Whonix-Gateway System DNS

DNS on Whonix-Gateway ™


System DNS here is defined as:

  • resolving DNS
    • without use of a socksifier such as torsocks,
    • without application proxy settings,
    • without a Tor SocksPort,
  • using the usual Linux mechanisms for resolving DNS, which are normally configured through the configuration file /etc/resolv.conf,
  • i.e. what happens when running nslookup.

All traffic originating from Whonix-Workstation ™ and Whonix-Gateway ™ is routed over Tor. [1] [2] [3] [4]

Whonix-Workstation ™ is configured to use various SocksPorts, a DNSPort and a TransPort, see also Stream Isolation. Using system DNS on Whonix-Workstation ™ by default does not require system DNS on Whonix-Gateway ™. [5] Modifications of /etc/resolv.conf on Whonix-Gateway ™ have no effect on Whonix-Workstation ™.

Whonix-Gateway ™ is only configured to use various SocksPorts. No common use case requires a global system DNS resolver for applications running on Whonix-Gateway ™, so it is not enabled by default. Use cases where it could be useful include:

  • resolving the hostname of a proxy configured in /usr/local/etc/torrc.d/50_user.conf (technical explanation),
  • resolving the hostname of a VPN server; a VPN configuration that uses IP addresses only would be better, though,
  • perhaps /etc/hosts could be used for such cases instead of enabling system DNS?


Advanced users only!
Usually recommended against and unnecessary.

Working method: using the Whonix-Gateway ™ user clearnet.

Warning for first-time users: traffic from the clearnet user is sent over the normal internet, not over Tor, and is not anonymous!

Disable the DHCP hook /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate by making it non-executable, so that DHCP is allowed to write /etc/resolv.conf again. This step only applies to older versions of Whonix ™, or to systems with the package anon-gw-dhcp-conf installed.

sudo chmod -x /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate

Make /etc/resolv.conf mutable. Do not worry if the next command reports an error; it is no longer required in recent Whonix ™ versions.

sudo chattr -i /etc/resolv.conf

Delete /etc/resolv.conf so we can regenerate it.

sudo rm /etc/resolv.conf

Restart networking.

sudo service networking restart

Login as user clearnet.

sudo su clearnet

Test it, for example using ping.
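The steps above as one added example script (it is not Whonix code): it performs the file changes with a check before and after, then hands off to the two steps that need a live Gateway (restarting networking and resolving a name as user clearnet). ROOT is an assumed prefix for the files touched, empty on a real Gateway and a scratch directory when exercising the file operations; the hostname in the final lookup is a placeholder.

```shell
#!/bin/bash
# Added example, not part of Whonix. Walks the Whonix-Gateway system DNS
# procedure with a check before and after each step.
# ROOT is an assumed prefix for the files touched: empty on a real
# Gateway, a scratch directory when exercising the file operations.
set -u

hook_path()   { printf '%s\n' "${ROOT:-}/etc/dhcp/dhclient-enter-hooks.d/nodnsupdate"; }
resolv_path() { printf '%s\n' "${ROOT:-}/etc/resolv.conf"; }

# True while the nodnsupdate hook is executable, i.e. DHCP is still kept
# from writing /etc/resolv.conf (older Whonix / package anon-gw-dhcp-conf).
dhcp_dns_blocked() { [ -x "$(hook_path)" ]; }

# Print the nameserver entries of resolv.conf, one per line; prints
# nothing when the file is missing or carries no nameserver line.
resolv_nameservers() {
    [ -r "$(resolv_path)" ] || return 0
    awk '$1 == "nameserver" { print $2 }' "$(resolv_path)"
}

# True when system DNS is usable at all: at least one nameserver configured.
system_dns_configured() { [ -n "$(resolv_nameservers)" ]; }

# Steps 1-3 of the page: disable the hook, drop the immutable bit, remove
# resolv.conf so dhclient regenerates it. Returns 0 when the tree is ready.
prepare_system_dns() {
    local hook resolv
    hook=$(hook_path); resolv=$(resolv_path)
    if [ -e "$hook" ]; then chmod -x "$hook"; fi
    # A chattr error is expected on recent Whonix (the file is no longer
    # immutable) and on filesystems without attribute support; ignore it.
    if [ -e "$resolv" ]; then chattr -i "$resolv" 2>/dev/null || true; fi
    rm -f "$resolv"
    if dhcp_dns_blocked || [ -e "$resolv" ]; then return 1; fi
    return 0
}

# Steps 4-6: only meaningful on a real Gateway (needs root and the clearnet
# user). Restart networking, show what DHCP wrote, then resolve a name as
# clearnet. The host is a placeholder; choose one you do not mind revealing
# on the clearnet, because this lookup is NOT anonymous.
apply_and_test_system_dns() {
    local host="${1:-example.com}"
    sudo service networking restart
    if ! system_dns_configured; then
        echo "no nameserver in $(resolv_path) after DHCP; nothing to test" >&2
        return 1
    fi
    echo "nameservers: $(resolv_nameservers | tr '\n' ' ')"
    # Equivalent to the page's 'sudo su clearnet' followed by a lookup;
    # getent uses the system resolver, i.e. exactly the path being tested.
    sudo -u clearnet getent hosts "$host"
}

# Usage on the Gateway: ./gw-system-dns.sh --apply [host]
if [ "${1:-}" = "--apply" ]; then
    prepare_system_dns || { echo "preparation failed" >&2; exit 1; }
    apply_and_test_system_dns "${2:-}"
fi
```

A successful `getent hosts` as clearnet proves that the regenerated /etc/resolv.conf is used and that the firewall lets that user out; the page's `ping` check additionally proves reachability. Run the prepare part against a scratch ROOT first if you want to see what it changes without touching the live system.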


See Also

Footnotes

  1. Since Whonix 0.2.1, Whonix-Gateway ™ traffic is also routed over Tor. In this way, use of Whonix is hidden from persons or systems observing the network.
  2. To preserve the anonymity of a user's Whonix-Workstation ™ activities, it is not necessary to torify Whonix-Gateway ™ own traffic.
  3. For reader interest: If DNS settings on Whonix-Gateway ™ are changed in /etc/resolv.conf, this only affects Whonix-Gateway ™ own DNS requests issued by applications using the system's default DNS resolver. By default, no applications issuing network traffic on Whonix-Gateway ™ use the system's default DNS resolver. All applications installed by default on Whonix-Gateway ™ that issue network traffic (apt-get, whonixcheck, sdwdate) are explicitly configured, or forced by uwt wrappers, to use their own Tor SocksPort (see Stream Isolation).
  4. Whonix-Workstation ™ default applications are configured to use separate Tor SocksPorts (see Stream Isolation), thereby not using the system's default DNS resolver. Any applications in Whonix-Workstation ™ that are not configured for stream isolation - for example nslookup - will use the default DNS server configured in Whonix-Workstation ™ (via /etc/network/interfaces), which is the Whonix-Gateway ™. Those DNS requests are redirected to Tor's DNSPort by the Whonix-Gateway ™ firewall. Whonix-Gateway ™ /etc/resolv.conf does not affect Whonix-Workstation ™ DNS requests.
  5. That is because DNS traffic originating from Whonix-Workstation ™ gets redirected to Tor's DNSPort running on Whonix-Gateway ™ by Whonix-Gateway Firewall.

Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.