Information about Whonix-Gateway System DNS, /etc/resolv.conf, and nslookup. Getting System DNS working on Whonix-Gateway.

Introduction[edit]

System DNS is defined as:

Resolving DNS:
- Without the use of a socksifier such as torsocks,
- Without application proxy settings,
- Without a Tor SocksPort.
Using the standard mechanisms on Linux for DNS resolution.
Typically configured through the configuration file /etc/resolv.conf.
The process that occurs when running nslookup.

All traffic originating from Whonix-Workstation^™ and Whonix-Gateway^™ is routed over Tor. ^[1] ^[2] ^[3] ^[4] ^[5] ^[6] ^[7]

Whonix-Workstation^™ is configured to use various SocksPorts, DNSPort, and TransPort. See also Stream Isolation. By default, using system DNS on Whonix-Workstation^™ does not require Whonix-Gateway system DNS. ^[8] Modifications to /etc/resolv.conf on Whonix-Gateway do not affect Whonix-Workstation.

Whonix-Gateway is only configured to use various SocksPorts. A global system DNS resolver for resolving DNS requests from applications running on Whonix-Gateway isn't necessary for most common use cases, so it isn't enabled by default. Potential use cases where this could be beneficial include:

Resolving the hostname of a proxy specified in /usr/local/etc/torrc.d/50_user.conf via Tor (technical explanation).
Resolving the hostname of a VPN. However, a VPN configuration using only IPs would be more suitable.
One could consider using /etc/hosts for such scenarios instead of enabling system DNS.

Whonix-Gateway Default System DNS Setting[edit]

As of this writing, no DNS server is pre-configured.

To verify this, users can run the command below. This command will display all lines in the system DNS configuration file /etc/resolv.conf except those that are commented out (lines starting with a hash ("#")).

cat /etc/resolv.conf | grep --invert-match \#

Modifying this configuration may be safe, beneficial, and necessary for certain use cases such as Bridges, pluggable transports, simplified meek and snowflake support. ^[9]

Whonix-Gateway System DNS Configuration[edit]

Whonix-Gateway System DNS over Clearnet

Setup

Notes:

This is generally not recommended and is often unnecessary.
However, it simplifies the setup when using Bridges with Snowflake.

Clearnet Whonix-Gateway System DNS.

1. Apply the following changes to Whonix-Gateway^™.

Open file /etc/resolv.conf in an editor with root rights.

This box uses sudoedit for better security.

NOTE: When using Qubes-Whonix, this needs to be done inside the Template.

This is just an example. Other tools could achieve the same goal.
If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/resolv.conf

2. Uncomment the line #nameserver 10.0.2.3.

Remove the hash ("#") before nameserver. This means you should change #nameserver 10.0.2.3 to nameserver 10.0.2.3.

3. Follow platform-specific steps:

Non-Qubes-Whonix: Done.
Qubes-Whonix^™: This should typically work. If not, refer to the footnote. ^[10]

4. Done.

The configuration for Whonix-Gateway System DNS is complete.

Test

Notes:

If you're using Snowflake, testing this is typically unnecessary.

To test, use the Whonix-Gateway user named clearnet.

Be cautious: When using the clearnet user account, traffic will bypass Tor and use the standard internet, compromising anonymity!

Run bash as user clearnet.

^[11]

sudo -u clearnet bash

To verify, you can use a tool like ping:

ping google.com

Whonix-Gateway System DNS over Tor

This approach is generally not recommended and is often unnecessary.

Torified Whonix-Gateway System DNS.

Undocumented.

Footnotes[edit]

↑ Starting from Whonix version 0.2.1, traffic from Whonix-Gateway is also routed over Tor. This approach conceals the use of Whonix from entities monitoring the network.
↑ For preserving the anonymity of a user's Whonix-Workstation activities, it isn't essential to route Whonix-Gateway's own traffic through Tor.
↑ For those interested: Altering DNS settings on Whonix-Gateway in /etc/resolv.conf only impacts DNS requests made by Whonix-Gateway's applications that utilize the system's default DNS resolver. By default, no applications on Whonix-Gateway that generate network traffic utilize this default resolver. All default applications on Whonix-Gateway that produce network traffic (like apt, systemcheck, sdwdate) are explicitly configured, or force by uwt wrappers, to use their dedicated Tor SocksPort (refer to Stream Isolation).
↑ Whonix-Workstation's default applications are configured to use dedicated Tor SocksPorts (see Stream Isolation), avoiding the system's default DNS resolver. Any applications in Whonix-Workstation not set up for stream isolation - such as nslookup - will employ the default DNS server configured in Whonix-Workstation (through /etc/network/interfaces), which points to Whonix-Gateway. These DNS requests are then redirected to Tor's DnsPort by the Whonix-Gateway firewall. Changes in Whonix-Gateway's /etc/resolv.conf don't influence Whonix-Workstation's DNS queries.
↑ Traffic produced by the Tor process, which by Debian's default operates under the user debian-tor originating from Whonix-Gateway, can access the internet directly. This is permitted because Linux user account debian-tor is exempted in the Whonix-Gateway Firewall and allowed to use the "regular" internet.
↑ Tor version 0.4.5.6 (with no changes announced at the time of writing), the Tor software predominantly relies on TCP traffic. For further details, see Tor wiki page, chapter UDP. For DNS, please refer to the next footnote.
↑
Tor doesn't depend on, nor uses a functional (system) DNS for most of its operations. IP addresses of Tor directory authorities are hardcoded in the Tor software by Tor developers. Exceptions are:
- Proxy settings that use proxies with domain names instead of IP addresses.
- Some Tor pluggable transports such as meek lite, which resolves domains set in url= and front= to IP addresses or snowflake's -front.
↑ This is because DNS traffic originating from Whonix-Workstation is redirected to Tor's DNSPort running on Whonix-Gateway by the Whonix-Gateway Firewall.
↑ https://forums.whonix.org/t/censorship-circumvention-tor-pluggable-transports/2601/40
↑
Replace 10.0.2.3.
- - To identify the IP to substitute, execute the command below:
  - qubesdb-read /qubes-netvm-primary-dns
  - For example, the output might be:
  - 10.139.1.1
  - In this case, replace 10.0.2.3 with 10.139.1.1. Note: Use the actual IP from the output of the qubesdb-read /qubes-netvm-primary-dns command.
↑ This is analogous to logging in as the user clearnet.

Whonix

The most watertight privacy operating system in the world.

Dark mode

FREE · PLUS · PREMIUM Support

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012-2023 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 11 year success story and maybe DONATE!

[1] Starting from Whonix version 0.2.1, traffic from Whonix-Gateway is also routed over Tor. This approach conceals the use of Whonix from entities monitoring the network.

[2] For preserving the anonymity of a user's Whonix-Workstation activities, it isn't essential to route Whonix-Gateway's own traffic through Tor.

[3] For those interested: Altering DNS settings on Whonix-Gateway in /etc/resolv.conf only impacts DNS requests made by Whonix-Gateway's applications that utilize the system's default DNS resolver. By default, no applications on Whonix-Gateway that generate network traffic utilize this default resolver. All default applications on Whonix-Gateway that produce network traffic (like apt, systemcheck, sdwdate) are explicitly configured, or force by uwt wrappers, to use their dedicated Tor SocksPort (refer to Stream Isolation).

[4] Whonix-Workstation's default applications are configured to use dedicated Tor SocksPorts (see Stream Isolation), avoiding the system's default DNS resolver. Any applications in Whonix-Workstation not set up for stream isolation - such as nslookup - will employ the default DNS server configured in Whonix-Workstation (through /etc/network/interfaces), which points to Whonix-Gateway. These DNS requests are then redirected to Tor's DnsPort by the Whonix-Gateway firewall. Changes in Whonix-Gateway's /etc/resolv.conf don't influence Whonix-Workstation's DNS queries.

[5] Traffic produced by the Tor process, which by Debian's default operates under the user debian-tor originating from Whonix-Gateway, can access the internet directly. This is permitted because Linux user account debian-tor is exempted in the Whonix-Gateway Firewall and allowed to use the "regular" internet.

[6] Tor version 0.4.5.6 (with no changes announced at the time of writing), the Tor software predominantly relies on TCP traffic. For further details, see Tor wiki page, chapter UDP. For DNS, please refer to the next footnote.

[7] Tor doesn't depend on, nor uses a functional (system) DNS for most of its operations. IP addresses of Tor directory authorities are hardcoded in the Tor software by Tor developers. Exceptions are:
Proxy settings that use proxies with domain names instead of IP addresses.

Some Tor pluggable transports such as meek lite, which resolves domains set in url= and front= to IP addresses or snowflake's -front.

[8] Proxy settings that use proxies with domain names instead of IP addresses.

[9] Some Tor pluggable transports such as meek lite, which resolves domains set in url= and front= to IP addresses or snowflake's -front.

[8] This is because DNS traffic originating from Whonix-Workstation is redirected to Tor's DNSPort running on Whonix-Gateway by the Whonix-Gateway Firewall.

[9] ttps://forums.whonix.org/t/censorship-circumvention-tor-pluggable-transports/2601/40

[10] Replace 10.0.2.3.
To identify the IP to substitute, execute the command below:

qubesdb-read /qubes-netvm-primary-dns

For example, the output might be:

10.139.1.1

In this case, replace 10.0.2.3 with 10.139.1.1. Note: Use the actual IP from the output of the qubesdb-read /qubes-netvm-primary-dns command.

[13] To identify the IP to substitute, execute the command below:

qubesdb-read /qubes-netvm-primary-dns

For example, the output might be:

10.139.1.1

In this case, replace 10.0.2.3 with 10.139.1.1. Note: Use the actual IP from the output of the qubesdb-read /qubes-netvm-primary-dns command.

[14] To identify the IP to substitute, execute the command below:

[15] qubesdb-read /qubes-netvm-primary-dns

[16] For example, the output might be:

[17] 10.139.1.1

[18] In this case, replace 10.0.2.3 with 10.139.1.1. Note: Use the actual IP from the output of the qubesdb-read /qubes-netvm-primary-dns command.

[11] This is analogous to logging in as the user clearnet.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

Whonix-Gateway System DNS

Contents

Introduction[edit]

Whonix-Gateway Default System DNS Setting[edit]

Whonix-Gateway System DNS Configuration[edit]

Whonix-Gateway System DNS over Clearnet

Setup

Non-Qubes-Whonix^™

Qubes-Whonix^™

Others and Alternatives

Test

Whonix-Gateway System DNS over Tor

See Also[edit]

Footnotes[edit]

Navigation menu

Whonix-Gateway System DNS

Introduction[edit]

Whonix-Gateway Default System DNS Setting[edit]

Whonix-Gateway System DNS Configuration[edit]

Whonix-Gateway System DNS over Clearnet

Setup

Non-Qubes-Whonix™

Qubes-Whonix™

Others and Alternatives

Test

Whonix-Gateway System DNS over Tor

See Also[edit]

Footnotes[edit]

Navigation menu

Non-Qubes-Whonix^™

Qubes-Whonix^™