Whonix-Gateway System DNS
From Whonix
DNS on Whonix-Gateway ™[edit]
Introduction[edit]
System DNS here is defined as:
- resolving DNS,
- without use of a socksifier such as
torsocks, - without application proxy settings,
- without a Tor
SocksPort.
- without use of a socksifier such as
- using the usual mechanisms on Linux for resolving DNS.
- that are usually configured through configuration file
/etc/resolv.conf. - that would happen when running
nslookup.
All traffic originating from Whonix-Workstation ™ and Whonix-Gateway ™ is routed over Tor. [1] [2] [3] [4]
Whonix-Workstation ™ is configured to use various SocksPorts [archive], DNSPort [archive] and TransPort [archive], see also Stream Isolation. Using system DNS on Whonix-Workstation ™ by default does not require Whonix-Gateway ™ system DNS. [5] Modifications of /etc/resolv.conf on Whonix-Gateway ™ have no effect on Whonix-Workstation ™.
Whonix-Gateway ™ is only configured to use various SocksPorts. A global system DNS resolver to resolve DNS originating from applications running on Whonix-Gateway ™ is not required for any common use case to justify enabling it by default. Use cases where this could be useful include:
- resolving the hostname of a proxy used in
/usr/local/etc/torrc.d/50_user.confthrough Tor would be useful (technical explanation [archive]) - resolving the hostname of a VPN. But then using a VPN configuration using IPs only would be better.
- Perhaps we could use
/etc/hostsfor such use cases rather than enabling system DNS?
How[edit]
Advanced users only!
Usually recommended against and unnecessary.
Working. Using Whonix-Gateway ™ user clearnet.
Using the clearnet user, traffic will be sent over normal internet! Not over Tor! Will not be anonymous!
Disable /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate by making it no longer executable so DHCP will write to /etc/resolv.conf. The following command only applies to older versions of Whonix or those who have package anon-gw-dhcp-conf installed.
sudo chmod -x /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
Make /etc/resolv.conf mutable. Don't worry if the next command causes an error. It's not required anymore in recent Whonix ™ versions.
sudo chattr -i /etc/resolv.conf
Delete /etc/resolv.conf so we can regenerate it.
sudo rm /etc/resolv.conf
Restart networking.
sudo service networking restart
Login as user clearnet.
sudo su clearnet
Test it, for example using ping.
ping google.com
See Also[edit]
Footnotes[edit]
- ↑ Since Whonix 0.2.1, Whonix-Gateway ™ traffic is also routed over Tor. In this way, use of Whonix is hidden from persons or systems observing the network.
- ↑ To preserve the anonymity of a user's Whonix-Workstation ™ activities, it is not necessary to torify Whonix-Gateway ™ own traffic.
- ↑
For reader interest: If DNS settings on Whonix-Gateway ™ are changed in
/etc/resolv.conf, this only affects Whonix-Gateway ™ own DNS requests issued by applications using the system's default DNS resolver. By default, no applications issuing network traffic on Whonix-Gateway ™ use the system's default DNS resolver. All applications installed by default on Whonix-Gateway ™ that issue network traffic (apt-get, whonixcheck, sdwdate) are explicitly configured, or forced by uwt wrappers, to use their own TorSocksPort(see Stream Isolation). - ↑
Whonix-Workstation ™ default applications are configured to use separate Tor
SocksPorts(see Stream Isolation), thereby not using the system's default DNS resolver. Any applications in Whonix-Workstation ™ that are not configured for stream isolation - for examplenslookup- will use the default DNS server configured in Whonix-Workstation ™ (via/etc/network/interfaces), which is the Whonix-Gateway ™. Those DNS requests are redirected to Tor's DnsPort by Whonix-Gateway ™ firewall. Whonix-Gateway ™/etc/resolv.confdoes not affect Whonix-Workstation ™ DNS requests. - ↑
That is because DNS traffic originating from Whonix-Workstation ™ gets redirected to Tor's
DNSPortrunning on Whonix-Gateway ™ by Whonix-Gateway Firewall.
Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.
Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki
Are you proficient with iptables? Want to contribute? Check out possible improvements to iptables. Please come and introduce yourself in the development forum.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].
Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.