Jump to: navigation, search

Whonix-Gateway System DNS

This page contains changes which are not marked for translation.

DNS on Whonix-Gateway[edit]


Advanced users only!
Usually recommended against and unnecessary.

All traffic from Whonix-Workstation and Whonix-Gateway is routed over Tor. [1] [2] [3] [4]

Whonix-Workstation is configured to use various SocksPorts, DnsPort and TransPort, see also Stream Isolation. Whonix-Gateway is only configured to use various SocksPorts. A global system DNS resolver isn't required for Whonix-Gateway for any common use case to justify enabling it by default. Use cases where this could be useful include:

  • resolving the hostname of a proxy used in /etc/tor/torrc through Tor would be useful (technical explanation)
  • resolving the hostname of a VPN. But then using a VPN configuration using IPs only would be better.
  • Perhaps we could use /etc/hosts for such use cases rather than enabling system DNS?


Working. Using Whonix-Gateway's user clearnet.

sudo chmod -x /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate

sudo chattr -i /etc/resolv.conf

sudo rm /etc/resolv.conf

sudo service networking restart

sudo su clearnet

Test it, for example using ping.

ping google.com

See Also[edit]


  1. Since Whonix 0.2.1 also the Whonix-Gateway traffic is routed over Tor. This prevents telling the world that the user is a Whonix user.
  2. To preserve anonymity of activities the user is doing inside Whonix-Workstation, it would not be required to torify Whonix-Gateway's own traffic.
  3. For your interest: if you were to change DNS settings on Whonix-Gateway in /etc/resolv.conf, this would only affect Whonix-Gateways's own DNS requests issued by applications using the system's default DNS resolver. Actually, by default, no applications issuing network traffic on Whonix-Gateway use the system's default DNS resolver. All applications installed by default on Whonix-Gateway issuing network traffic (apt-get, whonixcheck, timesync) are explicitly configured (or forced by uwt wrappers) to use their own Tor SocksPort (see Stream Isolation).
  4. Whonix-Workstation's default applications are configured to use separate Tor SocksPort's (see Stream Isolation), thus not using the system's default DNS resolver. Any applications on Whonix-Workstation, not configured for stream isolation (for example nslookup), will use the default DNS server configured in Whonix-Workstation in /etc/network/interfaces, which is Whonix-Gateway. Those DNS requests will be redirected to Tor's DnsPort by Whonix-Gateway's firewall. (Therefore Whonix-Gateway's /etc/resolv.conf does not affect Whonix-Workstation's DNS requests.)

Random News:

Do you wonder why Whonix will always be free? Check out Why Whonix is Free Software.

Impressum | Datenschutz | Haftungsausschluss

https | (forcing) onion
Share: Twitter | Facebook | Google+
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation. Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, the content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.