entr0py:
rewrite:
I see.
This. apt-get leaks and Whonix cleans up the mess as expected.
Phew. At least no Whonix leak bug found.
Still trying to decide whether it’s a bug or expected behavior in apt-get. We would prefer this logic:
- check if a proxy is configured for the host
- use the proxy to resolve DNS
apt-get:
- resolve DNS first
- check if a proxy is configured
Very much agreed!
apt-get’s implementation may be correct since DNS resolution may be required to check blocked hosts, configured proxies, etc.
I guess that would be a big surprise, violating the principle of least surprise. It should at the very least be clearly documented. I guess if so, it would be considered an apt-get bug.
So that solves the issue for templates. Running apt-get in AppVMs will leak DNS queries through WORKSTATION_TRANSPARENT_DNS.
Shouldn’t. [*] Does it?
- In Whonix TemplateBasedVMs, uwt is being used.
- Only Whonix TemplateVMs use proxy settings (so the Qubes UpdatesProxy mechanism gets used), but also in Whonix TemplateVMs the NetVM is set to none by default.
Not ideal but not a big issue.
If so: Really wouldn’t be ideal.
Reinforces what we’ve known all along: Never trust application proxy settings!
Agreed.
I’ve been testing vscode with stream isolation using its command line proxy settings.
Nice!
Every program should use uwt.
[*] Since uwt is based on torsocks, it’s not bulletproof either. Not even close.
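The two orderings argued about above ("check proxy, then let the proxy resolve" versus "resolve locally, then check proxy"), as an added example that is not part of the original post and is not apt's, torsocks' or Whonix's code. It models apt's proxy selection (per-host `Acquire::http::Proxy::<host>` overrides, including the special value `DIRECT`, beating the global `Acquire::http::Proxy`, which beats `http_proxy` in the environment), replaces the real resolver with a fake that records every local lookup so a leak shows up as a log entry instead of a packet on port 53, and shows the SOCKS5 request shape torsocks (and hence uwt) substitutes for a direct connect. The `APT_CONF` contents are a constructed sample modelled on the Qubes UpdatesProxy on port 8082; `fetch_plan`, `proxy_for_host` and `RecordingResolver` are names made up for this example.

```python
"""Model of DNS-before-proxy versus proxy-before-DNS (added example).

Not apt's or Whonix's code. A fake resolver records every local lookup, so
the "resolve first" ordering leaves a trace even when a proxy is configured.
"""
import struct
from urllib.parse import urlsplit

# Constructed sample config, modelled on the Qubes UpdatesProxy (port 8082).
# The per-host DIRECT entry is apt.conf(5) syntax for "no proxy for this host".
APT_CONF = {
    "Acquire::http::Proxy": "http://127.0.0.1:8082/",
    "Acquire::http::Proxy::security.debian.org": "DIRECT",
}


def proxy_for_host(host, conf, env=None):
    """Return the proxy URL apt would use for host, or None for a direct connection."""
    env = env or {}
    per_host = conf.get(f"Acquire::http::Proxy::{host}")
    if per_host is not None:
        return None if per_host.upper() == "DIRECT" else per_host
    if "Acquire::http::Proxy" in conf:
        return conf["Acquire::http::Proxy"]
    return env.get("http_proxy")


class RecordingResolver:
    """Stand-in for getaddrinfo(): records every local lookup it is asked to do."""

    def __init__(self):
        self.queries = []

    def resolve(self, host):
        self.queries.append(host)
        return "192.0.2.1"  # TEST-NET-1, never routed


def socks5_connect(host, port):
    """SOCKS5 CONNECT with ATYP=0x03 (domain name), so the proxy resolves the name.

    This is what torsocks substitutes for a direct connect(): the hostname
    goes to the SOCKS port and the client never issues a DNS query itself.
    """
    name = host.encode("idna")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def fetch_plan(host, conf, resolver, order="proxy_first", env=None):
    """Return the steps a client takes for host under the given ordering."""
    steps = []
    if order == "resolve_first":
        # The ordering observed in the thread: the name is looked up before the
        # proxy configuration is consulted, so a configured proxy cannot
        # prevent the local DNS query.
        resolver.resolve(host)
        steps.append(f"local DNS lookup for {host}")
    proxy = proxy_for_host(host, conf, env)
    if proxy is None:
        if order != "resolve_first":
            resolver.resolve(host)
            steps.append(f"local DNS lookup for {host}")
        steps.append(f"direct connection to {host}")
    else:
        p = urlsplit(proxy)
        steps.append(f"connect to proxy {p.hostname}:{p.port}")
        # Absolute-URI request: the proxy, not the client, resolves the host.
        steps.append(f"GET http://{host}/ via proxy")
    return steps


if __name__ == "__main__":
    for order in ("proxy_first", "resolve_first"):
        r = RecordingResolver()
        plan = fetch_plan("deb.debian.org", APT_CONF, r, order=order)
        print(order, plan, "local lookups:", r.queries)
```

The model only reproduces the ordering argument; the check that actually settles it on a real system is watching UDP port 53 on the VM's interface (for example with tcpdump) while `apt-get update` runs with the proxy configured, which is what the thread's observation amounts to.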