Information
ID: 471
PHID: PHID-TASK-crflabmqkelr4jhsrh25
Author: HulaHoop
Status at Migration Time: resolved
Priority at Migration Time: Normal
Description
Systemd just gained DNS resolution as a feature. This should be disabled because of potentially negative consequences for anonymity and to reduce attack surface.
https://lists.freedesktop.org/archives/systemd-devel/2016-February/035748.html
Comments
Patrick
2017-01-18 10:55:53 UTC
Patrick
2017-02-05 20:16:14 UTC
Done.
I’ve spent a lot of thought on the migration. For new Whonix 14 images, systemd-resolved will never start.
When upgrading Whonix 13 to Whonix 14:
* using Release Upgrade - it will not start (since it uses apt-get-noninteractive, which prevents daemon restarts, and after reboot the systemd drop-in to prevent its startup will be in place)
* when not using apt-get-noninteractive, systemd-resolved would start and keep running until the next reboot
** there won’t be an auto upgrade from Whonix 13 to Whonix 14 since the user has to manually change from jessie to stretch Debian and Whonix repository, so the risk for this to accidentally happen should be low
** otherwise preventing this would be cumbersome and require a lot more code (inventing a postinst running systemd daemon-reload and whatnot)
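A small shell illustration of the drop-in approach described in the comment above, added here as an example and not Whonix's own code. The drop-in file name, the ConditionPathExists guard and the sample resolv.conf are assumptions; the stub address 127.0.0.53 is the one systemd-resolved listens on.

```shell
#!/bin/sh
# Added example (not from Whonix). Shows a drop-in that keeps
# systemd-resolved.service from starting, plus a check that the system
# resolver no longer points at the resolved stub listener.
set -eu

# Write a drop-in under $1 (normally /etc/systemd/system). A failing
# Condition makes systemd skip the unit instead of starting it; unlike
# masking, the vendor unit file stays untouched and the change is easy
# to revert by deleting the drop-in. File name and guard are assumptions.
write_resolved_dropin() {
    dir="$1/systemd-resolved.service.d"
    mkdir -p "$dir"
    cat > "$dir/40_disable.conf" <<'EOF'
[Unit]
# Hypothetical guard: this path never exists, so the unit never starts.
ConditionPathExists=/nonexistent
EOF
    printf '%s\n' "$dir/40_disable.conf"
}

# Return 0 if some drop-in under $1 carries a ConditionPathExists guard.
dropin_disables_resolved() {
    grep -qs '^ConditionPathExists=' "$1"/systemd-resolved.service.d/*.conf
}

# Return 0 if the resolv.conf at $1 names the systemd-resolved stub
# (127.0.0.53), i.e. resolved is still in the DNS path.
resolv_uses_stub() {
    grep -Eqs '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.53([[:space:]]|$)' "$1"
}

# Constructed sample: a resolv.conf as systemd-resolved would write it.
demo() {
    work=$(mktemp -d)
    printf 'nameserver 127.0.0.53\noptions edns0\n' > "$work/resolv.conf"
    if resolv_uses_stub "$work/resolv.conf"; then
        echo "resolver still points at the systemd-resolved stub"
    fi
    write_resolved_dropin "$work/etc" >/dev/null
    dropin_disables_resolved "$work/etc" && echo "drop-in in place"
    rm -rf "$work"
}
demo
```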
anonymous1
2017-02-07 07:19:06 UTC
Patrick
2017-02-07 17:01:19 UTC
anonymous1
2017-02-07 17:45:46 UTC