Hello, I am running Whonix well. I followed the host security documentation, deleting all services that open ports and setting up the firewall so that it denies incoming connections.
Should I be worried about dnsmasq on port 53? I ran Wireshark and whenever I do apt-get update for the host, my machine communicates outgoing DNS packets to my ISP’s nameserver through port 53, the same port as dnsmasq. This communication happens only when I run apt-get update. I Torify my apt traffic with the (apt transport tor) package and onion addresses. In my /etc/resolv.conf folder it shows my ISP nameservers, this is to what my machine sends DNS packets. I don’t want any leaks of information. I hope my English is clear. Any help and advice is appreciated, thanks.
The Wireshark output is something like this:
Source (me) Destination (ISP server) | standard query (xxxxxxx) srv_socks.localhost
Source (ISP server) Destination (me) | standard query response (xxxxxxxx) no such name srv_socks.localhost SOA localhost
Debian Stretch. I did another small test, I just blocked outgoing connections on that port, therefore no DNS packets are sent when I do apt-get update. Updating the package lists seems to work the same, and without any leaks (Wireshark proves it), but is there a risk I have missed if I deny outgoing on that port?.
Also, IIRC, dnsmasq installs by default when one installs the Tor packages with apt-get, so I’m not sure if it’s needed to resolve DNS with Tor. Hopefully there is no risk by its removal or by the blocking of its default ports.
Thanks for the advice HulaHoop, I will post on the Tor mailing list and respond to this topic after I learn more.
Checking my Stretch host I couldn’t see the same behavior - so it might be an odd configuration on your box. Can you post your apt source list? You must change repo addresses to tor+http:// or tor:// to make it connect thru apt-transport-tor.
dnsmasq is actually a recommended package that gets installed with qemu-kvm. Without it you can’t connect VMs that have an NAT network to the outside world unless you assign a static IP. This shouldn’t matter for Whonix 14+ since the GW will have a static IP but for other plain distros you might install you won’t have connectivity out of the box.
dnsmasq is a PITA anyway because it opens ports on your system and if you aren’t running ufw you will increase your host’s attack surface. If you run only Whonix I recommend dumping it at some point when 14 comes out.
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security stretch/updates main contrib non-free
deb-src tor+http://sgvtcaew4bxjd7ln.onion/debian-security stretch/updates main contrib non-free
deb tor+http://vwakviie2ienjx6t.onion/debian stretch main contrib non-free
deb-src tor+http://vwakviie2ienjx6t.onion/debian stretch main contrib non-free
deb tor+http://vwakviie2ienjx6t.onion/debian stretch-updates main contrib non-free
deb-src tor+http://vwakviie2ienjx6t.onion/debian stretch-updates main contrib non-free
Thanks HulaHoop for taking the time. Do you mean that you also used a packet sniffer to check for outgoing DNS packet communication? Also, was there a server address in your /etc/resolv.conf file?