How to disable DHCP in Whonix and ensure no leaks

Thanks for leak tests page but I am still in a tight situation due being unsure if DHCP is really disabled or no and thus still trapped and cannot use Whonix for anything sensitive.

Do you know when will @HulaHoop will answer my question?

If you could tell me how to disable DHCP in virtualbox port of Whonix It might help me figure this out myself

Whonix VirtualBox doesn’t use DHCP. For more detailed Whonix VirtualBox question please open separate, new (a) forum thread(s).

No, I don’t know that.

Also an option is it will not be replied to as per:
Bug Reports, Software Development and Feature Requests chapter Support Request Policy in Whonix wiki

I think it will not be replied to due fact @HulaHoop has not been seen for more than a month

I made sure that Whonix KVM does not run or need DHCP in any way shape or form to function. That is why you need to also import an extra external network settings file since all IPs are static and hardcoded.

1 Like

Thanks for clearing that out! But why does dnsmasq run with this libvirtd “DHCP lease script” (that is actually a binary) ? While we are at it would be nice to clear out why is dnsmasq is needed as well (separate questions)

On the KVM wiki page under chapter Optional there is a chapter DHCP.

https://www.whonix.org/wiki/KVM#DHCP

Did you see that already?

Quote Whonix ™ for KVM chapter Debian in Whonix wiki (bold added):

For Debian bullseye+ on Intel / AMD you need to install:

sudo apt install --no-install-recommends qemu-kvm libvirt-daemon-system libvirt-clients virt-manager gir1.2-spiceclientgtk-3.0 dnsmasq qemu-utils

What’s the purpose of package dnsmasq in the installation list?

Is it optional?

Can KVM work without that package being installed?

@HulaHoop

I don;t know the details of dnsmasq’s functionality, but I have confirmed from sources in documentation and technical forums that a very limited subset of functionality of dnsmasq is being exposed to libvirtd. dnsmasq is what the KVM team settled on to handle DHCP leases and DNS request resolution.

It is needed for the normal functioning of the default NAT network that Kicksecure or other generic distro VMs use to connect. The fact that it’s installed has no bearing on the code running within Whonix and cannot be abused to unmask you. Gutting it out would require a lot of manual reconfiguratoin of the VMs and host to restore connectivity and is beyond the scope of Whonix support.

1 Like

No not really.

1 Like

Yes and it was not helpful

I mentioned earlier that I am not allowed to tell you why I need to disable DHCP but it is very important. I also mentioned that I am not using DHCP on my host so manual reconfiguration is limited to I guess only Gateway so it shouldn’t be out of scope? Any pointers will help

Didn’t you say it is possible to have dnsmasq removed but requires alot of manual reconfiguration? I am confused

Maybe it’s possible. But even if it is, it seems an impasse was reached here. As per:

Therefore the only way forward that I can see here is:
Bug Reports, Software Development and Feature Requests chapter Generic Bug Reproduction in Whonix wiki

  1. “forget” about Whonix
  2. make KVM work without dnsmasq using Debian (stable)
  3. make KVM work (using Debian (stable)) with a network configuration similar to Whonix-Gateway without dnsmasq

If you find out more, please keep us posted. Could be interesting and might be considered for future development.

1 Like

4 posts were split to a new topic: Whonix KVM Security Bug Report

Since that seems a different issue, I moved it to [INVALID] Whonix KVM Security Bug Report - SPICE remote desktop protocol listening on all network interfaces

The title of the other forum thread will most likely be improved after the (potential) issue has been published.

A post was split to a new topic: Whonix KVM dnsmasq - listen port on host operating system - attack surface reduction

Also a separate forum thread was created:

That thread is not related to the issue I reported. And I feel like it undermines how critical that report was. I can literally hack Whonix users I don’t even know with 0 effort

Your thread is not needed, please see Whonix ™ for KVM

Seems like you missed this:

4 posts were split to a new topic: Whonix KVM Security Bug Report

And this:

In other words:

1 Like

You are right I missed the topic split, thanks.

1 Like