Thanks for leak tests page but I am still in a tight situation due being unsure if DHCP is really disabled or no and thus still trapped and cannot use Whonix for anything sensitive.
Do you know when will @HulaHoop will answer my question?
If you could tell me how to disable DHCP in virtualbox port of Whonix It might help me figure this out myself
Whonix VirtualBox doesn’t use DHCP. For more detailed Whonix VirtualBox question please open separate, new (a) forum thread(s).
No, I don’t know that.
Also an option is it will not be replied to as per:
Bug Reports, Software Development and Feature Requests chapter Support Request Policy in Whonix wiki
I made sure that Whonix KVM does not run or need DHCP in any way shape or form to function. That is why you need to also import an extra external network settings file since all IPs are static and hardcoded.
1 Like
Thanks for clearing that out! But why does dnsmasq run with this libvirtd “DHCP lease script” (that is actually a binary) ? While we are at it would be nice to clear out why is dnsmasq is needed as well (separate questions)
On the KVM wiki page under chapter Optional there is a chapter DHCP.
https://www.whonix.org/wiki/KVM#DHCP
Did you see that already?
Quote Whonix ™ for KVM chapter Debian in Whonix wiki (bold added):
For Debian bullseye+ on Intel / AMD you need to install:
sudo apt install --no-install-recommends qemu-kvm libvirt-daemon-system libvirt-clients virt-manager gir1.2-spiceclientgtk-3.0 dnsmasq qemu-utils
What’s the purpose of package dnsmasq in the installation list?
Is it optional?
Can KVM work without that package being installed?
I don;t know the details of dnsmasq’s functionality, but I have confirmed from sources in documentation and technical forums that a very limited subset of functionality of dnsmasq is being exposed to libvirtd. dnsmasq is what the KVM team settled on to handle DHCP leases and DNS request resolution.
It is needed for the normal functioning of the default NAT network that Kicksecure or other generic distro VMs use to connect. The fact that it’s installed has no bearing on the code running within Whonix and cannot be abused to unmask you. Gutting it out would require a lot of manual reconfiguratoin of the VMs and host to restore connectivity and is beyond the scope of Whonix support.
1 Like
No not really.
1 Like
Yes and it was not helpful
I mentioned earlier that I am not allowed to tell you why I need to disable DHCP but it is very important. I also mentioned that I am not using DHCP on my host so manual reconfiguration is limited to I guess only Gateway so it shouldn’t be out of scope? Any pointers will help
Didn’t you say it is possible to have dnsmasq removed but requires alot of manual reconfiguration? I am confused
Maybe it’s possible. But even if it is, it seems an impasse was reached here. As per:
Therefore the only way forward that I can see here is:
Bug Reports, Software Development and Feature Requests chapter Generic Bug Reproduction in Whonix wiki
- “forget” about Whonix
- make KVM work without dnsmasq using Debian (stable)
- make KVM work (using Debian (stable)) with a network configuration similar to Whonix-Gateway without dnsmasq
If you find out more, please keep us posted. Could be interesting and might be considered for future development.
1 Like
Since that seems a different issue, I moved it to [INVALID] Whonix KVM Security Bug Report - SPICE remote desktop protocol listening on all network interfaces
The title of the other forum thread will most likely be improved after the (potential) issue has been published.
A post was split to a new topic: Whonix KVM dnsmasq - listen port on host operating system - attack surface reduction
Also a separate forum thread was created:
That thread is not related to the issue I reported. And I feel like it undermines how critical that report was. I can literally hack Whonix users I don’t even know with 0 effort
Your thread is not needed, please see Whonix for KVM
Seems like you missed this:
4 posts were split to a new topic: Whonix KVM Security Bug Report
And this:
In other words:
- A) please publish your previously private report in this forum thread: [INVALID] Whonix KVM Security Bug Report - SPICE remote desktop protocol listening on all network interfaces
- B) this is a different forum thread from A): Whonix KVM dnsmasq - listen port on host operating system - attack surface reduction
1 Like
You are right I missed the topic split, thanks.
1 Like