There’s no absolute security anywhere. Best available is:
See also:
This documentation is a crash course in anonymity and security on the Internet. Whonix ™ is a technological means to anonymity, but staying safe necessitates complete behavioral change; it is a complex problem without an easy solution. The more you know, the safer you can be.
Then even learning about these tools would be dangerous. Be careful. I am not sure any software based solution can help you if the stakes are that high.
Note: I am not a maintainer of Whonix KVM so I cannot answer the main question.
Thanks for leak tests page but I am still in a tight situation due being unsure if DHCP is really disabled or no and thus still trapped and cannot use Whonix for anything sensitive.
Do you know when will @HulaHoop will answer my question?
I made sure that Whonix KVM does not run or need DHCP in any way shape or form to function. That is why you need to also import an extra external network settings file since all IPs are static and hardcoded.
Thanks for clearing that out! But why does dnsmasq run with this libvirtd “DHCP lease script” (that is actually a binary) ? While we are at it would be nice to clear out why is dnsmasq is needed as well (separate questions)
I don;t know the details of dnsmasq’s functionality, but I have confirmed from sources in documentation and technical forums that a very limited subset of functionality of dnsmasq is being exposed to libvirtd. dnsmasq is what the KVM team settled on to handle DHCP leases and DNS request resolution.
It is needed for the normal functioning of the default NAT network that Kicksecure or other generic distro VMs use to connect. The fact that it’s installed has no bearing on the code running within Whonix and cannot be abused to unmask you. Gutting it out would require a lot of manual reconfiguratoin of the VMs and host to restore connectivity and is beyond the scope of Whonix support.
I mentioned earlier that I am not allowed to tell you why I need to disable DHCP but it is very important. I also mentioned that I am not using DHCP on my host so manual reconfiguration is limited to I guess only Gateway so it shouldn’t be out of scope? Any pointers will help
Didn’t you say it is possible to have dnsmasq removed but requires alot of manual reconfiguration? I am confused
That thread is not related to the issue I reported. And I feel like it undermines how critical that report was. I can literally hack Whonix users I don’t even know with 0 effort