Hi, I was following the guide KVM and it said to install dnsmasq on the host with all the other packages. Do I need to only have dnsmasq installed or also running?
I am already using sytemd-resolved for the DNSOverTLS and it will conflict if I do have dnsmasq running too.
Any input would be appreciated.
Thanks in advance
Edit: I also noted that I already dnsmasq-base package, not sure if this would be enough.
For what I understand is not needed then? Is just because I was following the guide and it was saying it was needed for every distro.
About the surface attack, maybe a firewall on the host? Or simply not putting the service listening externally?
It’s an open unresolved development ticket, which has apparently stalled. I don’t expect further progress, unless contributed.
Meanwhile documentation is up-to-date according to the latest development status.
Note: I am not a maintainer of Whonix KVM.
According got another user, yes it is mandatory with the way NAT networking is implemented by libvirt to have this package installed and running. He was going to create a dummy stub and change the Whonix networking files to attempt to trick it into running with dnsmasq not being active , but never reported back. Either way it’s too much hassle and not a big deal see why below:
There’s no risk of dnsmasq as installed by libvirt in being exploited because it doesn’t listen on any external interfaces and only responds to guest requests using a limited subset of its functionality. If you are running an untrusted guest, you probably don’t want it on the virbr0 interface that interacts with the clearnet anyway.