NXDOMAIN when no IPv6 available for domain

JaFu0815 · April 15, 2023, 9:51pm

Hello!
I’ve set up a Whonix Gateway KVM and a debian mashine which connects via it. I noticed that DNS-lookups without an awnser do not yield NOERROR as usual but a NXDOMAIN error instead:

root@CT122:~# dig check.torproject.org @10.152.152.10 A

; <<>> DiG 9.16.15-Debian <<>> check.torproject.org @10.152.152.10 A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39257
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;check.torproject.org.          IN      A

;; ANSWER SECTION:
check.torproject.org.   3384    IN      A       116.202.120.181

;; Query time: 312 msec
;; SERVER: 10.152.152.10#53(10.152.152.10)
;; WHEN: Sat Apr 15 21:46:41 UTC 2023
;; MSG SIZE  rcvd: 54

root@CT122:~# dig check.torproject.org @10.152.152.10 AAAA

; <<>> DiG 9.16.15-Debian <<>> check.torproject.org @10.152.152.10 AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64602
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;check.torproject.org.          IN      AAAA

;; Query time: 236 msec
;; SERVER: 10.152.152.10#53(10.152.152.10)
;; WHEN: Sat Apr 15 21:46:43 UTC 2023
;; MSG SIZE  rcvd: 38

Compared to a non-tor-dns-lookup:

root@non-tor-machine:~# dig check.torproject.org @1.1.1.1 A

; <<>> DiG 9.16.33-Debian <<>> check.torproject.org @1.1.1.1 A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4760
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;check.torproject.org.          IN      A

;; ANSWER SECTION:
check.torproject.org.   2428    IN      A       116.202.120.181

;; Query time: 20 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Apr 15 23:49:33 CEST 2023
;; MSG SIZE  rcvd: 65

root@non-tor-machine:~# dig check.torproject.org @1.1.1.1 AAAA

; <<>> DiG 9.16.33-Debian <<>> check.torproject.org @1.1.1.1 AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46168
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;check.torproject.org.          IN      AAAA

;; AUTHORITY SECTION:
torproject.org.         3386    IN      SOA     nevii.torproject.org. hostmaster.torproject.org. 2023041263 10800 3600 1814400 3601

;; Query time: 20 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Apr 15 23:49:35 CEST 2023
;; MSG SIZE  rcvd: 102

On debian this leads to slow DNS-resolution and on Alpine could not resolve are everywhere. Is this the default behaviour or did I misconfigure something? Is there a way to fix this?

Probably related to DNSPort is broken on Alpine-Linux since 3.13 (#40248) · Issues · The Tor Project / Core / Tor · GitLab

Patrick · April 16, 2023, 12:51pm

Since Whonix is based on Tor, Whonix will inherit all limitations by Tor. This could be a limitation by Tor. This will most likley require Generic Bug Reproduction.

Patrick · April 16, 2023, 12:52pm