I’m working with Debian as host,
running KVM plus Whonix-Gateway and Whonix-Workstation.
I start every time the iptraf on the Debian system before starting whonix-gateway and whonix-workstation. In this way I can trace the ethernet communication of whonix. My expectation is the whonix exchange the packages only whith the connected TOR-server. Indeed it is the case. But after running the iptraf a little bit longer (60 min) you can see the trace of another one IP address. This behavior is some kind of interesting because the IP address and port are every time the same.
104.238.167.111:443
The reverse DNS search returns the following:
IP address 104.238.167.111
Location Frankfurt am Main, Hesse, Germany (DE) flag
Registry arin
Reverse DNS (PTR record) 104.238.167.111.vultr.com
DNS server (NS record) reversedns.vultr.com (108.61.191.147)
What is going on here? It seems to me that my PC is sending regularly some kind of information to the same host in Internet. Did anybody of you make the similar observation?