Hi.
In WorkStation I have foxyproxy connected to a Socks5 proxy in Firefox ESR browser with “Send DNS through SOCKS5 proxy” toggled to on in foxyproxy options.
In the terminal on Workstation I run “sudo tcpdump -n -i eth0 port 53”.
Then in FireFox I go to dnsleaktest (DOT) com and run the standard and extended tests which both populate the terminal with DNS traffic going to the Whonix Gateway for “example (DOT) org” and “ipv4only (DOT) arpa”
In testing I found that toggling the about:config option “network.dns.disableIPv6” from false to true reduced the number of request significantly.
Can anyone give me an idea on what is happening or what other about:config changes could help reduce traffic.
I should add that dnsleaks (DOT) com tests show only the SOCKS5 Proxys dns servers so there doesn’t seem to be any issue there. I’m just curious why the requests (2 A record requests with ipv6 dns disabled) are getting through.
Leaks of any sort were the reason why Whonix was invented. To make sure there’s no leaks and all traffic is always routed over Tor.
Whonix installs by default, recommends to use Tor Browser. Other browsers are discouraged. Not because of fear of any IP/DNS leaks but for other reasons as documented here:
What is better, configure the application’s proxy settings or using a proxifier? There can be no generalized answer as this is highly application specific. The most comprehensive documentation of this is the Torify HOWTO. Also a web search could be performed on how to torify applications.
Finding up to date instructions for torification is difficult because developing instructions for torification itself is a difficult process. Someone who understands networking needs to leak test if the torification instructions are actually working. Or if there is a leak which means that portion’s of the applications’s traffic ignore proxy settings and/or circumvent the proxifier and is actually making external connections without using Tor.
Asking for torification instructions for specific applications at Whonix ™ Free Support is probably futile unless it is a premium support request. The Whonix ™ is the wrong recipient for such support requests. One of the main reasons for the inception of the Whonix ™ was that finding, developing and applying torification instructions is so difficult and one never really knows if it is 100% free of leaks. Even seriously reviewed torification instructions for one application would only apply to the very version which was being reviewed. Not to future versions of the application.
The legacy approach of torification of arbitrary applications on the host seems to been largely given up. There are very few edits to the Torify HOWTO over the years. Nowadays some application developers are providing Tor-safe by default applications, i.e. applications designed for use with Tor in mind and not as an afterthought. Examples include Tor Browser and OnionShare. Also if users are asking how to torifiy specific applications and making sure these are leak free, users are probably told “use Whonix”.
My goal isn’t so much to avoid my traffic being linked to a pseudoidentity. I’m trying to create a profile that blends in with the majority instead of using Tor Browser which will make me indistinct but within a very distinctive group that is easily blocked when their IP is identified as an Exit Node.
If I could get your opinion on one more thing. What do you think of Nested Virtualization to solve my problem?
If I could run a browser inside a vm nested in Workstation then I could preserve the iptables rules of workstation that would act as a safeguard and modify the nested vm’s iptables to block all DNS requests. Do you know of any precedents for this?
Thanks for your attention.
I am not aware that such as thing exists. Probably too complex a project. You would need to study existing browser fingerprinting research and defenses. In essence, invent your own Tor Browser. This is outside the scope for Whonix support. And it’s unspecific to Whonix.
B) Nested Virtualization - Kicksecure probably to be avoided due to its inherit issues. Also the slowness of it might contribute to it being trackable.
If you use third-party addons in your browser, and uBlockOrigin is among them, there is a setting in it called Uncloak canonical names. When checked (default), it will leak your dns when using extensions like FoxyProxy. Just in case.
