just trying out whonix 14 and found that apt update fails on the gateway because there is no dns resolution for security.debian.org and ftp.us.debian.org which are both in /sources.d/debian.list along with onion mirrors which connect fine.
is this just a hangover from testing with dns turned on and will be changed upon release and they should be commented out?
There are two possible reasons why this could happen. Either there is an issue with the repository that the maintainers have yet to fix or the user is the victim of a man-in-the-middle attack.  The latter is not a big issue, since no malicious packages are installed. Further, it may automatically resolve itself after a period of time when a different, non-malicious Tor exit relay is used, or following a manual change of the Tor circuit.
maybe it is a misunderstanding, but I thought that the gateway should only connect to .onion servers. i realise looking at my original post that I did not mention that this was on the gateway… key detail there
the dns for the gateway points to local addresses not assigned to anything.
@kuruu Please disregard all of my posts in this thread. They have nothing to do with your issue. Given that you’re using virtualbox, we need to start over from the beginning. Unfortunately, I don’t have access to a virtualbox setup and I’m also behind in Whonix 14 knowledge. Maybe @tempest can help?
For virtualbox users, it matters whether you use apt or apt-get. apt-get is torrified. apt will try to communicate over clearnet, which Whonix-Gateway does not allow. Whonix-Gateway can optionally torrify your clearnet traffic but as you stated earlier, you have not changed the defaults: GATEWAY_TRANSPARENT_TCP=0; GATEWAY_TRANSPARENT_DNS=0. apt should simply fail.
There are 2 things happening that I don’t understand:
Your nameserver should be set to 127.0.0.1 instead of:
In practice, this probably only matters if you enable GATEWAY_TRANSPARENT_DNS since all other traffic will be directed by uwt to localhost:SocksPort.
apt should fail and it does for clearnet but it succeeds for onion repos. Is that intended behavior from Whonix-Gateway? What proxy does non-Qubes-Whonix use for Acquire:tor:proxy?
By the way… Some addendum on technical details only.
Whonix-Gateway’s own traffic could be transparently torified (currently it has no system default networking, all is socksified pointing to Tor).
GATEWAY_TRANSPARENT_DNS alone is not enough to make DNS work on Whonix-Gateway. Please see whonix-firewall source code for the limited things that it does. User user, root user and others besides user clearnet would still be firewall restricted by default. You’d have to allow the root user (another whonix-firewall configuration option) to be able to connect and disable uwt for apt-get Disable Stream Isolation: Easy.
/etc/resolv.conf would have to be pointed to nameserver 127.0.0.1.
Right. I understand that apt-get is socksified. But OP is using apt update, so my reply was regarding expected behavior with apt. Am I misunderstanding how apt works? It should fail completely but it is somehow able to retrieve the onion repos.