Tor DisableNetwork 1 - Tor will make still certain network-related calls (like DNS lookups) even if DisableNetwork is set.

I was reviewing Anon Connection Wizard and it looks like it sets DisableNetwork to 1 in the tor config to prevent traffic leaking. In the Tor documentation it says “Tor will make still certain network-related calls (like DNS lookups) as a part of its configuration process, even if DisableNetwork is set.”

Does Anon Connection Wizard do anything to prevent these leaks?

Interesting.

For reference:

Quote from tor(1), Debian bullseye-backports, Debian Manpages:

DisableNetwork 0|1

When this option is set, we don’t listen for or accept any connections other than controller connections, and we close (and don’t reattempt) any outbound connections. Controllers sometimes use this option to avoid using the network until Tor is fully configured. Tor will make still certain network-related calls (like DNS lookups) as a part of its configuration process, even if DisableNetwork is set.

The short answer for Anon Connection Wizard (ACW) is:
No, it doesn’t.

And also, might sound a bit strange but I will elaborate…
No, it cannot. And it should not. It’s conceptually not the correct tool for this task. Further elaboration:

(Not 100% on topic but very similar.)
Troubleshooting - Whonix chapter Unsuitable Connectivity Troubleshooting Tools in Whonix wiki

In short, ACW is just a simple tool to configure Tor using existing possibilities that users could also apply manually.

However, if there was a setting such as DisableNetworkForReal 1 then ACW should use it.

As for the following very specific part…

At least DNS lookups are covered / protected / avoided. That is because Whonix-Gateway at time of writing has no functional system DNS for its own traffic by design.
(Details: Whonix-Gateway System DNS - Whonix)

If Tor would make other network related calls, then I wouldn’t know any method to block these.

Could you please report a bug against Tor at The Tor Project (if none exists yet)?

As per:
https://www.whonix.org/wiki/Free_Support_Principle

Moderation comment: I will also rename “Anon Connection Wizard Leak?” That’s because it’s not really a leak in ACW. It’s a bug / leak in Tor itself ignoring DisableNetwork 1.

Whonix documentation is implicitly covering this already (just not yet the specific example but I will add it):