When you run, for example, curl, apt, apt-get and other uwt wrapped applications by default, what happens under the hood is actually running torsocks curl.
Short introduction:
This can be disabled:
Longer explanation:
For Whonix-Workstation to be able to use system default DNS (non-uwt wrapped applications and/or uwt disabled) (meaning not using a proxifier / socksifier), it requires Whonix-Gateway providing a Tor DnsPort. (See Tor manual for DnsPort.) Furthermore Tor requires traffic to be redirected to Tor’s DnsPort using iptables (or similar). Once Whonix-Gateway firewall is down, this iptables redirection will be non-existing.
The same, simplified, in more generic terms (unspecific to Whonix):
For a machine to be able to use system default DNS, it requires a Tor DnsPort. (See Tor manual for DnsPort.) Furthermore Tor requires traffic to be redirected to Tor’s DnsPort using iptables (or similar).
The same is true for system default TCP traffic. (See Tor manual for TransPort.)
This might help too:
- Technical Introduction
- Whonix (by that time still called TorBOX) was originally based on this:
Related:
You’re underway of a great journey of understanding Whonix networking. If you understand most of that, you’ll be in a much better position to judge the (un)likeliness of leaks when using Whonix-Workstation.
And also if you have ideas on how to document this and perhaps even could contribute the required wiki enhancements, that would be great.
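The dependency described in the post (system default DNS and TCP only reach Tor while an iptables redirection to DnsPort and TransPort exists) can be checked from saved firewall state. The following is an added example, not part of the original post and not Whonix's own code; the port numbers 5300 and 9040, the interface name eth1 and both rule sets are constructed sample values.

```python
import shlex

# Constructed sample values (assumptions, not taken from the post): the ports
# Tor would be told to listen on via DnsPort / TransPort in torrc, and the
# name of the internal interface facing the workstation.
DNS_PORT, TRANS_PORT, INT_IF = 5300, 9040, "eth1"

# Constructed `iptables-save -t nat` output for a gateway with the firewall up.
FIREWALL_UP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5300
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
"""
# Constructed output after the firewall went down: no redirection rules remain.
FIREWALL_DOWN = "*nat\n:PREROUTING ACCEPT [0:0]\nCOMMIT\n"


def redirect_rules(save_text):
    """Yield (in_iface, proto, dport, to_port) for each PREROUTING REDIRECT rule."""
    for line in save_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "PREROUTING"] or "REDIRECT" not in tok:
            continue  # table headers, chain policies, other targets
        opt = lambda flag: tok[tok.index(flag) + 1] if flag in tok else None
        yield opt("-i"), opt("-p"), opt("--dport"), opt("--to-ports")


def check(save_text):
    """Report whether DNS and generic TCP arriving on INT_IF are handed to Tor."""
    rules = list(redirect_rules(save_text))
    return {
        # UDP port 53 must be redirected to Tor's DnsPort.
        "dns_to_DnsPort": (INT_IF, "udp", "53", str(DNS_PORT)) in rules,
        # TCP with no destination-port filter must be redirected to TransPort.
        "tcp_to_TransPort": (INT_IF, "tcp", None, str(TRANS_PORT)) in rules,
    }


if __name__ == "__main__":
    for name, text in (("firewall up", FIREWALL_UP), ("firewall down", FIREWALL_DOWN)):
        print(name, check(text))
```

The check only confirms that the redirection rules are present; whether non-redirected traffic is also blocked is a separate property of the firewall.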