dnsmasq on the host operating system is increasing the attack surface.
How did I find that out?
Check open ports and write them to a file.
sudo netstat -tulpen > old
Install packages required for Whonix KVM according to Whonix KVM documentation.
Check open ports again and write them to a different file.
sudo netstat -tulpen > new
Use any (graphical) diff viewer of your choice.
meld old new
dnsmasq opens a listen port on the host operating system that is reachable from the LAN and from the Internet (if not using a NAT router or host operating system firewall).
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 0 19969 1975/dnsmasq
tcp6 0 0 :::53 :::* LISTEN 0 19971 1975/dnsmasq
Whonix KVM TODO: Include instructions on how to configure dnsmasq to listen on localhost only (if there is no way to get rid of it completely).
NOTE: I am not a maintainer of Whonix KVM.
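
The before/after comparison described above can also be done without a graphical diff viewer. The following is an added example, not part of the original post: the function name new_wildcard_listeners and the sshd/cupsd sample lines are made up for illustration, and it assumes the column layout of `netstat -tulpen` shown in the post.

```shell
#!/usr/bin/env bash
# Added example: report sockets that are present only in the second
# `netstat -tulpen` snapshot and bound to a wildcard address (0.0.0.0 or ::),
# i.e. listening on every interface rather than on localhost only.

# Usage: new_wildcard_listeners OLD NEW
# Prints one "proto local_address program" line per new wildcard socket.
new_wildcard_listeners() {
    awk '
        # Identify a socket by protocol, local address and program name.
        # The PID is dropped because it changes whenever a service restarts.
        function key(   i, prog) {
            prog = "-"
            for (i = 6; i <= NF; i++)
                if ($i ~ /^[0-9]+\//) { prog = $i; sub(/^[0-9]+\//, "", prog); break }
            return $1 " " $4 " " prog
        }
        $1 !~ /^(tcp|udp)6?$/ { next }                  # skip netstat header lines
        FILENAME == ARGV[1]   { seen[key()] = 1; next } # first snapshot: remember
        {
            k = key()
            if (!(k in seen) && !(k in shown) && $4 ~ /^(0\.0\.0\.0|::):[0-9]+$/) {
                shown[k] = 1
                print k
            }
        }
    ' "$1" "$2"
}

# Constructed sample snapshots. The two dnsmasq lines are the ones quoted in
# the post; the sshd and cupsd lines are made up for the demonstration.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/old" <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 15001 812/sshd
EOF
cat > "$tmp/new" <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 15044 903/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 0 18210 1502/cupsd
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 0 19969 1975/dnsmasq
tcp6 0 0 :::53 :::* LISTEN 0 19971 1975/dnsmasq
EOF
new_wildcard_listeners "$tmp/old" "$tmp/new"
```

With the real snapshots from the steps above, the call is `new_wildcard_listeners old new`; listeners bound to 127.0.0.1 or ::1 are not reported.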