Whonix KVM dnsmasq - listen port on host operating system - attack surface reduction

Unfortunately I have to raise one point here. We could make a meaningful distinction between:

  • A) ISP-level network fingerprint analysis leaking “user of dnsmasq or something similar, maybe a Whonix user?”, versus
  • B) Leaking that information to anyone who can use a port scanner over LAN (if using a WiFi hotspot, a big LAN or a LAN-based ISP) or even over WAN (if not using a NAT router, or using a compromised NAT router).

We cannot do anything about A) (as per TCP linux-hardened fingerprinting) but B) is avoidable. For that, either

  • 1) dnsmasq would need to be avoided, or
  • 2) Whonix KVM documentation could include instructions on how to set up a host firewall, which is specifically important due to dnsmasq.

Whonix-Gateway requires neither

  • X) DHCP, nor
  • Y) DNS.

DHCP:
DHCP isn’t needed by Whonix-Gateway because whonix-gw-network-conf/etc/network/interfaces.d/30_non-qubes-whonix (Whonix/whonix-gw-network-conf on GitHub) uses static networking; no DHCP has been needed for many Whonix versions.

DNS:
DNS isn’t needed by Whonix-Gateway because Tor does not require DNS.
(Except perhaps for some pluggable transports.)
Related: Whonix-Gateway System DNS - Whonix

So I don’t understand why Whonix KVM requires dnsmasq.
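As an added example that is not part of the original post and not Whonix project code, the script below shows the two practical sides of point B) and option 2): a check that lists which dnsmasq sockets on the host are bound to a wildcard address (and therefore answer on the LAN/WAN side, not only on the libvirt bridge), and an nftables ruleset that admits DNS/DHCP only when it arrives on that bridge. The bridge name virbr0, the port set (UDP/TCP 53, UDP 67) and the `ss -H -lnup` output are assumptions; the ss output in particular is a constructed sample, not captured from a Whonix host.

```shell
#!/bin/sh
# Added example, not Whonix project code. Two pieces:
#  1) a check that lists dnsmasq sockets bound to the wildcard address
#     (reachable from every interface, i.e. from LAN/WAN unless filtered), and
#  2) an nftables ruleset that only admits DNS/DHCP arriving on the libvirt bridge.
# Assumptions: the libvirt bridge is named "virbr0", dnsmasq serves UDP/TCP 53
# and UDP 67, and the ss(8) output below is a constructed sample.

BRIDGE="${BRIDGE:-virbr0}"

# Constructed sample of `ss -H -lnup` on a KVM host. On a real host use:
#   SAMPLE_SS=$(ss -H -lnup)
SAMPLE_SS='udp   UNCONN 0 0   192.168.122.1:53   0.0.0.0:*   users:(("dnsmasq",pid=1234,fd=5))
udp   UNCONN 0 0   0.0.0.0:67   0.0.0.0:*   users:(("dnsmasq",pid=1234,fd=3))
udp   UNCONN 0 0   127.0.0.53%lo:53   0.0.0.0:*   users:(("systemd-resolve",pid=700,fd=12))
udp   UNCONN 0 0   0.0.0.0:68   0.0.0.0:*   users:(("dhclient",pid=900,fd=6))'

# Print the local address:port of every dnsmasq socket bound to a wildcard
# address (0.0.0.0, [::] or *). A socket bound to the bridge IP only answers
# on that IP; a wildcard socket answers on whichever interface the packet hits.
exposed_dnsmasq_sockets() {
    printf '%s\n' "$1" | awk '
        /"dnsmasq"/ {
            addr = $5
            sub(/:[^:]*$/, "", addr)          # strip the trailing ":port"
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") print $5
        }'
}

# Emit an nftables ruleset (inet family, so it covers IPv4 and IPv6) that lets
# guests on the bridge reach dnsmasq and drops the same ports on every other
# interface. The loopback rule keeps a local stub resolver (e.g. 127.0.0.53)
# working; without it the blanket "udp dport 53 drop" would break host DNS.
nft_ruleset() {
    cat <<EOF
table inet dnsmasq_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        iif "lo" accept
        iifname "$1" udp dport { 53, 67 } accept
        iifname "$1" tcp dport 53 accept
        udp dport { 53, 67 } drop
        tcp dport 53 drop
    }
}
EOF
}

# Apply the ruleset atomically (needs root and nftables). Only runs when the
# script is invoked with --apply; otherwise it just reports.
if [ "${1:-}" = "--apply" ]; then
    nft_ruleset "$BRIDGE" | nft -f -
    exit $?
fi

echo "dnsmasq sockets reachable from any interface:"
exposed_dnsmasq_sockets "$SAMPLE_SS"
echo
echo "nftables ruleset that would restrict them to $BRIDGE:"
nft_ruleset "$BRIDGE"
```

Run it without arguments to see the check and the generated ruleset; run it as root with `--apply` (after setting BRIDGE to the real libvirt bridge name) to load the table. The table is added alongside libvirt's own rules rather than replacing them: a drop in any input chain wins, so the guests' traffic on the bridge is still accepted while a scanner on the LAN or WAN side gets no answer from port 53 or 67, even though dnsmasq itself may still be bound to 0.0.0.0:67. Re-run the check afterwards with live `ss` output to confirm nothing else on the host is exposing those ports.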