I think it’s needed. More on tcpwrapped:
Specifically, it means that a full TCP handshake was completed, but the remote host closed the connection without receiving any data.
So two things here:
- We still don’t want a TCP handshake to be completed because unsolicited incoming connections have a higher attack surface than not allowing unsolicited incoming connections.
- Even the information “port 53 tcpwrapped” should not be leaked over the LAN or internet. It could even be deduced: “Maybe it’s a Whonix KVM user”.
Related:
A writeup on “unsolicited incoming connections” → Opening Ports in Whonix.
I don’t know which one would be applicable here, but here’s a long list of dnsmasq CVEs to review:
Potential solution, untested:
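As an added illustration (written for this page; not part of the post above and not the potential solution it refers to), the script below shows the difference the post draws between a port that refuses the handshake and one that is “tcpwrapped”: the TCP handshake completes, then the peer closes without sending any data. It spins up a constructed local listener that behaves like a tcpwrapped service, classifies it, and then classifies a port with nothing listening. The classifier names (`classify_tcp_port`, `start_wrapped_listener`, `free_port`) and the constructed listener are assumptions of this example, not anything from Whonix or dnsmasq; the same function can be pointed at port 53 of a host you administer to verify whether unsolicited connections are refused rather than accepted-and-closed.

```python
import socket
import threading


def classify_tcp_port(host, port, timeout=2.0):
    """Classify how a TCP port reacts to an unsolicited connection.

    Returns one of:
      "refused"     - handshake never completes (RST), nothing accepting connections
      "filtered"    - connect times out (packets dropped by a firewall)
      "tcpwrapped"  - handshake completes, peer closes before sending any data
                      (the state nmap reports as 'tcpwrapped')
      "open"        - handshake completes and the service keeps the connection
                      up or sends a banner
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "refused"
    except socket.timeout:
        s.close()
        return "filtered"
    try:
        # Wait for the first byte; an immediate EOF means the peer closed
        # the completed connection without sending anything.
        data = s.recv(1)
    except socket.timeout:
        return "open"          # accepted and held open, no banner within timeout
    except ConnectionResetError:
        return "tcpwrapped"    # accepted, then torn down with RST before any data
    finally:
        s.close()
    return "tcpwrapped" if data == b"" else "open"


def start_wrapped_listener(host="127.0.0.1"):
    """Constructed stand-in for a tcpwrapped service (example only).

    Accepts every connection and closes it at once without reading or
    writing, which is exactly the behaviour the post objects to.
    Returns (server_socket, port); close the socket to stop the thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))        # ephemeral port chosen by the OS
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:    # server socket closed by the caller
                return
            conn.close()       # handshake done, no data exchanged

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port(host="127.0.0.1"):
    """Pick a port with nothing listening on it (example helper)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = start_wrapped_listener()
    print(f"constructed listener on 127.0.0.1:{port}: {classify_tcp_port('127.0.0.1', port)}")
    srv.close()
    print(f"unused port: {classify_tcp_port('127.0.0.1', free_port())}")
```

Only the “refused” (or “filtered”) result means no handshake was completed with the probing host; “tcpwrapped” confirms that a listener accepted the connection, which is the leak the post describes.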