Whonix KVM dnsmasq - listen port on host operating system - attack surface reduction

I got my Debian Guest VM working without dnsmasq.

1. Removed dnsmasq completely.

2. Tried to start the Guest VM; virt-manager gives an error about dnsmasq missing.

3. Edited the “default” network XML file.
added: <dns enable="no"/>
removed: dhcp range

4. Tried to start the Guest VM again; all working.

The same should work with Whonix, since Whonix doesn’t need DNS or DHCP.
I hope you guys can fix this in the Whonix network XMLs. And the attack surface will be reduced.

2 Likes
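The edit from the first post, written out as an added example script (not code from the thread, from Whonix or from libvirt): it takes the XML that `virsh net-dumpxml default` prints, drops every `<dhcp>` block, forces a single `<dns enable="no"/>`, and reports which elements would still make libvirt start dnsmasq. The sample network below is constructed, with placeholder uuid and mac values. It only rewrites the network definition; it does not uninstall dnsmasq-base, which is the step the next post reports trouble with.

```python
"""Strip the parts of a libvirt network definition that make libvirt spawn
dnsmasq (the <dhcp> range and DNS), i.e. the edit from the first post.

Added example, not code from the thread, Whonix or libvirt. Standard
library only; the virsh commands in the usage note are libvirt's own.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape `virsh net-dumpxml default` prints for the
# stock NAT network; the uuid and mac address are placeholder values.
SAMPLE_NETWORK_XML = """\
<network>
  <name>default</name>
  <uuid>00000000-0000-4000-8000-000000000001</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:00:00:01'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>
"""


def dnsmasq_dependent_elements(xml_text):
    """Names of the elements that would make libvirt start dnsmasq for this
    network: every <dhcp> under an <ip>, and DNS unless <dns enable="no"/>
    is present (an absent <dns> element means DNS is enabled)."""
    root = ET.fromstring(xml_text)
    found = ["ip/dhcp" for ip in root.findall("ip") if ip.find("dhcp") is not None]
    dns = root.find("dns")
    if dns is None or dns.get("enable") != "no":
        found.append("dns")
    return found


def strip_dnsmasq(xml_text):
    """Return (new_xml, removed_tags): every <dhcp> block removed and exactly
    one <dns enable="no"/> placed before the first <ip>, where virsh prints it."""
    root = ET.fromstring(xml_text)
    removed = []
    for ip in root.findall("ip"):
        for dhcp in ip.findall("dhcp"):
            ip.remove(dhcp)
            removed.append("dhcp")
    for dns in root.findall("dns"):          # drop any existing <dns> so we
        root.remove(dns)                     # end up with a single, disabled one
    children = list(root)
    ips = [c for c in children if c.tag == "ip"]
    index = children.index(ips[0]) if ips else len(children)
    root.insert(index, ET.Element("dns", {"enable": "no"}))
    for elem in root.iter():                 # elements left childless by the
        if len(elem) == 0 and elem.text and not elem.text.strip():
            elem.text = None                 # removal become self-closing
    ET.indent(root)                          # tidy whitespace left by removals
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETWORK_XML
    new_xml, removed = strip_dnsmasq(source)
    print(new_xml)
    print(f"removed {len(removed)} <dhcp> block(s); dnsmasq-dependent elements "
          f"remaining: {dnsmasq_dependent_elements(new_xml) or 'none'}", file=sys.stderr)
```

Usage: `virsh net-dumpxml default > default.xml`, run the script on that file and redirect to `default-nodns.xml`, then `virsh net-define default-nodns.xml` followed by `virsh net-destroy default` and `virsh net-start default` so the running network picks up the new definition. Running the script a second time on its own output changes nothing, so it is safe to repeat after a package upgrade rewrites the network file.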

My experience was different. After uninstalling dnsmasq-base and modifying the default network settings, I ended up with libvirt process instability where it crashed and refused to start up or let the virtual machine manager GUI connect to it until

2 Likes

Done:
KVM: Difference between revisions - Whonix

Could you please report this upstream as a bug?

Went ahead and asked upstream on how to do this if possible

https://lists.libvirt.org/archives/list/users@lists.libvirt.org/thread/PVI6KFUVNUKG6FZK7UOHM5PMSIWNHLNC/

1 Like

Nice! I think we’re onto something here…

Suggestions to include in reply, draft:

> It sounds like you're using the old monolithic 'libvirtd' daemon.

How to check that?

> Thus if you're not intending to use the libvirt virtual network feature,
> simply don't install its module, and then libvirtd will see the module
> doesn't exist, and skip the dlopen.

That sounds like something people would do who compile from source code?

We're using libvirtd (9.0.0-4) from Debian package sources. [1]

> If you're using the new modular daemons,

That is libvirtd 9.x or 10.x?

Is there a chance that something is wrong with the libvirtd compilation settings by Debian's packaging?

[1] packages.debian.org/bookworm/libvirt-daemon
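To answer the "How to check that?" question in the draft above, here is an added example (not from the thread, from Whonix or from libvirt) that classifies a host as running the monolithic libvirtd or the modular per-driver daemons from its active systemd units, and says whether the virtual-network driver (the part that spawns dnsmasq) is in play at all. The daemon unit names are libvirt's own; the connection-driver path is where Debian's packaging puts the driver modules as far as I know and is an assumption here. The `systemctl` output in the test is constructed.

```python
"""Is this host running the monolithic libvirtd, or libvirt's modular
per-driver daemons? And is the network driver loaded either way?

Added example, not from the thread or from libvirt. Unit names are
libvirt's; NETWORK_DRIVER_GLOB is an assumption about Debian's layout.
"""
import glob
import subprocess

MONOLITHIC_UNITS = {"libvirtd.service", "libvirtd.socket"}  # socket-activated hosts
MODULAR_UNITS = {                                           # may show only the socket
    "virtqemud", "virtnetworkd", "virtstoraged", "virtnodedevd",
    "virtsecretd", "virtnwfilterd", "virtinterfaced", "virtproxyd",
}  # virtlogd/virtlockd are deliberately absent: they run in both modes
NETWORK_DRIVER_GLOB = "/usr/lib/*/libvirt/connection-driver/libvirt_driver_network.so"


def active_units(list_units_output):
    """Parse `systemctl list-units --type=service,socket --state=active
    --plain --no-legend` output into the set of unit names (first column)."""
    names = set()
    for line in list_units_output.splitlines():
        parts = line.split()
        if parts and parts[0].endswith((".service", ".socket")):
            names.add(parts[0])
    return names


def libvirt_mode(units):
    """'monolithic' if libvirtd itself is up, 'modular' if any of the
    per-driver daemons is, 'none' otherwise."""
    if units & MONOLITHIC_UNITS:
        return "monolithic"
    if any(u.rsplit(".", 1)[0] in MODULAR_UNITS for u in units):
        return "modular"
    return "none"


def network_driver_loaded(units, module_present):
    """Monolithic libvirtd dlopens the network driver whenever the module
    file exists (the upstream reply's point); with modular daemons the
    driver only runs when virtnetworkd itself is active."""
    mode = libvirt_mode(units)
    if mode == "monolithic":
        return module_present
    if mode == "modular":
        return any(u.startswith("virtnetworkd.") for u in units)
    return False


def inspect_host():
    """Live check on this machine (needs systemd); returns a summary dict."""
    out = subprocess.run(
        ["systemctl", "list-units", "--type=service,socket", "--state=active",
         "--plain", "--no-legend"],
        capture_output=True, text=True, check=False).stdout
    units = active_units(out)
    present = bool(glob.glob(NETWORK_DRIVER_GLOB))
    return {"mode": libvirt_mode(units),
            "network_module_present": present,
            "network_driver_loaded": network_driver_loaded(units, present)}


if __name__ == "__main__":
    print(inspect_host())
```

The socket units matter because a socket-activated libvirtd shows up as inactive until the first client connects, so checking only `libvirtd.service` can wrongly report "none".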

Which Linux distribution did you use? From your user name, I suppose Gentoo.

Which version of libvirtd did you use?