Could you please try creating the dummy binary?
File content:
#!/bin/bash
sleep infinity
Place in /usr/sbin/dnsmasq and make executable.
sudo chmod +x /usr/sbin/dnsmasq
It will mess up KVM itself: commands like "virsh" won't run, and VMs won't show up when you open "Virtual Machine Manager"; it will instead show "QEMU/KVM - Connecting…" and will be stuck like this indefinitely.
Thank you!
We now have maxed out what we can do wrt Whonix KVM dnsmasq hardening until Debian addresses this bug.
dnsmasq-base package on the host operating system (the program only) is not a big deal since no dnsmasq daemon (dnsmasq package) is installed. It's just 1 extraneous package.
@Patrick Any news on this?
It has been several months, will they fix this? What is the timeframe for such bugs to get fixed?
No.
I doubt it. Doesn't look like it.
Doesn't exist.
For some reason, this seems to break IPv6 support in KVM. Whonix-Gateway is able to send router solicitation packets just fine, but libvirt never responds with a router advertisement, which breaks SLAAC and thus the gateway never gets a usable IPv6 address on the external interface. As a result, IPv6 basically works out of the box on VirtualBox, but does not work on KVM without removing this line from the external network configuration.
Will document this, we can research it later.
Warn users that this enables dnsmasq on host?
Already documented at:
Update: Disabling the default network on Libvirt disables dnsmasq instances and that can be seen using netstat -tulpen. Since we have moved to qemu:///session we are no longer forced to rely on network bridges nor have to deal with the problems they cause.
For KS host scripting purposes:
To prevent libvirt from altering the firewall, stop and disable the default network. Make sure there are no active virtual machines (VMs) still using this network.
# virsh net-destroy default
# virsh net-autostart --disable default
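
A check for the state the last post describes (default network stopped, autostart off, no dnsmasq sockets left in netstat -tulpen), as an added example that is not part of the thread. The function names are hypothetical and the sample command output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). For a live check, run as root so that
# netstat fills in the PID/Program name column:
#   audit_host "$(virsh net-list --all)" "$(netstat -tulpen)"

# Print "<state> <autostart>" of the network named default, or "absent".
default_net_state() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $2, $3; f = 1 }
                              END { if (!f) print "absent" }'
}

# Print protocol and local address of every socket owned by dnsmasq.
dnsmasq_sockets() {
    printf '%s\n' "$1" | awk '$NF ~ /\/dnsmasq$/ { print $1, $4 }'
}

# Return 0 only if default is stopped with autostart off (or absent)
# and no dnsmasq socket is present.
audit_host() {
    state=$(default_net_state "$1")
    socks=$(dnsmasq_sockets "$2")
    rc=0
    case "$state" in
        absent|"inactive no") ;;
        *) echo "FAIL: default network is: $state"; rc=1 ;;
    esac
    if [ -n "$socks" ]; then
        echo "FAIL: dnsmasq sockets present:"; echo "$socks"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: default network off, no dnsmasq sockets"; fi
    return "$rc"
}

# Constructed sample output, before and after the two virsh commands.
NETS_BEFORE=' Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes'
NETS_AFTER=' Name      State      Autostart   Persistent
----------------------------------------------
 default   inactive   no          yes'
SOCKS_BEFORE='Proto Recv-Q Send-Q Local Address  Foreign Address  State  User Inode PID/Program name
tcp   0  0 192.168.122.1:53  0.0.0.0:*  LISTEN  0  23456  1234/dnsmasq
udp   0  0 0.0.0.0:67        0.0.0.0:*          0  23454  1234/dnsmasq
tcp   0  0 127.0.0.1:631     0.0.0.0:*  LISTEN  0  20111  801/cupsd'
SOCKS_AFTER='tcp   0  0 127.0.0.1:631     0.0.0.0:*  LISTEN  0  20111  801/cupsd'
```
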