Whonix KVM dnsmasq - listen port on host operating system - attack surface reduction

Could you please try creating the dummy binary?

File content:

#!/bin/bash
# Dummy stand-in for the dnsmasq binary: never opens a socket, just blocks forever.
sleep infinity

Place in /usr/sbin/dnsmasq and make executable.

sudo chmod +x /usr/sbin/dnsmasq

It will mess up KVM itself: commands like “virsh” won't run, nor will VMs show up when you open “Virtual Machine Manager”; instead it shows “QEMU/KVM - Connecting…” and stays stuck like that indefinitely.


Thank you!

We now have maxed out what we can do wrt Whonix KVM dnsmasq hardening until Debian addresses this bug.

  • No more listen port on the host operating system.
  • No DNS server inside the libvirt network.

dnsmasq-base package on the host operating system (the program only) is not a big deal since no dnsmasq daemon (dnsmasq package) is installed. It’s just 1 extraneous package.

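As an added check for the two outcomes listed in the post above (example code, not from the forum thread or the Whonix project): it looks for a dnsmasq listener or any port-53 socket in `ss -lntup` style output, and confirms a libvirt network definition carries `<dns enable='no'/>`, libvirt's documented switch for disabling DNS on a network. Both inputs are read as text from stdin, so the samples below are constructed, and the network name and address in them are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the Whonix forum thread): verify the two hardening
# outcomes described in the post, working on captured command output so the
# check can be reviewed offline.

# Read `ss -lntup` style output from stdin (header line, then one socket per
# line with "Local Address:Port" in column 5). Print every socket owned by
# dnsmasq or bound to port 53. Returns 0 when nothing matches, i.e. no DNS
# listen port on the host; returns 1 and prints the offending lines otherwise.
host_dns_listeners() {
  local hits
  hits=$(awk 'NR > 1 && ($0 ~ /dnsmasq/ || $5 ~ /:53$/) { print }')
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Read a libvirt network XML definition from stdin and return 0 only if it
# disables DNS with <dns enable='no'/> (single or double quotes accepted).
libvirt_net_dns_disabled() {
  grep -Eq "<dns[[:space:]]+enable=['\"]no['\"]"
}

# Constructed sample: a host where dnsmasq is still listening on UDP 53.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      192.168.122.1:53  0.0.0.0:*   users:(("dnsmasq",pid=1234,fd=5))
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:*   users:(("cupsd",pid=900,fd=7))'

# Constructed sample: a libvirt network definition with DNS turned off.
# Network name and address are hypothetical.
SAMPLE_NET_XML="<network>
  <name>example-net</name>
  <forward mode='nat'/>
  <dns enable='no'/>
  <ip address='192.0.2.1' netmask='255.255.255.0'/>
</network>"

# Run both checks against the samples and report.
if printf '%s\n' "$SAMPLE_SS" | host_dns_listeners; then
  echo "host: no DNS listener"
else
  echo "host: DNS listener(s) still present (see above)"
fi
if printf '%s\n' "$SAMPLE_NET_XML" | libvirt_net_dns_disabled; then
  echo "libvirt network: DNS disabled"
else
  echo "libvirt network: DNS still enabled"
fi
```

On a live system the same functions take real input: `ss -lntup | host_dns_listeners` and `virsh net-dumpxml <network> | libvirt_net_dns_disabled`.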

@Patrick Any news on this?
It has been several months; will they fix this? What is the timeframe for such bugs to get fixed?

No.

I doubt it. Doesn’t look like it.

Doesn’t exist.