Whonix KVM dnsmasq - listen port on host operating system - attack surface reduction

Could you please try creating the dummy binary?

File content:

#!/bin/bash
sleep infinity

Place in /usr/sbin/dnsmasq and make executable.

sudo chmod +x /usr/sbin/dnsmasq

It will mess up KVM itself: commands like "virsh" won't run, nor will VMs show up when you open "Virtual Machine Manager"; it will show "QEMU/KVM - Connecting…" instead and stay stuck like that indefinitely.


Thank you!

We now have maxed out what we can do wrt Whonix KVM dnsmasq hardening until Debian addresses this bug.

  • No more listen port on the host operating system.
  • No DNS server inside the libvirt network.

dnsmasq-base package on the host operating system (the program only) is not a big deal since no dnsmasq daemon (dnsmasq package) is installed. It’s just 1 extraneous package.

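The two bullets above are properties a practitioner will want to re-verify after every libvirt or dnsmasq package upgrade. The following script is an added example, not code from this thread or from the Whonix project: it audits `ss -Hlntup`-style output for any dnsmasq process or port 53 listener on the host, and checks a libvirt network definition (as printed by `virsh net-dumpxml`) for `<dns enable='no'/>`, the libvirt attribute that stops dnsmasq from serving DNS on that network. The sample `ss` lines and the network XML embedded below are constructed for illustration; the network name, bridge and addresses are placeholders, not Whonix's actual configuration.

```bash
#!/bin/bash
# Added audit example (not from the thread). Checks the two hardening goals:
#   1. no dnsmasq / DNS listener on the host,
#   2. DNS disabled inside the libvirt network definition.

# Report dnsmasq or port-53 listeners found in `ss -Hlntup` output.
# Returns 0 when the host is clean, 1 when a listener is found (and prints it).
audit_dns_listeners() {
  local ss_output="$1"
  local hits
  hits=$(printf '%s\n' "$ss_output" \
    | grep -E 'users:\(\("dnsmasq"|:53[[:space:]]' || true)
  if [ -n "$hits" ]; then
    printf 'DNS listener(s) found on host:\n%s\n' "$hits"
    return 1
  fi
  return 0
}

# Return 0 if the libvirt network XML disables DNS, 1 otherwise.
# Assumption: libvirt honours <dns enable='no'/> inside <network>.
check_network_dns_disabled() {
  local net_xml="$1"
  printf '%s\n' "$net_xml" | grep -q "<dns enable='no'/>"
}

# --- constructed sample data (not captured from a real host) ---
SS_CLEAN='udp   UNCONN 0 0   0.0.0.0:68     0.0.0.0:* users:(("dhclient",pid=812,fd=6))
tcp   LISTEN 0 128 127.0.0.1:631  0.0.0.0:* users:(("cupsd",pid=655,fd=7))'

SS_DIRTY="$SS_CLEAN
udp   UNCONN 0 0   192.168.122.1:53 0.0.0.0:* users:((\"dnsmasq\",pid=1234,fd=5))
tcp   LISTEN 0 32  192.168.122.1:53 0.0.0.0:* users:((\"dnsmasq\",pid=1234,fd=6))"

NET_XML_HARDENED="<network>
  <name>example-external</name>
  <forward mode='nat'/>
  <bridge name='virbr9' stp='on' delay='0'/>
  <dns enable='no'/>
  <ip address='10.0.2.2' netmask='255.255.255.0'/>
</network>"

NET_XML_DEFAULT="<network>
  <name>example-default</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
</network>"

# Live mode: run against the real host when invoked with --live.
# Usage: sudo ./audit.sh --live example-external
if [ "${1:-}" = "--live" ] && command -v ss >/dev/null 2>&1; then
  audit_dns_listeners "$(ss -Hlntup 2>/dev/null)" && echo "host: no DNS listener"
  if [ -n "${2:-}" ] && command -v virsh >/dev/null 2>&1; then
    if check_network_dns_disabled "$(virsh net-dumpxml "$2" 2>/dev/null)"; then
      echo "network $2: DNS disabled"
    else
      echo "network $2: DNS still enabled"
    fi
  fi
fi
```

In live mode the script needs root only to see process names in `ss` output; the port check itself works unprivileged. A port-53 hit from a process other than dnsmasq (a local resolver such as unbound, for instance) is still reported, since the property being checked is "no DNS listener on the host", not merely "no dnsmasq".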

@Patrick Any news on this?
It has been several months; will they fix this? What is the timeframe for such bugs to get fixed?

No.

I doubt it. Doesn’t look like it.

Doesn’t exist.

For some reason, this seems to break IPv6 support in KVM. Whonix-Gateway is able to send router solicitation packets just fine, but libvirt never responds with a router advertisement, which breaks SLAAC and thus the gateway never gets a usable IPv6 address on the external interface. As a result, IPv6 basically works out of the box on VirtualBox, but does not work on KVM without removing this line from the external network configuration.

Will document this, we can research it later.
