Incomplete DNS answers in sys-whonix

DNS resolution (e.g. with dig) works fine in the VMs connected to the internet directly via sys-firewall, but in VMs connected to sys-whonix I cannot request any DNS entries except A records:

user@host:~$ dig google.com

; <<>> DiG 9.16.22-Debian <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29729
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		300	IN	A	216.58.212.174

;; Query time: 105 msec
;; SERVER: 10.137.0.8#53(10.137.0.8)
;; WHEN: Tue Jan 25 19:39:18 UTC 2022
;; MSG SIZE  rcvd: 44

user@host:~$ dig google.com txt

; <<>> DiG 9.16.22-Debian <<>> google.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 30453
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; WARNING: EDNS query returned status NOTIMP - retry with '+noedns'

;; QUESTION SECTION:
;google.com.			IN	TXT

;; Query time: 0 msec
;; SERVER: 10.137.0.8#53(10.137.0.8)
;; WHEN: Tue Jan 25 19:39:22 UTC 2022
;; MSG SIZE  rcvd: 28

Apparently, the request is answered by some DNS server that does not implement (NOTIMP) anything other than requests for A records.

Any idea what is going on here or how to fix it? I really want to fetch some TXT sections…

What you’ve experienced is a limitation of the Tor network, which whonix-gw utilizes.

Tor does not support the UDP protocol. DNS by default uses UDP. Tor gets around this by having something forward DNS requests sent to UDP port 53 to Tor, translating that request into a “Tor-specific” protocol message to a remote endpoint which instructs the endpoint to resolve the hostname, returning the “A” or “AAAA” records. Other query types are not supported and as such Tor returns NOTIMP.

To get around this, you can perform dig requests using TCP, as various resolvers support DNS resolution using TCP in addition to UDP. However, you must specify the resolver explicitly.

So instead of:

$ dig google.com txt

You’d use (forcing TCP, and using Cloudflare’s 1.1.1.1 resolver):

$ dig +tcp @1.1.1.1 google.com txt
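To make the mechanics of the answer above concrete, here is an added Python illustration (not code from the thread, from Qubes, Whonix or Tor). It builds a DNS query in wire format, shows the 2-byte length prefix that DNS over TCP uses (what `+tcp` does under the hood), and parses a response header so that the rcode dig prints as "status:" can be read directly. The two response byte strings are constructed to match the header fields and message sizes dig reported above (ids 29729 and 30453, flags qr rd ra, 44 and 28 bytes); no packets were captured. `query_tcp` is a helper name chosen here, not a dig or Tor API.

```python
"""Minimal DNS wire-format helpers (RFC 1035) illustrating why a resolver that
only implements A/AAAA lookups answers a TXT query with rcode NOTIMP, and how
a query is framed when sent over TCP to an explicit resolver."""
import socket
import struct

# RCODE values (RFC 1035 4.1.1); these are the names dig prints as "status:"
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}
QTYPE_NAMES = {v: k for k, v in QTYPES.items()}


def encode_name(name: str) -> bytes:
    """Encode 'google.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str, qid: int) -> bytes:
    """Standard recursive query (flags: rd) with one question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_response(msg: bytes) -> dict:
    """Return id, status (rcode name), questions and decoded A/TXT answers."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"id": qid, "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
              "questions": [], "answers": []}
    offset = 12
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        result["questions"].append((qname, QTYPE_NAMES.get(qtype, qtype)))
    for _ in range(an):
        rname, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1:
            value = ".".join(str(b) for b in rdata)
        elif rtype == 16:  # TXT rdata is a sequence of <len><chars> strings
            value, i = [], 0
            while i < len(rdata):
                value.append(rdata[i + 1:i + 1 + rdata[i]].decode("latin-1"))
                i += 1 + rdata[i]
        else:
            value = rdata.hex()
        result["answers"].append((rname, QTYPE_NAMES.get(rtype, rtype), ttl, value))
    return result


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def query_tcp(name: str, qtype: str, resolver: str, qid: int = 0x1234) -> dict:
    """Hypothetical helper: send a query over TCP, like `dig +tcp @resolver`."""
    with socket.create_connection((resolver, 53), timeout=5.0) as sock:
        sock.sendall(tcp_frame(build_query(name, qtype, qid)))
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return parse_response(_recv_exact(sock, length))


# Constructed responses matching the two dig outputs above (same id, flags,
# status and message size); they are not captured packets.
A_RESPONSE = (struct.pack("!HHHHHH", 29729, 0x8180, 1, 1, 0, 0)  # qr rd ra, NOERROR
              + encode_name("google.com") + struct.pack("!HH", 1, 1)
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([216, 58, 212, 174]))
NOTIMP_RESPONSE = (struct.pack("!HHHHHH", 30453, 0x8184, 1, 0, 0, 0)  # qr rd ra, NOTIMP
                   + encode_name("google.com") + struct.pack("!HH", 16, 1))

if __name__ == "__main__":
    for raw in (A_RESPONSE, NOTIMP_RESPONSE):
        print(len(raw), "bytes:", parse_response(raw))
    # Live lookup, the shape of the fix from the thread (needs network access):
    # print(query_tcp("google.com", "TXT", "1.1.1.1"))
```

Running the script offline prints the parsed form of both constructed responses: the first carries status NOERROR and one A answer, the second status NOTIMP with an empty answer section, which is exactly what dig reported. The commented `query_tcp` call performs the same TXT lookup over TCP to an explicitly named resolver, so the UDP-to-Tor forwarding path is bypassed and the query reaches a full resolver.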

@icequbes1 Thank you very much, that

$ dig +tcp @1.1.1.1 google.com txt

perfectly solves my problem!

I assumed there must be a TOR-specific resolving scheme, so I tried specifying the resolver but you are right, I need the +tcp option.

fya: I also tried Clownflare’s 1.1.1.1 and it works. It sure is ironic that their resolver allows requests from TOR while they are one of the largest TOR antagonists in the world^^