Incomplete DNS answers in sys-whonix

DNS resolution (e.g. with dig) works fine in the VMs connected to the internet directly via sys-firewall, but in VMs connected to sys-whonix I cannot request any DNS entries except A records:

user@host:~$ dig

; <<>> DiG 9.16.22-Debian <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29729
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;			IN	A


;; Query time: 105 msec
;; WHEN: Tue Jan 25 19:39:18 UTC 2022
;; MSG SIZE  rcvd: 44

user@host:~$ dig txt

; <<>> DiG 9.16.22-Debian <<>> txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 30453
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; WARNING: EDNS query returned status NOTIMP - retry with '+noedns'

;			IN	TXT

;; Query time: 0 msec
;; WHEN: Tue Jan 25 19:39:22 UTC 2022
;; MSG SIZE  rcvd: 28

Apparently, the request is answered by some DNS server that does not implement (NOTIMP) anything other than requests for A records.

Any idea what is going on here or how to fix it? I really want to fetch some TXT sections…

What you’ve experienced is a limitation of the Tor network, which whonix-gw utilizes.

Tor does not support the UDP protocol. DNS by default uses UDP. tor gets around this by having something forward DNS requests sent to UDP port 53 on to tor, which translates that request into a “tor-specific” protocol message to a remote endpoint, instructing the endpoint to resolve the hostname and return the “A” or “AAAA” records. Other query types are not supported, and as such tor returns NOTIMP.

To get around this, you can perform dig requests using TCP, as various resolvers support DNS resolution using TCP in addition to UDP. However, you must specify the resolver explicitly.

So instead of:

$ dig txt

You’d use (forcing TCP, and using Cloudflare’s resolver):

$ dig +tcp @ txt
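As an added example (my own code, not from this thread or from Whonix), the same TCP workaround written against Python's standard library: it frames the query with the 2-byte length prefix that DNS over TCP requires, sends no EDNS OPT record, and returns the RCODE so a NOTIMP answer like the one above is recognised rather than read as an empty result. The resolver address is a parameter you supply (the thread's resolver address is not reproduced here), and `example.com` is just a placeholder name.

```python
import socket
import struct

TXT, NOTIMP = 16, 4  # QTYPE for TXT records; RCODE 4 = "Not Implemented", dig's NOTIMP

def build_query(name, qtype, txid=0x1234):
    """Wire-format DNS query: RD set, one question, no EDNS OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def _skip_name(msg, off):  # advance past a (possibly compressed) domain name
    while msg[off] and (msg[off] & 0xC0) != 0xC0:
        off += 1 + msg[off]
    return off + (2 if (msg[off] & 0xC0) == 0xC0 else 1)  # pointer is 2 bytes, root label 1

def parse_response(msg):
    """Return (rcode, list of TXT strings) from a raw DNS response message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode, off, txts = flags & 0x0F, 12, []
    for _ in range(qd):  # question section: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(an):  # answer RR: name, TYPE, CLASS, TTL, RDLENGTH, RDATA
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TXT:  # RDATA is a sequence of <length><bytes> character-strings
            p = off
            while p < off + rdlen:
                txts.append(msg[p + 1:p + 1 + msg[p]].decode("latin-1"))
                p += 1 + msg[p]
        off += rdlen
    return rcode, txts

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TCP stream early")
        buf += chunk
    return buf

def query_tcp(resolver, name, qtype=TXT, port=53, timeout=15):
    q = build_query(name, qtype)
    with socket.create_connection((resolver, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(q)) + q)  # TCP framing: 2-byte length prefix
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return parse_response(_recv_exact(sock, length))
```

Call it as `query_tcp("<resolver address>", "example.com")` from the VM behind sys-whonix; the TCP stream still leaves the Tor network at an exit relay in cleartext, so both the exit and the chosen resolver see the query.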

@icequbes1 Thank you very much, that

$ dig +tcp @ txt

perfectly solves my problem!

I assumed there must be a TOR-specific resolving scheme, so I tried specifying the resolver, but you are right, I need the +tcp option.

fya: I also tried Clownflare’s and it works. It sure is ironic that their resolver allows requests from TOR while they are one of the largest TOR antagonists in the world^^