Usually, when setting a (non-whonix) AppVM to use sys-whonix as its netvm, it is also necessary to change the nameservers in /etc/resolv.conf from the default Qubes ones (10.139.1.1 and 10.139.1.2), to the IP of your sys-whonix. Otherwise, for example opening any website in Firefox will (eventually) start to fail, due to broken DNS resolution.
However, when setting sys-cacher to use sys-whonix as its netvm, this doesn’t seem to be necessary. APT will continue to resolve the domain names of its repos just fine. Can someone please explain why? I figured the discussion might help me to understand some networking/security aspects a bit better.
It’s not necessary to change the DNS. At least I didn’t encounter this.
It definitely should not be required.
Whonix should handle DNS requests without further configuration.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
Maybe you didn’t use an AppVM with sys-whonix long enough for the DNS cache to clear. In my experience, once that happens, further DNS resolutions will fail, unless you change your /etc/resolv.conf to the IP of sys-whonix.
I can reproduce this easily.
- Create new AppVM from a normal template (not from whonix workstation). Choose one that has a web browser installed
- Confirm in the AppVM that the contents of /etc/resolv.conf are the standard Qubes ones.
- Set the AppVM to use sys-whonix as its netvm.
- Open various domain names in the browser. DNS resolution will fail.
Does Whonix run a DNS cache?
All that’s required is to forward DNS traffic through Tor network.
I couldn’t find anything in the Whonix docs on this.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
It works fine for me with app qube based on debian-12-xfce template connected to sys-whonix.
But I didn’t reinstall the whonix-gateway-17 template in a long time, maybe there was some change in the template that wasn’t present in a normal system update.
I’ll try to reinstall the whonix-gateway-17 template and try again when I have the opportunity.
Just to be clear, you are saying you’ve followed the steps I described and couldn’t reproduce this? For the record, I have been using Firefox as the web browser; maybe other browsers use a different DNS mechanism.
I’ve been able to reproduce this with minimally modified templates. If others can’t reproduce it, then I guess I should ask for help troubleshooting what is causing this on my system.
Just to be clear, I did not say any such thing. I don’t use Whonix, so I can’t follow your steps.
But I did say that I can’t find anything on this in the Whonix docs, nor do I remember seeing comment on this before; surprising if it is a common problem.
Generally Whonix questions should be directed to the Whonix Forum (this is at Patrick’s request).
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
sys-whonix intercepts all UDP port 53 traffic and redirects it to the tor daemon’s DNSPort. The destination IP address doesn’t matter.
Works for me.
Although it’s not unusual to occasionally get a crummy Tor circuit, causing DNS resolution to fail. In that case, try sending the NEWNYM signal to the tor daemon (e.g. using the New Identity button in the sys-whonix Tor control panel).
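A quick way to check the claim above that the destination IP does not matter, as an added diagnostic not taken from this thread or from Whonix: run it inside the AppVM whose netvm is sys-whonix. It sends a plain UDP/53 A query to each of the default Qubes resolver addresses and to one arbitrary, unrelated address (192.0.2.53 from the TEST-NET range, chosen here as a constructed placeholder); if sys-whonix is redirecting UDP/53 to the tor daemon's DNSPort, all three get an answer, whereas without that redirect only the real resolvers would.

```python
"""Probe whether UDP/53 queries to arbitrary resolver IPs are answered.

Behind sys-whonix every UDP/53 packet is redirected to Tor's DNSPort, so the
address the query is sent to should be irrelevant. Added example; uses only
the standard library, no external resolver library.
"""
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query (recursion desired, no EDNS) for name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_answer_count(resp: bytes, txid: int = 0x1234) -> int:
    """Return ANCOUNT if resp is a matching response with RCODE 0, else -1."""
    if len(resp) < 12:
        return -1
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F:  # id, QR bit, RCODE
        return -1
    return an

def probe(resolver_ip: str, name: str = "example.com", timeout: float = 5.0) -> int:
    """Send one query to resolver_ip:53; return answer count, or -1 on no reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (resolver_ip, 53))
            resp, _ = sock.recvfrom(512)
        except OSError:  # covers timeout and unreachable-host errors
            return -1
    return parse_answer_count(resp)

if __name__ == "__main__":
    # Default Qubes resolvers plus an arbitrary address that no resolver listens on.
    for ip in ("10.139.1.1", "10.139.1.2", "192.0.2.53"):
        count = probe(ip)
        status = f"answered ({count} RR)" if count >= 0 else "no answer"
        print(f"{ip:>12}: {status}")
```

A "no answer" for the third address while the first two succeed means UDP/53 is not being redirected and the query really went to 192.0.2.53; a failure for all three points at the Tor circuit rather than the redirect.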