Tor does not support UDP so we cannot simply redirect DNS queries to the Tor transparent proxy.

Most DNS leaks are avoided by having the system resolver query the Tor network using the DNSPort configured in torrc.

There is a concern that any application could attempt to do its own DNS resolution without using the system resolver; UDP datagrams are therefore blocked in order to prevent leaks. Another solution may be to use the Linux network filter to forward outgoing UDP datagrams to the local DNS proxy.

Tails also forbids DNS queries to RFC1918 addresses; those might indeed allow the system to learn the local network's public IP address.

resolv.conf is configured to point to the Tor DNS resolver, and we configure NetworkManager not to manage resolv.conf at all:

Some applications need to be able to do clearnet DNS resolutions, so we save the DNS configuration obtained by NetworkManager:

The following is the complete list of the applications allowed to use the clearnet DNS configuration: