Tor does not support UDP so we cannot simply redirect DNS queries to the Tor transparent proxy.

Most DNS leaks are avoided by having the system resolver query the Tor network using the DNSPort configured in torrc.

There is a concern that any application could attempt to do its own DNS resolution without using the system resolver; UDP datagrams are therefore blocked in order to prevent leaks. Another solution may be to use the Linux network filter to forward outgoing UDP datagrams to the local DNS proxy.

Tails also forbids DNS queries to RFC1918 addresses; those might indeed allow the system to learn the local network's public IP address.

An exception to the above DNS configuration is the clearnet user used to run the Unsafe Browser, which uses the DNS server provided for DHCP for resolving.

resolv.conf is configured to point to the Tor DNS resolver, and NetworkManager and dhclient are configured not to manage resolv.conf at all: