Differences between revisions 4 and 5
Revision 4 as of 2017-10-27 14:59:32
Size: 3306
Comment: Additional documented options for preventing changes to /etc/resolv.conf
Revision 5 as of 2017-10-27 15:42:31
Size: 5310
Editor: GregWooledge
Comment: clean up, expand
Line 4: Line 4:
There are several approaches to configuring the system so that /etc/resolv.conf is set by the administrator and not changed by automated means. This page documents some of the options. Ordinarily, the [[DebianMan:resolv.conf.5|resolv.conf(5)]] file is managed dynamically by various network service daemons. This is the default, and is intended for laptops and other highly mobile systems which may connect to different networks. It also works well for many desktop and server systems, so long as the network infrastructure is perfect.

For some systems, on some networks, the system administrator may wish to configure '''/etc/resolv.conf''' by hand. This leads to a conflict between the administrator's changes, and the dynamic changes performed by the network service daemons.

If you edit `resolv.conf` by hand, and need to stop daemons from overwriting your changes, this page documents some of your options.
Line 8: Line 12:
The most common daemon which overwrites `resolv.conf` is [[DebianMan:dhclient.8|dhclient(8)]] (from DebianPkg:isc-dhcp-client). In many cases, simply stopping this ''one'' daemon from touching the file will suffice.
Line 10: Line 16:
With the [[https://packages.debian.org/isc-dhcp-client|isc-dhcp-client]] package, the /etc/dhcp/dhclient.conf file can be populated with directives that will override the options sent by the DHCP server. For example, these directives will override the domain, search, and nameserver parameters that are placed into /etc/resolv.conf: The '''/etc/dhcp/dhclient.conf''' file can be populated with directives that will override the options sent by the DHCP server. For example, these directives will override the domain, search, and nameserver parameters that are placed into `/etc/resolv.conf`:
Line 18: Line 24:
Another option is to remove "domain-name, domain-name-servers, domain-search" from the request line.

The same applies for the other directives. dhclient.conf(5) lists all of the available options and their meanings.
Another option is to remove "domain-name, domain-name-servers, domain-search" from the request line. However, this only works on '''some''' networks, and not on others. If the DHCP server sends unsolicited domain-name-servers (et al.) responses, dhclient will still heed them, and will still overwrite the `resolv.conf` file.
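Review bot: The rewritten paragraph drops the pointer to dhclient.conf(5) ("dhclient.conf(5) lists all of the available options and their meanings"), which leaves the supersede directives above it without a reference. Suggest keeping a link in the style this revision uses elsewhere, for example [[DebianMan:dhclient.conf.5|dhclient.conf(5)]], next to the supersede example.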
Line 24: Line 28:
Another approach makes use of dhclient-script's hook scripts. According to dhclient-script(8): Another approach makes use of dhclient-script's hook scripts. According to [[DebianMan:dhclient-script.8|dhclient-script(8)]]:

 . When it starts, the client script first defines a shell function, make_resolv_conf , which is later used to create the /etc/resolv.conf file. To override the default behaviour, redefine this function in the enter hook script.

Therefore, we can stop dhclient from overwriting `resolv.conf` by doing the following:
Line 27: Line 35:
       When it starts, the client script first defines a shell function, make_resolv_conf , which is later used to
       create the /etc/resolv.conf file. To override the default behaviour, redefine this function in the enter
       hook script.
echo 'make_resolv_conf() { :; }' > /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
chmod 755 /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
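Review bot: The two added commands create a file that dhclient-script reads into its own shell, but the text does not say who should own that file, nor that the `>` redirect silently replaces an existing hook of the same name. Suggest one sentence stating that the commands are run as root and that the hook should stay writable by root only, which mode 755 gives when root owns the file.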
Line 31: Line 38:

The execute bit is required because dhclient-script uses [[DebianMan:run-parts.8|run-parts(8)]] to decide which files to read. For that same reason, the filename ''must not'' contain anything but letters, digits, underscores and hyphens.
Line 34: Line 43:
There are also options involving the resolvconf package itself. If you are familiar with how those options can be used to prevent unwanted changes to /etc/resolv.conf, then please contribute here. The DebianPkg:resolvconf package may be installed. When it is, it includes various configuration files for other package (such as DebianPkg:isc-dhcp-client). Specifically, resolvconf includes a file which modifies the `make_resolv_conf` shell function used by [[DebianMan:dhclient-script.8|dhclient-script(8)]].

With resolvconf installed, you can tell it to ''do nothing'' whenever some daemon tries to modify `resolv.conf`, by putting '''resolvconf=NO''' in the '''/etc/resolvconf.conf''' file. (Note: this is ''not'' the `/etc/resolv.conf` file!)
Line 38: Line 49:
This approach will render /etc/resolv.conf immutable so that it cannot be changed, regardless of what packages are installed or what tries to modify it. This approach will render `/etc/resolv.conf` immutable so that it cannot be changed, regardless of what packages are installed or what tries to modify it.
Line 40: Line 51:
----
/!\ The nameserver IP 8.8.4.4 is a DNS server from Google. If you don't trust or want to use another, insert an other ip there.
{{{
rm -f /etc/resolv.conf
editor /etc/resolv.conf
chattr +i /etc/resolv.conf
}}}
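Review bot: The added `rm -f /etc/resolv.conf` step is not explained; the sentence that follows only covers filling the file before `chattr +i`. The notes further down the page mention that the NetworkManager copy is an auto-generated symlink; if replacing a symlink with a regular file is the reason for the `rm`, say so, and mention that the system has no resolver configuration between the `rm` and saving the file in the editor.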
Line 43: Line 57:
This page describes how to lock your /etc/resolv.conf Obviously, you will need to put the appropriate content into the file ''before'' setting the immutable bit. Any time you wish to change the file, you will have to remove the bit, make your change, and then restore the bit.
Line 45: Line 59:
== /etc/resolv.conf == A consequence of making `/etc/resolv.conf` immutable is that if dhclient-script tries to change it and fails, it clutters /etc with temporary files. See DebianBug:860928 for details. The user/admin may need to periodically clean these files out of `/etc` until #860928 is fixed.
Line 72: Line 86:
A consequence of making /etc/resolv.conf immutable is that if dhclient-script tries to change it and fails, it clutters /etc with temporary files. See [[https://bugs.debian.org/860928|#860928]] for details. The user/admin may need to periodically clean these files out of /etc until #860928 is fixed. /!\ 8.8.4.4 is one of Google's [[https://developers.google.com/speed/public-dns/docs/using|public DNS resolvers]]. Use of this resolver will allow Google to track your name lookups. If this is a concern, consider running your own private resolver.


Ordinarily, the resolv.conf(5) file is managed dynamically by various network service daemons. This is the default, and is intended for laptops and other highly mobile systems which may connect to different networks. It also works well for many desktop and server systems, so long as the network infrastructure is perfect.

For some systems, on some networks, the system administrator may wish to configure /etc/resolv.conf by hand. This leads to a conflict between the administrator's changes, and the dynamic changes performed by the network service daemons.

If you edit resolv.conf by hand, and need to stop daemons from overwriting your changes, this page documents some of your options.

Configuring dhclient

The most common daemon which overwrites resolv.conf is dhclient(8) (from isc-dhcp-client). In many cases, simply stopping this one daemon from touching the file will suffice.

Modifying /etc/dhcp/dhclient.conf

The /etc/dhcp/dhclient.conf file can be populated with directives that will override the options sent by the DHCP server. For example, these directives will override the domain, search, and nameserver parameters that are placed into /etc/resolv.conf:

supersede domain-name "example.com";
supersede domain-search "example.com";
supersede domain-name-servers 127.0.0.1;

Another option is to remove "domain-name, domain-name-servers, domain-search" from the request line. However, this only works on some networks, and not on others. If the DHCP server sends unsolicited domain-name-servers (et al.) responses, dhclient will still heed them, and will still overwrite the resolv.conf file.

Using hook scripts

Another approach makes use of dhclient-script's hook scripts. According to dhclient-script(8):

  • When it starts, the client script first defines a shell function, make_resolv_conf , which is later used to create the /etc/resolv.conf file. To override the default behaviour, redefine this function in the enter hook script.

Therefore, we can stop dhclient from overwriting resolv.conf by doing the following:

echo 'make_resolv_conf() { :; }' > /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
chmod 755 /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone

The execute bit is required because dhclient-script uses run-parts(8) to decide which files to read. For that same reason, the filename must not contain anything but letters, digits, underscores and hyphens.
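
The hook mechanism described above, modelled in a scratch directory as an added example (not part of the original page, and not dhclient-script's own code). The function names `hook_is_selected`, `simulate_dhclient` and `demo` are hypothetical, the address 192.0.2.53 is a constructed stand-in for a DHCP-supplied nameserver, and nothing under /etc is touched:

```shell
#!/bin/sh
# Simplified model of how dhclient-script picks and loads enter hooks.

# Selection rule from the text: the name may contain only letters, digits,
# underscores and hyphens, and the file must have the execute bit set.
hook_is_selected() {
    name=$(basename "$1")
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ -f "$1" ] && [ -x "$1" ]
}

# Define the default make_resolv_conf, source every selected hook (which may
# redefine it), then call it. Prints the resulting file content.
simulate_dhclient() {
    hookdir=$1 target=$2
    (
        # Default behaviour: overwrite with the (constructed) DHCP value.
        make_resolv_conf() { echo "nameserver 192.0.2.53" > "$target"; }
        for hook in "$hookdir"/*; do
            if hook_is_selected "$hook"; then . "$hook"; fi
        done
        make_resolv_conf
    )
    cat "$target"
}

# demo HOOKNAME exec|noexec: build a scratch tree with a hand-written
# resolv.conf and the no-op hook under the given name, then run the model.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/hooks"
    echo "nameserver 127.0.0.1" > "$work/resolv.conf"
    echo 'make_resolv_conf() { :; }' > "$work/hooks/$1"
    [ "$2" = exec ] && chmod 755 "$work/hooks/$1"
    simulate_dhclient "$work/hooks" "$work/resolv.conf"
    rm -rf "$work"
}

demo leave_my_resolv_conf_alone exec    # hook loaded, hand-written file kept
demo leave_my_resolv_conf_alone noexec  # no execute bit, file overwritten
demo leave.my.resolv.conf exec          # dots in the name, file overwritten
```

The second and third cases are the silent failures to check for on a real system: the hook file exists but is never read, so the DHCP-supplied value still lands in the file.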

Configuring resolvconf

The resolvconf package may be installed. When it is, it includes various configuration files for other packages (such as isc-dhcp-client). Specifically, resolvconf includes a file which modifies the make_resolv_conf shell function used by dhclient-script(8).

With resolvconf installed, you can tell it to do nothing whenever some daemon tries to modify resolv.conf, by putting resolvconf=NO in the /etc/resolvconf.conf file. (Note: this is not the /etc/resolv.conf file!)

Making /etc/resolv.conf immutable

This approach will render /etc/resolv.conf immutable so that it cannot be changed, regardless of what packages are installed or what tries to modify it.

rm -f /etc/resolv.conf
editor /etc/resolv.conf
chattr +i /etc/resolv.conf

Obviously, you will need to put the appropriate content into the file before setting the immutable bit. Any time you wish to change the file, you will have to remove the bit, make your change, and then restore the bit.

A consequence of making /etc/resolv.conf immutable is that if dhclient-script tries to change it and fails, it clutters /etc with temporary files. See Debian bug #860928 for details. The user/admin may need to periodically clean these files out of /etc until #860928 is fixed.

my issues

My internet connection seems not to work. I could figure out that it affects only DNS, so my first workaround was

sh -c 'echo "nameserver 8.8.4.4" > /etc/resolv.conf'

But the networks I'm connected with didn't like my choice of nameserver, so they overwrite the resolv.conf many times.

the way forward

To get permanent peace, a mention from #debian.de/freenode.org was to use chattr +i - and I start to go.

the ultimate order

rm /var/run/NetworkManager/resolv.conf  && rm /etc/resolv.conf && sh -c 'echo "nameserver 8.8.4.4" > /etc/resolv.conf' && cat /etc/resolv.conf &&  chattr -V +i /etc/resolv.conf

/var/run/NetworkManager/resolv.conf is an auto-generated symlink (I don't know which program does it).

The 'cat' command is there to generate output and check whether it works.

The same goes for the -V in the chattr command.

/!\ 8.8.4.4 is one of Google's public DNS resolvers. Use of this resolver will allow Google to track your name lookups. If this is a concern, consider running your own private resolver.


CategoryNetwork