F17
How do I LOCK-IN nameserver in resolv.conf so it cannot be changed by Fedora?
On Sun, 05 Aug 2012 20:19:19 -0400 Jim wrote:
F17
How do I LOCK-IN nameserver in resolv.conf so it cannot be changed by Fedora?
The (or maybe "an") official way: Change every /etc/sysconfig/network-scripts/ifcfg-* file to have a line that says "PEERDNS=no" (then shutdown and reboot so it will actually see the PEERDNS setting, then modify resolv.conf after the reboot cycle).
The unofficial "big hammer" way:
chattr +i /etc/resolv.conf
That makes the file immutable so even root can't change it.
On 08/06/2012 08:19 AM, Jim wrote:
How do I LOCK-IN nameserver in resolv.conf so it cannot be changed by Fedora?
Change the IPv4 Settings Method from "Automatic (DHCP)" to "Automatic (DHCP) addresses only" if you use the GUI.
On Sun, Aug 05, 2012 at 20:19:19 -0400, Jim binarynut@comcast.net wrote:
F17
How do I LOCK-IN nameserver in resolv.conf so it cannot be changed by Fedora?
I run a local caching resolver on most of my machines, and I have found that it isn't hard to override the name server and search list while still using dhcp. It does seem hard to find out how to do this though.
I put the following in /etc/dhcp/dhclient.conf:
    supersede domain-name-servers 127.0.0.1;
    supersede domain-search "wolff.to";
    supersede host-name "laptop";
    request subnet-mask, broadcast-address, routers, interface-mtu;
Then I made symlinks from /etc/dhcp/dhclient-wlan0.conf and /etc/dhcp/dhclient-em1.conf to /etc/dhcp/dhclient.conf to make the rules apply to connections from the em1 and wlan0 interfaces. You might want to use eth0 instead of em1 if that's what your interface is named.
Doing this will probably break wifi connections that lock you down until you visit their captive web page when you authenticate and/or agree to a usage policy.
On Tue, 2012-08-07 at 12:22 -0500, Bruno Wolff III wrote:
Doing this will probably break wifi connections that lock you down until you visit their captive web page when you authenticate and/or agree to a usage policy.
And using your ISPs when they implement a similar approach (redirecting all outgoing requests to their web server on a LAN IP, instead of an internet IP) for things like authorising exceeding your download limit.
They presume all their clients use their DNS servers, and that their little trick will work without flaws.
On Sun, Aug 05, 2012 at 08:19:19PM -0400, Jim wrote:
F17
How do I LOCK-IN nameserver in resolv.conf so it cannot be changed by Fedora?
You need to be a bit more specific. "Fedora" doesn't do anything, a particular package does. For DHCP client connections (controlled/managed by dhclient) it is ORDERED by the dhcp server to configure the client in a certain way. That includes nameserver etc. You can override that with the dhclient.conf file - where you can specify to ignore certain "orders" or you can tell it to add constant definitions you want added in all cases. For instance, you may want to use your local caching nameserver instead of the one your dhcp server tells you to do - you would do that by adding "option domain-name-servers <ip addr for your local server>" to the dhclient file under the correct lease section. It's quite a bit more complex than that - check out the dhclient.conf man file and the /usr/share/docs/dhclient*/ sample files.
If you instead use static IP setup, then dhclient is not going to be used. And your /etc/resolv.conf and other changes that dhclient makes will not take place. But now you have to do a static setup either in NetworkManager or the old way in /etc/sysconfig/network-scripts (system-config-network).
Things tend to also go bad if you have multiple networks configured. I.e. your laptop has a wired network connection and a wireless connection. Both connect using dhcp and if not configured right, they are two different dhcp servers. In that case, whoever gets the IP LAST wins when it comes to /etc/resolv.conf. The solution to this is to either use the same dhcp server (tell the wireless router to turn off its dhcp server and don't use it as a router) or you need to use dhclient.conf and specifically tell it not to modify /etc/resolv.conf for one of the interfaces. And as you can figure that means if you only connect the one interface that you're telling it to ignore, well, things won't really work. For that reason I try to never use multiple interfaces where dhclient is active.
I hope this helps. The simple way is to not use dhcp - but that puts the ownership on you to configure dns, ip, masks, routing, ntp etc.
Regards Peter Larsen
On 2012/08/09 11:52, Peter Larsen wrote:
On Sun, Aug 05, 2012 at 08:19:19PM -0400, Jim wrote:
F17
How do I LOCK-IN nameserver in resolv.conf so it cannot be changed by Fedora?
You need to be a bit more specific. "Fedora" doesn't do anything, a particular package does. For DHCP client connections (controlled/managed by dhclient) it is ORDERED by the dhcp server to configure the client in a certain way. That includes nameserver etc. You can override that with the dhclient.conf file - where you can specify to ignore certain "orders" or you can tell it to add constant definitions you want added in all cases. For instance, you may want to use your local caching nameserver instead of the one your dhcp server tells you to do - you would do that by adding "option domain-name-servers <ip addr for your local server>" to the dhclient file under the correct lease section. It's quite a bit more complex than that - check out the dhclient.conf man file and the /usr/share/docs/dhclient*/ sample files.
If you instead use static IP setup, then dhclient is not going to be used. And your /etc/resolv.conf and other changes that dhclient makes will not take place. But now you have to do a static setup either in NetworkManager or the old way in /etc/sysconfig/network-scripts (system-config-network).
Things tend to also go bad if you have multiple networks configured. I.e. your laptop has a wired network connection and a wireless connection. Both connect using dhcp and if not configured right, they are two different dhcp servers. In that case, whoever gets the IP LAST wins when it comes to /etc/resolv.conf. The solution to this is to either use the same dhcp server (tell the wireless router to turn off its dhcp server and don't use it as a router) or you need to use dhclient.conf and specifically tell it not to modify /etc/resolv.conf for one of the interfaces. And as you can figure that means if you only connect the one interface that you're telling it to ignore, well, things won't really work. For that reason I try to never use multiple interfaces where dhclient is active.
I hope this helps. The simple way is to not use dhcp - but that puts the ownership on you to configure dns, ip, masks, routing, ntp etc.
Regards Peter Larsen
On the other hand he might be able to modify (or create) /etc/dhcpd/dhclient.conf to include "do-forward-updates false" flag. It looks like that might accomplish what he's looking for.
{^_^}
On Thu, Aug 09, 2012 at 12:29:18 -0700, jdow jdow@earthlink.net wrote:
On the other hand he might be able to modify (or create) /etc/dhcpd/dhclient.conf to include "do-forward-updates false" flag. It looks like that might accomplish what he's looking for.
Note that in my recent testing I found that NetworkManager does not use /etc/dhcpd/dhclient.conf. When it runs dhclient it provides a custom config file. But it will include /etc/dhcpd/dhclient-{interface_name}.conf in that file.
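An added example, not part of the thread or of any Fedora tool: a shell audit that reports which interfaces are covered by neither "PEERDNS=no" nor a per-interface "supersede domain-name-servers" file, and which name servers resolv.conf currently holds. The function names, the "root" argument and the sample tree are assumptions of this example; the per-interface path follows the /etc/dhcp/dhclient-{interface}.conf form used earlier in the thread.

```bash
#!/usr/bin/env bash
# Added example: audit the resolver pinning methods described in this thread.
# "root" is an assumption so the checks can run on a copy of /etc ("" = live system).

# True if ifcfg-<iface> sets PEERDNS=no (last assignment wins, quotes ignored).
peerdns_off() {
    local val; val=$(sed -n 's/^[[:space:]]*PEERDNS=//p' "$1/etc/sysconfig/network-scripts/ifcfg-$2" |
          tail -n 1 | tr -d "\"' \t\r" | tr 'A-Z' 'a-z')
    [ "$val" = "no" ]
}

# True if /etc/dhcp/dhclient-<iface>.conf supersedes the DHCP-supplied servers.
supersedes_dns() {
    grep -Eq '^[[:space:]]*supersede[[:space:]]+domain-name-servers[[:space:]]' "$1/etc/dhcp/dhclient-$2.conf" 2>/dev/null
}

# Print interfaces (loopback skipped) that neither method protects.
unpinned_interfaces() {
    local root=$1 f iface
    for f in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        [ -f "$f" ] || continue
        iface=${f##*/ifcfg-}
        [ "$iface" = "lo" ] && continue
        peerdns_off "$root" "$iface" || supersedes_dns "$root" "$iface" || echo "$iface"
    done
}

# Print the nameserver addresses currently in resolv.conf, space separated.
resolv_nameservers() {
    awk '$1 == "nameserver" { printf "%s%s", sep, $2; sep = " " }' "$1/etc/resolv.conf"
}

# Constructed sample tree: em1 uses PEERDNS=no, wlan0 uses supersede, eth1 uses
# neither, and resolv.conf holds a DHCP-supplied resolver (documentation address).
make_sample_root() {
    local r n; r=$(mktemp -d); n=$r/etc/sysconfig/network-scripts
    mkdir -p "$n" "$r/etc/dhcp"
    printf 'DEVICE=em1\nPEERDNS="no"\n' > "$n/ifcfg-em1"
    printf 'DEVICE=wlan0\n' > "$n/ifcfg-wlan0"
    printf 'DEVICE=eth1\nPEERDNS=yes\n' > "$n/ifcfg-eth1"
    printf 'DEVICE=lo\n' > "$n/ifcfg-lo"
    printf 'supersede domain-name-servers 127.0.0.1;\n' > "$r/etc/dhcp/dhclient-wlan0.conf"
    printf 'search example.test\nnameserver 192.0.2.53\n' > "$r/etc/resolv.conf"
    echo "$r"
}

root=$(make_sample_root)
echo "unpinned: $(unpinned_interfaces "$root"); resolv.conf: $(resolv_nameservers "$root")"
rm -rf "$root"
```

Comparing the output of `resolv_nameservers ""` on the live system with the address you intended shows whether a later lease has replaced the resolver.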