Jim | 6 Aug 2012 02:19

resolv.conf ??

F17

How do I LOCK-IN nameserver in resolv.conf so it cannot be changed by Fedora ?
--

-- 
users mailing list
users <at> lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
Tom Horsley | 6 Aug 2012 02:35

Re: resolv.conf ??

On Sun, 05 Aug 2012 20:19:19 -0400
Jim wrote:

> F17
> 
> How do I LOCK-IN nameserver in resolv.conf so it cannot be changed by 
> Fedora ?

The (or maybe "an") official way: Change every /etc/sysconfig/network-scripts/ifcfg-*
file to have a line that says "PEERDNS=no" (then shutdown and reboot so it will
actually see the PEERDNS setting, then modify resolv.conf after the reboot cycle).

The unofficial "big hammer" way:

chattr +i /etc/resolv.conf

That makes the file immutable so even root can't change it.
Ed Greshko | 6 Aug 2012 02:36

Re: resolv.conf ??

On 08/06/2012 08:19 AM, Jim wrote:
> How do I LOCK-IN nameserver in resolv.conf so it cannot be changed by Fedora ?

Change the IPv4 Settings Method from "Automatic (DHCP)" to "Automatic (DHCP) addresses only" if you use
the GUI.

-- 
Programming today is a race between software engineers striving to build bigger and better idiot-proof
programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. --
Rick Cook, The Wizardry Compiled
Bruno Wolff III | 7 Aug 2012 19:22

Re: resolv.conf ??

On Sun, Aug 05, 2012 at 20:19:19 -0400,
   Jim <binarynut <at> comcast.net> wrote:
>F17
>
>How do I LOCK-IN nameserver in resolv.conf so it cannot be changed by 
>Fedora ?

I run a local caching resolver on most of my machines, and I have found that 
it isn't hard to override the name server and search list while still using 
dhcp. It does seem hard to find out how to do this though.

I put the following in /etc/dhcp/dhclient.conf:
supersede domain-name-servers 127.0.0.1;
supersede domain-search "wolff.to";
supersede host-name "laptop";
request subnet-mask,  broadcast-address, routers, interface-mtu;

Then I made sym links from /etc/dhcp/dhclient-wlan0.conf and 
/etc/dhcp/dhclient-em1.conf to /etc/dhcp/dhclient.conf to make the rules 
apply to connections from the em1 and wlan0 interfaces. You might want to 
use eth0 instead of em1 if that's what your interface is named.

Doing this will probably break wifi connections that lock you down until 
you visit their captive web page when you authenticate and/or agree to a 
usage policy.
Tim | 7 Aug 2012 20:51

Re: resolv.conf ??

On Tue, 2012-08-07 at 12:22 -0500, Bruno Wolff III wrote:
> Doing this will probably break wifi connections that lock you down
> until you visit their captive web page when you authenticate and/or
> agree to a usage policy.

And using your ISPs when they implement a similar approach (redirecting
all outgoing requests to their web server on a LAN IP, instead of an
internet IP) for things like authorising exceeding your download limit.

They presume all their clients use their DNS servers, and that their
little trick will work without flaws.

-- 
[tim <at> localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.

Peter Larsen | 9 Aug 2012 20:52

Re: resolv.conf ??

On Sun, Aug 05, 2012 at 08:19:19PM -0400, Jim wrote:
> F17
> 
> How do I LOCK-IN nameserver in resolv.conf so it cannot be changed by 
> Fedora ?

You need to be a bit more specific. "Fedora" doesn't do anything, a particular package does.
For DHCP client connections (controlled/managed by dhclient) it is ORDERED by the dhcp server
to configure the client in a certain way. That includes nameserver etc.  You can override that
with the dhclient.conf file - where you can specify to ignore certain "orders" or you can tell it 
to add constant definitions you want added in all cases. For instance, you may want to use
your local caching nameserver instead of the one your dhcp server tells you to do - you would do
that by adding "option domain-name-servers <ip addr for your local server>" to the dhclient file
under the correct lease section. It's quite more complex than that - check out the dhclient.conf 
man file and the /usr/share/docs/dhclient*/ sample files.

If you instead use static IP setup, then dhclient is not going to be used. And your /etc/resolv.conf
and other changes that dhclient makes, will not take place. But now you have to do a static
setup either in NetworkManager or the old way in /etc/sysconfig/network-scripts (system-config-network).

Things tend to also go bad if you have multiple networks configured. I.e. your laptop has a
wired network connection and a wireless connection. Both connect using dhcp and if not configured
right, they are two different dhcp servers. In that case, whoever gets the IP LAST wins when it comes
to /etc/resolv.conf. The solution to this is to either use the same dhcp server (tell the wireless
router to turn off its dhcp server and don't use it as a router) or you need to use dhclient.conf
and specifically tell it, not to modify /etc/resolv.conf for one of the interfaces. And as you can
figure that means if you only connect the one interface that you're telling it to ignore, well, things
won't really work. For that reason I try to never use multiple interfaces where dhclient is active.

I hope this helps. The simple way is to not use dhcp - but that puts the ownership on you to configure
dns, ip, masks, routing, ntp etc. 

Regards
  Peter Larsen

jdow | 9 Aug 2012 21:29

Re: resolv.conf ??

On 2012/08/09 11:52, Peter Larsen wrote:
> On Sun, Aug 05, 2012 at 08:19:19PM -0400, Jim wrote:
>> F17
>>
>> How do I LOCK-IN nameserver in resolv.conf so it cannot be changed by
>> Fedora ?
>
> You need to be a bit more specific. "Fedora" doesn't do anything, a particular package does.
> For DHCP client connections (controlled/managed by dhclient) it is ORDERED by the dhcp server
> to configure the client in a certain way. That includes nameserver etc.  You can override that
> with the dhclient.conf file - where you can specify to ignore certain "orders" or you can tell it
> to add constant definitions you want added in all cases. For instance, you may want to use
> your local caching nameserver instead of the one your dhcp server tells you to do - you would do
> that by adding "option domain-name-servers <ip addr for your local server>" to the dhclient file
> under the correct lease section. It's quite more complex than that - check out the dhclient.conf
> man file and the /usr/share/docs/dhclient*/ sample files.
>
> If you instead use static IP setup, then dhclient is not going to be used. And your /etc/resolv.conf
> and other changes that dhclient makes, will not take place. But now you have to do a static
> setup either in NetworkManager or the old way in /etc/sysconfig/network-scripts (system-config-network).
>
> Things tend to also go bad if you have multiple networks configured. I.e. your laptop has a
> wired network connection and a wireless connection. Both connect using dhcp and if not configured
> right, they are two different dhcp servers. In that case, whoever gets the IP LAST wins when it comes
> to /etc/resolv.conf. The solution to this is to either use the same dhcp server (tell the wireless
> router to turn off its dhcp server and don't use it as a router) or you need to use dhclient.conf
> and specifically tell it, not to modify /etc/resolv.conf for one of the interfaces. And as you can
> figure that means if you only connect the one interface that you're telling it to ignore, well, things
> won't really work. For that reason I try to never use multiple interfaces where dhclient is active.
>
> I hope this helps. The simple way is to not use dhcp - but that puts the ownership on you to configure
> dns, ip, masks, routing, ntp etc.
>
> Regards
>    Peter Larsen
>

On the other hand he might be able to modify (or create) 
/etc/dhcpd/dhclient.conf to include "do-forward-updates false" flag. It looks 
like that might accomplish what he's looking for.

{^_^}
Bruno Wolff III | 9 Aug 2012 22:25

Re: resolv.conf ??

On Thu, Aug 09, 2012 at 12:29:18 -0700,
   jdow <jdow <at> earthlink.net> wrote:
>
>On the other hand he might be able to modify (or create) 
>/etc/dhcpd/dhclient.conf to include "do-forward-updates false" flag. 
>It looks like that might accomplish what he's looking for.

Note that in my recent testing I found that NetworkManager does not use 
/etc/dhcpd/dhclient.conf. When it runs dhclient it provides a custom 
config file. But it will include /etc/dhcpd/dhclient-{interface_name}.conf 
in that file.
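
An audit of the settings discussed in this thread (PEERDNS=no in the ifcfg-* files, a supersede line in the per-interface dhclient file, and the resulting resolv.conf), as an added example that is not part of any poster's message. The function names and the sample tree are constructed for illustration; the directories are parameters, so it can be pointed at a copy of the real configuration.

```shell
#!/bin/sh
# Added example: audit the settings from this thread that stop DHCP from
# replacing the name server. Directories are parameters so it can run on a copy.

# Print each ifcfg-* file in directory $1 that does not end up with PEERDNS=no.
ifcfg_missing_peerdns() {
    for f in "$1"/ifcfg-*; do
        [ -f "$f" ] || continue
        # Last assignment wins; strict match on the literal value "no".
        val=$(sed -n 's/^[[:space:]]*PEERDNS=//p' "$f" | tail -n 1 | tr -d "\"' ")
        [ "$val" = "no" ] || printf '%s\n' "${f##*/}"
    done
}

# Print the name servers forced by "supersede" in $1/dhclient-$2.conf
# (the per-interface file); prints nothing if the DHCP offer would be used.
iface_dns_override() {
    conf="$1/dhclient-$2.conf"
    [ -f "$conf" ] || return 0
    sed -n 's/^[[:space:]]*supersede[[:space:]]\{1,\}domain-name-servers[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$conf"
}

# Succeed only if resolv.conf $1 has name servers and all of them equal $2.
resolv_pinned_to() {
    servers=$(awk '$1 == "nameserver" { print $2 }' "$1")
    [ -n "$servers" ] || return 1
    [ -z "$(printf '%s\n' "$servers" | grep -vxF "$2")" ]
}

# Constructed sample tree (not from the thread) so the audit runs offline.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'DEVICE=em1\nBOOTPROTO=dhcp\nPEERDNS=no\n' > "$demo/ifcfg-em1"
printf 'DEVICE=wlan0\nBOOTPROTO=dhcp\n' > "$demo/ifcfg-wlan0"
printf 'supersede domain-name-servers 127.0.0.1;\n' > "$demo/dhclient-em1.conf"
printf 'search wolff.to\nnameserver 127.0.0.1\n' > "$demo/resolv.conf"

echo "ifcfg files without PEERDNS=no: $(ifcfg_missing_peerdns "$demo")"
for ifc in em1 wlan0; do
    echo "$ifc supersede: $(iface_dns_override "$demo" "$ifc")"
done
resolv_pinned_to "$demo/resolv.conf" 127.0.0.1 && echo "resolv.conf pinned"
```

In the sample tree wlan0 is reported on both checks, which is the multi-interface case raised earlier in the thread: a lease on that interface could still replace the name server.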
