forbid dhclient changing resolv.conf

Discussion in 'General' started by nekoexmachina, Jun 21, 2010.

  1. nekoexmachina

    nekoexmachina New Member

    Messages:
    312
    Likes Received:
    0
    How do i forbid resolv.conf change by dhclient on boot?
     
  2. anomie

    anomie New Member

    Messages:
    783
    Likes Received:
    0
    You can deduce the needed options from dhclient.conf(5) (and its related documentation), or you can make resolv.conf system immutable using chflags(1). ;)
     
  3. nekoexmachina

    nekoexmachina New Member

    Messages:
    312
    Likes Received:
    0
    Thank you. Solved.
     
  4. SirDice

    SirDice Moderator Staff Member Moderator

    Messages:
    17,365
    Likes Received:
    0
    Create a file called /etc/dhclient-enter-hooks and add this:
    Code:
    add_new_resolv_conf() {
            # We don't want /etc/resolv.conf changed
            # So this is an empty function
            return 0
    }
    
    That will prevent /etc/resolv.conf being overwritten as it 'overloads' the function of dhclient.
     
  5. tzoi516

    tzoi516 Member

    Messages:
    366
    Likes Received:
    0
    Is this still necessary with FreeBSD 10?
     
  6. wblock@

    wblock@ Administrator Staff Member Administrator Moderator Developer

    Messages:
    11,167
    Likes Received:
    7
    Only if the DHCP server is handing out the wrong DNS server addresses.
     
  7. tzoi516

    tzoi516 Member

    Messages:
    366
    Likes Received:
    0
    The DHCP server is passing the ISP server addresses, which are fine for most workstations on the network. However, for a couple laptops, security-wise, I need to keep them static.
     
  8. SirDice

    SirDice Moderator Staff Member Moderator

    Messages:
    17,365
    Likes Received:
    0
    Yes, you still need it on FreeBSD 10.0. There are no changes in this respect with the previous versions.
     
  9. tzoi516

    tzoi516 Member

    Messages:
    366
    Likes Received:
    0
    Would this be a better solution?
    Code:
    chflags schg /etc/resolv.conf
     
  10. jrm

    jrm Member

    Messages:
    778
    Likes Received:
    0
    Another option is to tell dhclient what not to mess with in /etc/resolv.conf by putting something like this in /etc/dhclient.conf:
    Code:
    supersede domain-name-servers 127.0.0.1;
    supersede domain-name "mydomain.org";
    
     
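    The two mechanisms above, the add_new_resolv_conf() override in /etc/dhclient-enter-hooks (post 4) and the supersede option in /etc/dhclient.conf (post 10), as an added sh model of the order in which dhclient and dhclient-script apply them. This is illustration code, not the real dhclient-script; every path is an assumption inside a temp dir so it runs unprivileged on any system.

    ```shell
    #!/bin/sh
    # Model of how dhclient(8)/dhclient-script(8) decide what lands in resolv.conf.
    # Constructed for illustration only; it is not the real dhclient-script.
    # All paths are assumptions inside a temp dir, so it runs unprivileged.
    WORK=$(mktemp -d)
    RESOLV="$WORK/resolv.conf"

    reset_static() { printf 'nameserver 127.0.0.1\n' > "$RESOLV"; }  # what we want kept

    # dhclient(8) applies "supersede" from dhclient.conf before running the script:
    # modelled by replacing the offered server when the option is present.
    # $1 = dhclient.conf path (may be absent), $2 = server from the DHCP offer
    lease_dns() {
        s=$(sed -n 's/^[[:space:]]*supersede domain-name-servers[[:space:]]*\([^;]*\);.*/\1/p' "$1" 2>/dev/null)
        printf '%s\n' "${s:-$2}"
    }

    # One dhclient-script run, in a subshell so functions sourced from the hooks
    # file cannot leak into the next run.
    # $1 = $reason, $2 = enter-hooks path (may be absent), $3 = DNS server in the lease
    dhclient_script_model() (
        reason=$1 hooks=$2 new_domain_name_servers=$3
        # Default action, as in the real script: rewrite resolv.conf from the lease.
        add_new_resolv_conf() {
            printf 'nameserver %s\n' "$new_domain_name_servers" > "$RESOLV"
        }
        # The real script sources the enter hooks here, after its own definitions,
        # which is why a hook can redefine add_new_resolv_conf.
        if [ -f "$hooks" ]; then . "$hooks"; fi
        case $reason in
            BOUND|RENEW|REBIND|REBOOT) add_new_resolv_conf ;;
        esac
        sed -n 's/^nameserver //p' "$RESOLV"    # report what is now configured
    )

    # Three scenarios, each returning the nameserver left in resolv.conf.
    unprotected() { reset_static; dhclient_script_model BOUND "$WORK/none" 192.0.2.53; }
    with_hook() {
        reset_static
        cat > "$WORK/dhclient-enter-hooks" <<'EOF'
add_new_resolv_conf() {
    # We don't want /etc/resolv.conf changed, so this is an empty function
    return 0
}
EOF
        dhclient_script_model BOUND "$WORK/dhclient-enter-hooks" 192.0.2.53
    }
    with_supersede() {
        reset_static
        printf 'supersede domain-name-servers 127.0.0.1;\n' > "$WORK/dhclient.conf"
        dhclient_script_model BOUND "$WORK/none" "$(lease_dns "$WORK/dhclient.conf" 192.0.2.53)"
    }
    ```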
  11. kpa

    kpa Member

    Messages:
    3,993
    Likes Received:
    5
    No, the configuration file is there to be edited. Use it.
     
  12. tzoi516

    tzoi516 Member

    Messages:
    366
    Likes Received:
    0
    I got the idea from the BSD Now DNS Crypt tutorial, and that was done. Thought it would apply to this as well.
     
  13. wblock@

    wblock@ Administrator Staff Member Administrator Moderator Developer

    Messages:
    11,167
    Likes Received:
    7
    That's what I used to do. It still seems simpler to me than adding the dhclient() function. Usage depends on context, though.
     
  14. ericx

    ericx New Member

    Messages:
    15
    Likes Received:
    0
    OS: FreeBSD 10.0-RELEASE-p5

    I've implemented a replacement add_new_resolv_conf() within /etc/dhclient-enter-hooks as follows:

    Code:
    $LOGGER "Loading dhclient-enter-hooks"
    
    add_new_resolv_conf() {
        # We don't want /etc/resolv.conf changed
        # So this is an empty function
        $LOGGER "Running blank add_new_resolv_conf() from dhclient-enter-hooks"
        return 0
    }
    
    What's frustrating is that while the first $LOGGER statement always appears in /var/log/daemon, the second does NOT appear upon reboot (and resolv.conf is trashed). That is to say, this hack works if you initiate dhclient by hand as root on a working command line, but it fails during boot.

    Anyone with good boot-fu able to explain why dhclient-script will load the dhclient-enter-hooks file during boot but not, in fact, actually read/implement the replacement version of add_new_resolv_conf()?

    Thank you for your time.
     
  15. SirDice

    SirDice Moderator Staff Member Moderator

    Messages:
    17,365
    Likes Received:
    0
    The script should be sourced, regardless of when or how dhclient(8) is executed. See dhclient-script(8):
    Code:
         Before taking action according to $reason, dhclient-script will check for
         the existence of /etc/dhclient-enter-hooks.  If found, it will be sourced
         (see sh(1)).  After taking action according to $reason, dhclient-script
         will check for the existence of /etc/dhclient-exit-hooks.  If found, it
         will be sourced (see sh(1)).  These hooks scripts can be used to
         dynamically modify the environment at appropriate times during the DHCP
         negotiations.
     
  16. ljboiler

    ljboiler Member

    Messages:
    151
    Likes Received:
    0
    You wouldn't happen to have a /etc/resolv.conf.save lying around, would you? There is a path in the dhclient-script logic where that file will be used to overwrite the contents of /etc/resolv.conf: lease expires (perhaps because the machine has been turned off for many hours and you're just booting it up) on the "default" (perhaps only) network interface and you have set
    Code:
    resolvconf_enable=no
    in /etc/rc.conf.

    Just a thought...
     
  17. ericx

    ericx New Member

    Messages:
    15
    Likes Received:
    0
    That's what I find so fascinating and confusing. From my console.log during boot:

    Code:
    Jul 23 20:23:54 <console.info> milicent kernel: nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    Jul 23 20:23:54 <console.info> milicent kernel: Configuring keyboard: keymap.
    Jul 23 20:23:54 <console.info> milicent kernel: Starting dhclient.
    Jul 23 20:23:54 <console.info> milicent kernel: dhclient: Loading dhclient-enter-hooks
    Jul 23 20:23:54 <console.info> milicent kernel: Starting ums0 moused.
    Jul 23 20:23:54 <console.info> milicent kernel: add net fe80::: gateway ::1
    Jul 23 20:23:54 <console.info> milicent kernel: add net ff02::: gateway ::1
    
    syslogd isn't running yet, so there is no corresponding entry in /var/log/user. You can see the one log entry written as dhclient-enter-hooks is sourced, but there is no subsequent log entry from within the replacement version of add_new_resolv_conf(), and /etc/resolv.conf is overwritten.

    Any time after boot, either regular lease renewal or manual stop/start of dhclient, dhclient-enter-hooks is sourced, the replacement version of add_new_resolv_conf() is run, two log entries appear on the console, and /etc/resolv.conf remains untouched.

    Code:
    Jul 23 21:23:51 <user.notice> milicent dhclient: Loading dhclient-enter-hooks
    Jul 23 21:23:51 <user.notice> milicent dhclient: Running blank add_new_resolv_conf() from dhclient-enter-hooks
    
    /etc/resolv.conf is only overwritten during boot. [cut to Rod Serling smoking a cigarette]
     
  18. ericx

    ericx New Member

    Messages:
    15
    Likes Received:
    0
    Thanks. None of the above.

    There is no
    Code:
    resolvconf_enable=no
    in /etc/defaults/rc.conf, so I was unaware of that flag. I will grep around and see what it does.