Solved DHCP overwrites local_unbound config

dch


In certain crappy ISP routers, the locally provided DNS resolver cannot handle DNSSEC and _srv queries, which breaks pkg(8) at bootstrap, along with many other things. As these resolvers are handed out via DHCP from the router, I need to hard-code a specific forwarder and not have DHCP overwrite it.

I'd hoped that this would suffice, but it doesn't survive the DHCP-induced breakage:

Code:
# /etc/rc.conf.d/local_unbound
local_unbound_enable="YES"
local_unbound_forwarders="8.8.8.8"

Reboot, and no luck.

I then updated resolvconf.conf to include that same forwarder, without luck:

Code:
# /etc/resolvconf.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
resolv_conf="/dev/null" # prevent updating /etc/resolv.conf
unbound_conf="/var/unbound/forward.conf"
unbound_pid="/var/run/local_unbound.pid"
unbound_service="local_unbound"
unbound_restart="service local_unbound reload"
# add this nameserver please
append_nameservers="8.8.8.8"

Now we reboot:

Code:
# /etc/unbound/forward.conf
# Generated by resolvconf

forward-zone:
   name: "."
   forward-addr: 192.168.64.1

Any ideas?

SirDice


Create /etc/dhclient-enter-hooks:
Code:
# Override dhclient-script's add_new_resolv_conf() with a no-op so the
# DHCP-provided nameservers are never written to resolv.conf.
add_new_resolv_conf() {
        return 0
}
This will prevent dhclient(8) from ever touching /etc/resolv.conf.
 

junovitch@


You can also do a /etc/dhclient.conf with something along the lines of the below:
Code:
interface "em0"
{
  supersede domain-name-servers 127.0.0.1;
}

dch

I was travelling the last week and had ample opportunity to test this while roaming across networks and tethering as well. I ended up using only this, and leaving the hook alone:

Code:
# /etc/dhclient.conf
prepend domain-name-servers 4.2.2.2;

which ensures that local_unbound has both the DHCP-provided DNS servers, to look up e.g. .local and other provided domains, and a DNSSEC capable upstream for pkg and other proper DNS tools that expect a verifiable chain to the DNS root. I'll find a less privacy-invading option later but 4.2.2.2 and 8.8.8.8 are easy to remember ;-)
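A check for the resulting forward.conf, added here as an example and not something from the thread: it parses a constructed forward.conf in the layout shown above and reports whether the hard-coded forwarder survived DHCP and whether the DHCP-provided resolvers are still alongside it (the combination the last post wants). The sample file, the function names and the exit codes are my own choices.

```sh
# Added example, not from the thread: inspect the forwarders unbound ended up
# with after dhclient and resolvconf ran. Assumes the layout shown above: a
# "forward-zone:" block whose "forward-addr:" lines carry the resolvers.

# Constructed sample: the prepended 4.2.2.2 next to the router's DHCP resolver.
SAMPLE_FORWARD_CONF='# Generated by resolvconf

forward-zone:
   name: "."
   forward-addr: 4.2.2.2
   forward-addr: 192.168.64.1
'

# list_forwarders FILE: print each forward-addr value, one per line.
list_forwarders() {
    awk '$1 == "forward-addr:" { print $2 }' "$1"
}

# has_forwarder FILE ADDR: exit 0 if ADDR is among the forwarders.
has_forwarder() {
    list_forwarders "$1" | grep -qxF "$2"
}

# check_forwarders FILE WANTED: 0 when WANTED is present and at least one
# other (DHCP-provided) forwarder remains, so local domains still resolve;
# 2 when WANTED is missing (DHCP overwrote it); 3 when only WANTED is left.
check_forwarders() {
    file=$1; wanted=$2
    if ! has_forwarder "$file" "$wanted"; then
        echo "$file: wanted forwarder $wanted is missing" >&2
        return 2
    fi
    others=$(list_forwarders "$file" | grep -vxF "$wanted" | wc -l | tr -d ' ')
    if [ "$others" -eq 0 ]; then
        echo "$file: only $wanted left, DHCP-provided resolvers are gone" >&2
        return 3
    fi
    return 0
}

# demo: write the sample to a temp file and check it for the prepended 4.2.2.2.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s' "$SAMPLE_FORWARD_CONF" > "$tmp"
    rc=0; check_forwarders "$tmp" 4.2.2.2 || rc=$?
    rm -f "$tmp"
    return $rc
}
```

On a real box, point check_forwarders at /var/unbound/forward.conf (or the path named in resolvconf.conf) after a DHCP lease renewal to see which of the two fixes actually held.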