forbid dhclient changing resolv.conf

SirDice

Create a file called /etc/dhclient-enter-hooks and add this:
Code:
add_new_resolv_conf() {
        # We don't want /etc/resolv.conf changed
        # So this is an empty function
        return 0
}


That will prevent /etc/resolv.conf being overwritten as it 'overloads' the function of dhclient.
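An expanded variant of the same hook, added here as an example and not SirDice's snippet: it still leaves /etc/resolv.conf alone, but logs the resolvers the DHCP server offered and flags any that are not on an expected list, so a lease pushing unexpected DNS servers shows up in the log. It assumes FreeBSD's dhclient-script exports $new_domain_name_servers, $interface and $reason and sets $LOGGER before sourcing the hook; the expected-server list is a constructed sample.

```shell
# /etc/dhclient-enter-hooks (added example, not the original post's code)
# Keep dhclient from rewriting /etc/resolv.conf, but record what the DHCP
# server offered so an unexpected resolver offer is visible in the log.
# Assumed: dhclient-script exports $new_domain_name_servers, $interface
# and $reason and sets $LOGGER before sourcing this file.

# Resolvers we expect the DHCP server to hand out (constructed sample).
EXPECTED_DNS="${EXPECTED_DNS:-192.0.2.53 192.0.2.54}"

# Fallback so the functions also work when run outside dhclient-script.
LOGGER="${LOGGER:-echo}"

# Return 0 if every address in $1 is listed in $EXPECTED_DNS, 1 otherwise.
check_offered_dns() {
    for _srv in $1; do
        case " $EXPECTED_DNS " in
            *" $_srv "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Overrides the function of the same name in dhclient-script, so the
# resolv.conf rewrite never happens. Always returns 0 so dhclient carries
# on configuring the interface.
add_new_resolv_conf() {
    if [ -n "$new_domain_name_servers" ]; then
        if check_offered_dns "$new_domain_name_servers"; then
            $LOGGER "$interface ($reason): offered DNS $new_domain_name_servers; keeping static /etc/resolv.conf"
        else
            $LOGGER "$interface ($reason): UNEXPECTED DNS offer $new_domain_name_servers; /etc/resolv.conf left untouched"
        fi
    fi
    return 0
}
```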
 

tzoi516

SirDice said:
Create a file called /etc/dhclient-enter-hooks and add this:
Code:
add_new_resolv_conf() {
        # We don't want /etc/resolv.conf changed
        # So this is an empty function
        return 0
}


That will prevent /etc/resolv.conf being overwritten as it 'overloads' the function of dhclient.
Is this still necessary with FreeBSD 10?
 

wblock@

Only if the DHCP server is handing out the wrong DNS server addresses.
 

tzoi516

The DHCP server is passing the ISP server addresses, which are fine for most workstations on the network. However, for a couple laptops, security-wise, I need to keep them static.
 

SirDice

Yes, you still need it on FreeBSD 10.0. There are no changes in this respect with the previous versions.
 

tzoi516

tzoi516 said:
SirDice said:
Create a file called /etc/dhclient-enter-hooks and add this:
Code:
add_new_resolv_conf() {
        # We don't want /etc/resolv.conf changed
        # So this is an empty function
        return 0
}


That will prevent /etc/resolv.conf being overwritten as it 'overloads' the function of dhclient.
Is this still necessary with FreeBSD 10?
Would this be a better solution?
Code:
chflags schg /etc/resolv.conf
 

jrm@

Another option is to tell dhclient what not to mess with in /etc/resolv.conf by putting something like this in /etc/dhclient.conf
Code:
supersede domain-name-servers 127.0.0.1;
supersede domain-name "mydomain.org";
 

kpa

tzoi516 said:
tzoi516 said:
SirDice said:
Create a file called /etc/dhclient-enter-hooks and add this:
Code:
add_new_resolv_conf() {
        # We don't want /etc/resolv.conf changed
        # So this is an empty function
        return 0
}


That will prevent /etc/resolv.conf being overwritten as it 'overloads' the function of dhclient.
Is this still necessary with FreeBSD 10?
Would this be a better solution?
Code:
chflags schg /etc/resolv.conf

No, the configuration file is there to be edited. Use it.
 

tzoi516

I got the idea from the BSD Now DNS Crypt tutorial, and that was done. Thought it would apply to this as well.
 

wblock@

That's what I used to do. It still seems simpler to me than adding the dhclient() function. Usage depends on context, though.
 

ericx

OS: FreeBSD 10.0-RELEASE-p5

I've implemented a replacement add_new_resolv_conf() within /etc/dhclient-enter-hooks as follows:

Code:
$LOGGER "Loading dhclient-enter-hooks"

add_new_resolv_conf() {
    # We don't want /etc/resolv.conf changed
    # So this is an empty function
    $LOGGER "Running blank add_new_resolv_conf() from dhclient-enter-hooks"
    return 0
}


What's frustrating is that while the first $LOGGER statement always appears in /var/log/daemon, the second does NOT appear upon reboot (and resolv.conf is trashed). That is to say, this hack works if you initiate dhclient by hand as root on a working command line, but it fails during boot.

Anyone with good boot-fu able to explain why dhclient-script will load the dhclient-enter-hooks file during boot but not, in fact, actually read/implement the replacement version of add_new_resolv_conf()?

Thank you for your time.
 

SirDice

The script should be sourced, regardless of when or how dhclient(8) is executed. See dhclient-script(8):
Code:
     Before taking action according to $reason, dhclient-script will check for
     the existence of /etc/dhclient-enter-hooks.  If found, it will be sourced
     (see sh(1)).  After taking action according to $reason, dhclient-script
     will check for the existence of /etc/dhclient-exit-hooks.  If found, it
     will be sourced (see sh(1)).  These hooks scripts can be used to dynami-
     cally modify the environment at appropriate times during the DHCP negoti-
     ations.
 

ljboiler

You wouldn't happen to have a /etc/resolv.conf.save lying around, would you? There is a path in the dhclient-script logic where that file will be used to overwrite the contents of /etc/resolv.conf: lease expires (perhaps because the machine has been turned off for many hours and you're just booting it up) on the "default" (perhaps only) network interface and you have set
Code:
resolvconf_enable=no
in /etc/rc.conf.

Just a thought...
 

ericx

SirDice said:
The script should be sourced, regardless of when or how dhclient(8) is executed. See dhclient-script(8):
Code:
     Before taking action according to $reason, dhclient-script will check for
     the existence of /etc/dhclient-enter-hooks.  If found, it will be sourced
     (see sh(1)).  After taking action according to $reason, dhclient-script
     will check for the existence of /etc/dhclient-exit-hooks.  If found, it
     will be sourced (see sh(1)).  These hooks scripts can be used to dynami-
     cally modify the environment at appropriate times during the DHCP negoti-
     ations.

That's what I find so fascinating and confusing. From my console.log during boot:

Code:
Jul 23 20:23:54 <console.info> milicent kernel: nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
Jul 23 20:23:54 <console.info> milicent kernel: Configuring keyboard: keymap.
Jul 23 20:23:54 <console.info> milicent kernel: Starting dhclient.
Jul 23 20:23:54 <console.info> milicent kernel: dhclient: Loading dhclient-enter-hooks
Jul 23 20:23:54 <console.info> milicent kernel: Starting ums0 moused.
Jul 23 20:23:54 <console.info> milicent kernel: add net fe80::: gateway ::1
Jul 23 20:23:54 <console.info> milicent kernel: add net ff02::: gateway ::1


syslogd isn't running yet, so there is no corresponding entry in /var/log/user. You can see the one log entry written as dhclient-enter-hooks is sourced, but there is no subsequent log entry from within the replacement version of add_new_resolv_conf(), and /etc/resolv.conf is overwritten.

Any time after boot, either regular lease renewal or manual stop/start of dhclient, dhclient-enter-hooks is sourced, the replacement version of add_new_resolv_conf() is run, two log entries appear on the console, and /etc/resolv.conf remains untouched.

Code:
Jul 23 21:23:51 <user.notice> milicent dhclient: Loading dhclient-enter-hooks
Jul 23 21:23:51 <user.notice> milicent dhclient: Running blank add_new_resolv_conf() from dhclient-enter-hooks


/etc/resolv.conf is only overwritten during boot. [cut to Rod Serling smoking a cigarette]
 

ericx

ljboiler said:
You wouldn't happen to have a /etc/resolv.conf.save lying around, would you? There is a path in the dhclient-script logic where that file will be used to overwrite the contents of /etc/resolv.conf: lease expires (perhaps because the machine has been turned off for many hours and you're just booting it up) on the "default" (perhaps only) network interface and you have set
Code:
resolvconf_enable=no
in /etc/rc.conf.

Just a thought...

Thanks. None of the above.

There is no
Code:
resolvconf_enable=no
in /etc/defaults/rc.conf, so I was unaware of that flag. I will grep around and see what it does.
 