forbid dhclient changing resolv.conf

Create a file called /etc/dhclient-enter-hooks and add this:
Code:
add_new_resolv_conf() {
        # We don't want /etc/resolv.conf changed
        # So this is an empty function
        return 0
}

That will prevent /etc/resolv.conf being overwritten as it 'overloads' the function of dhclient.
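To show why defining the function in the hook file works, here is an added model (not FreeBSD's real dhclient-script, and not code from this thread) of the relevant flow: dhclient-script defines add_new_resolv_conf, sources the enter-hooks file, then calls the function. Since sh function definitions are last-one-wins, the hook's definition replaces the default. Paths, the lease values and the resolv.conf contents are constructed so it runs in a scratch directory, never against /etc.

```shell
#!/bin/sh
# Model of dhclient-script (simplified, added here for illustration).
# Default behaviour: rewrite resolv.conf from the lease data.
add_new_resolv_conf() {
    printf 'search %s\nnameserver %s\n' \
        "$new_domain_name" "$new_domain_name_servers" > "$RESOLV_CONF"
    return 0
}

# $1 = resolv.conf path, $2 = enter-hooks path (may not exist).
run_dhclient_script_model() {
    RESOLV_CONF=$1
    ENTER_HOOKS=$2
    new_domain_name="isp.example"          # constructed lease values
    new_domain_name_servers="192.0.2.53"
    # The sourcing step described in dhclient-script(8): a function defined
    # in the sourced file replaces the one defined above.
    if [ -f "$ENTER_HOOKS" ]; then
        . "$ENTER_HOOKS"
    fi
    add_new_resolv_conf
}

# Run the model in a subshell (so the redefinition does not leak into the
# caller) against a scratch resolv.conf holding the static config we want
# kept, and print what the file contains afterwards.
resolv_conf_after() {   # $1 = enter-hooks path
    dir=$(mktemp -d)
    printf 'nameserver 127.0.0.1\n' > "$dir/resolv.conf"
    ( run_dhclient_script_model "$dir/resolv.conf" "$1" )
    cat "$dir/resolv.conf"
    rm -rf "$dir"
}

# Write the hook from the thread into a scratch file and print its path.
make_hook() {
    hook=$(mktemp)
    cat > "$hook" <<'EOF'
add_new_resolv_conf() {
        # We don't want /etc/resolv.conf changed
        # So this is an empty function
        return 0
}
EOF
    printf '%s\n' "$hook"
}
```

Without a hook the model rewrites the file with the lease's nameserver; with the hook present the static nameserver survives.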
 
Re:

SirDice said:
Create a file called /etc/dhclient-enter-hooks and add this:
Code:
add_new_resolv_conf() {
        # We don't want /etc/resolv.conf changed
        # So this is an empty function
        return 0
}

That will prevent /etc/resolv.conf being overwritten as it 'overloads' the function of dhclient.
Is this still necessary with FreeBSD 10?
 
The DHCP server is passing the ISP server addresses, which are fine for most workstations on the network. However, for a couple laptops, security-wise, I need to keep them static.
 
Yes, you still need it on FreeBSD 10.0. There are no changes in this respect with the previous versions.
 
Re: Re:

tzoi516 said:
SirDice said:
Create a file called /etc/dhclient-enter-hooks and add this:
Code:
add_new_resolv_conf() {
        # We don't want /etc/resolv.conf changed
        # So this is an empty function
        return 0
}

That will prevent /etc/resolv.conf being overwritten as it 'overloads' the function of dhclient.
Is this still necessary with FreeBSD 10?
Would this be a better solution?
Code:
chflags schg /etc/resolv.conf
 
Another option is to tell dhclient what not to mess with in /etc/resolv.conf by putting something like this in /etc/dhclient.conf:
Code:
supersede domain-name-servers 127.0.0.1;
supersede domain-name "mydomain.org";
 
Re: Re:

tzoi516 said:
tzoi516 said:
SirDice said:
Create a file called /etc/dhclient-enter-hooks and add this:
Code:
add_new_resolv_conf() {
        # We don't want /etc/resolv.conf changed
        # So this is an empty function
        return 0
}

That will prevent /etc/resolv.conf being overwritten as it 'overloads' the function of dhclient.
Is this still necessary with FreeBSD 10?
Would this be a better solution?
Code:
chflags schg /etc/resolv.conf

No, the configuration file is there to be edited. Use it.
 
I got the idea from the BSD Now DNS Crypt tutorial, and that was done. Thought it would apply to this as well.
 
OS: FreeBSD 10.0-RELEASE-p5

I've implemented a replacement add_new_resolv_conf() within /etc/dhclient-enter-hooks as follows:

Code:
$LOGGER "Loading dhclient-enter-hooks"

add_new_resolv_conf() {
    # We don't want /etc/resolv.conf changed
    # So this is an empty function
    $LOGGER "Running blank add_new_resolv_conf() from dhclient-enter-hooks"
    return 0
}

What's frustrating is that while the first $LOGGER statement always appears in /var/log/daemon, the second does NOT appear upon reboot (and resolv.conf is trashed). That is to say: this hack works if you initiate dhclient by hand as root on a working command line, but it fails during boot.

Anyone with good boot-fu able to explain why dhclient-script will load the dhclient-enter-hooks file during boot but not, in fact, actually read/implement the replacement version of add_new_resolv_conf()?

Thank you for your time.
 
The script should be sourced, regardless of when or how dhclient(8) is executed. See dhclient-script(8):
Code:
     Before taking action according to $reason, dhclient-script will check for
     the existence of /etc/dhclient-enter-hooks.  If found, it will be sourced
     (see sh(1)).  After taking action according to $reason, dhclient-script
     will check for the existence of /etc/dhclient-exit-hooks.  If found, it
     will be sourced (see sh(1)).  These hooks scripts can be used to dynami-
     cally modify the environment at appropriate times during the DHCP negoti-
     ations.
 
You wouldn't happen to have a /etc/resolv.conf.save lying around, would you? There is a path in the dhclient-script logic where that file will be used to overwrite the contents of /etc/resolv.conf: lease expires (perhaps because the machine has been turned off for many hours and you're just booting it up) on the "default" (perhaps only) network interface and you have set
Code:
resolvconf_enable=no
in /etc/rc.conf.

Just a thought...
 
SirDice said:
The script should be sourced, regardless of when or how dhclient(8) is executed. See dhclient-script(8):
Code:
     Before taking action according to $reason, dhclient-script will check for
     the existence of /etc/dhclient-enter-hooks.  If found, it will be sourced
     (see sh(1)).  After taking action according to $reason, dhclient-script
     will check for the existence of /etc/dhclient-exit-hooks.  If found, it
     will be sourced (see sh(1)).  These hooks scripts can be used to dynami-
     cally modify the environment at appropriate times during the DHCP negoti-
     ations.

That's what I find so fascinating and confusing. From my console.log during boot:

Code:
Jul 23 20:23:54 <console.info> milicent kernel: nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
Jul 23 20:23:54 <console.info> milicent kernel: Configuring keyboard: keymap.
Jul 23 20:23:54 <console.info> milicent kernel: Starting dhclient.
Jul 23 20:23:54 <console.info> milicent kernel: dhclient: Loading dhclient-enter-hooks
Jul 23 20:23:54 <console.info> milicent kernel: Starting ums0 moused.
Jul 23 20:23:54 <console.info> milicent kernel: add net fe80::: gateway ::1
Jul 23 20:23:54 <console.info> milicent kernel: add net ff02::: gateway ::1

syslogd isn't running yet; so there is no corresponding entry in /var/log/user. You can see the one log entry written as dhclient-enter-hooks is sourced; but there is no subsequent log entry from within the replacement version of add_new_resolv_conf(); and /etc/resolv.conf is overwritten.

Any time after boot, either regular lease renewal or manual stop/start of dhclient, dhclient-enter-hooks is sourced, the replacement version of add_new_resolv_conf() is run, two log entries appear on the console, and /etc/resolv.conf remains untouched.

Code:
Jul 23 21:23:51 <user.notice> milicent dhclient: Loading dhclient-enter-hooks
Jul 23 21:23:51 <user.notice> milicent dhclient: Running blank add_new_resolv_conf() from dhclient-enter-hooks

/etc/resolv.conf is only overwritten during boot. [cut to Rod Serling smoking a cigarette]
 
ljboiler said:
You wouldn't happen to have a /etc/resolv.conf.save lying around, would you? There is a path in the dhclient-script logic where that file will be used to overwrite the contents of /etc/resolv.conf: lease expires (perhaps because the machine has been turned off for many hours and you're just booting it up) on the "default" (perhaps only) network interface and you have set
Code:
resolvconf_enable=no
in /etc/rc.conf.

Just a thought...

Thanks. None of the above.

There is no
Code:
resolvconf_enable=no
in /etc/defaults/rc.conf; so I was unaware of that flag. I will grep around and see what it does.
 