Prevent local-unbound-setup from overwriting /etc/resolv.conf?

I'm wondering if there is a setting to prevent local-unbound-setup from overwriting /etc/resolv.conf. I realize that modifying the local /etc/resolv.conf is kinda the point of using unbound, but my use-case is a little different. I want to have unbound running on port 5335, and I can configure this in the unbound.conf settings. However, when local-unbound-setup runs, it writes 127.0.0.1 to /etc/resolv.conf, which doesn't actually use the unbound service. There doesn't seem to be a way to specify ports in /etc/resolv.conf, so it uses 53 by default.

The reason for having unbound on port 5335 is so that I can run a DNS proxy (Blocky) on port 53, and configure it to use the unbound server on port 5335 to be its upstream resolver.

A messy way to work around this problem would be to edit /etc/rc.d/local_unbound and remove the function that runs local-unbound-setup, but I don't think it's a good idea to mess with RC scripts. Or I can create a separate script that gets activated after local_unbound is started that simply removes /etc/resolv.conf and replaces it with my own version.

It seems local-unbound-setup uses /var/unbound/unbound.conf for its configuration settings. I've perused the unbound documentation and haven't found any setting to turn off resolvconf. I can't edit /etc/resolvconf.conf because those changes will be overwritten by local-unbound-setup.
 
Hi,

resolvconf.conf(5)
Code:
RESOLVCONF OPTIONS
     resolvconf
             Set to NO to disable resolvconf from running any subscribers.
             Defaults to YES.

Code:
% local-unbound-setup -h
destination:
Illegal option -h
usage: local-unbound-setup [options] [forwarder ...]
options:
    -n          do not start unbound
    -a path     full path to trust anchor file
    -C path     full path to additional configuration directory
    -c path     full path to unbound configuration file
    -f path     full path to forwarding configuration
    -O path     full path to remote control socket
    -o path     full path to remote control configuration
    -p path     full path to pid file
    -R path     full path to resolvconf.conf
    -r path     full path to resolv.conf
    -s service  name of unbound service
    -u user     user to run unbound as
    -w path     full path to working directory


I'd like to suggest using /etc/resolvconf.conf and trying to see if it still overwrites /etc/resolv.conf. I used to do this when I didn't want DHCP to overwrite /etc/resolv.conf; maybe that works for you too. If it doesn't work, try the -R flag of local-unbound-setup, but that may need editing some file.

For example:
/etc/resolvconf.conf
Code:
resolvconf=NO
 
Thanks for your reply. The problem I see with this is that /etc/resolvconf.conf is generated by local-unbound-setup, so any modifications to it will be overwritten. The only way to change the arguments to local-unbound-setup is by editing /etc/rc.d/local_unbound. I don't run local-unbound-setup manually; it's run automatically every time the local_unbound service is (re)started. There also aren't any RC conf options that allow me to set the flags to local-unbound-setup. There's local_unbound_flags, but these only apply to the service itself.

I think my best bet is to write a script that gets activated immediately after the local_unbound service is activated. This script would simply overwrite the contents of /etc/resolv.conf.
 
I currently don't know of any way to have a script be activated after and whenever an RC script is (re)started. I have to look into whether there is a way to have a drop-in sort of thing for local_unbound. Do RC scripts in /usr/local/etc/rc.d take precedence over those in /etc/rc.d? What I'm thinking is copying it there and then editing the poststart function to include something like this:
Code:
echo "nameserver 9.9.9.9" | tee /etc/resolv.conf

I suppose I can also just have a cronjob run every hour or so. It's not too often that local_unbound gets restarted, anyway.
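As an added example, not code from the thread or from FreeBSD itself: a small set of sh functions for the "script that overwrites /etc/resolv.conf after local_unbound starts" idea from this post and the earlier one. Rather than blindly piping `echo ... | tee` over the file, it first checks whether the file already names the intended resolver, and when it does need to rewrite, it writes a temp file in the same directory and renames it, so a process reading resolv.conf never sees it half-written. The target path and the resolver address are parameters; the demonstration only ever touches a scratch file created with mktemp, and the resolver 9.9.9.9 is the one used in the post above.

```shell
#!/bin/sh
# Added example (not from the thread): guard a resolv.conf against being
# reset to the loopback resolver. All paths are parameters so the functions
# can be exercised on a scratch file instead of /etc/resolv.conf.

# Print the nameserver addresses from resolv.conf-formatted text on stdin.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Exit 0 only if the resolv.conf text on stdin has exactly one nameserver
# line and it names $1; any other state (loopback, extra servers) fails.
resolv_points_only_to() {
    awk -v want="$1" '
        $1 == "nameserver" { n++; if ($2 != want) bad = 1 }
        END { exit (n == 1 && !bad) ? 0 : 1 }'
}

# Replace file $1 with a resolv.conf naming $2 as the only resolver.
# Write to a temp file beside the target and rename, so the replacement
# is atomic on the same filesystem (unlike `echo ... | tee target`).
write_resolv_conf() {
    target="$1"; ns="$2"
    tmp="${target}.tmp.$$"
    printf '# managed locally; see resolvconf.conf(5)\nnameserver %s\n' "$ns" > "$tmp" &&
    chmod 644 "$tmp" &&
    mv "$tmp" "$target"
}

# Check file $1 and repair it if needed. Prints "ok" when it already names $2
# as its only resolver, "repaired" after rewriting it; a missing file counts
# as needing repair. Suitable for a poststart hook or a periodic cron job.
ensure_resolv_conf() {
    if resolv_points_only_to "$2" < "$1" 2>/dev/null; then
        echo ok
    else
        write_resolv_conf "$1" "$2" && echo repaired
    fi
}

# Demonstration on a constructed scratch file; never touches /etc/resolv.conf.
demo() {
    scratch=$(mktemp) || return 1
    # What a resolvconf subscriber leaves behind: loopback, port 53 implied.
    printf '# Generated by resolvconf\nnameserver 127.0.0.1\n' > "$scratch"
    ensure_resolv_conf "$scratch" 9.9.9.9   # first run rewrites: "repaired"
    ensure_resolv_conf "$scratch" 9.9.9.9   # second run is a no-op: "ok"
    rm -f "$scratch"
}

demo
```

Because `ensure_resolv_conf` reports whether it had to rewrite the file, a cron job can log the "repaired" cases, which tells you how often something on the box is still resetting the resolver and is a useful signal before trusting a DNS filtering setup that depends on that file.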
 
I could be wrong, but can you try to use
Code:
-r path     full path to resolv.conf
and point it not to /etc/resolv.conf, but to some other file
 
The way I've worked around this is just having local_unbound running in a separate vnet jail listening on 0.0.0.0:53, and having Blocky use that vnet jail's IP address as its upstream resolver. I also had to add the following config option to allow devices on my LAN subnet to access unbound:
Code:
access-control: 10.0.0.0/24 allow
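Once unbound listens on 0.0.0.0:53 inside the jail, the access-control lines are what keep it from becoming an open resolver for anything that can reach that address. As an added example (not from the thread or from unbound), here is a sh function that reads access-control lines in unbound.conf syntax from stdin and reports which action a given IPv4 client would get. It assumes unbound's documented semantics, which I take from unbound.conf(5): the most specific matching prefix wins, and a client matching no entry is refused. The built-in allowance for localhost is not modeled, and the function is for reviewing a configuration offline, not a substitute for testing the running daemon.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate unbound-style access-control
# lines for one IPv4 client, so a LAN-only policy can be checked before the
# listener is exposed. Input on stdin, e.g. the server: section of unbound.conf.
# Prints the action ("allow", "refuse", ...) of the longest matching prefix,
# or "refuse" when nothing matches (unbound's default for non-local clients).
acl_action() {
    awk -v client="$1" '
    # Dotted-quad to integer; 2^32 is exact in awk arithmetic.
    function ip2int(s,  p) {
        split(s, p, ".")
        return p[1]*16777216 + p[2]*65536 + p[3]*256 + p[4]
    }
    BEGIN { c = ip2int(client); best = -1; act = "refuse" }
    $1 == "access-control:" {
        split($2, np, "/")
        net  = ip2int(np[1])
        plen = (np[2] == "") ? 32 : np[2] + 0   # bare address means /32
        shift = 2 ^ (32 - plen)                 # drop the host bits
        if (int(c / shift) == int(net / shift) && plen > best) {
            best = plen
            act  = $3
        }
    }
    END { print act }'
}

# Constructed sample policy: the LAN from the post above is allowed, a wider
# private range is explicitly refused, one host inside the LAN is denied.
SAMPLE_ACL='server:
    interface: 0.0.0.0
    access-control: 10.0.0.0/8 refuse
    access-control: 10.0.0.0/24 allow
    access-control: 10.0.0.250 deny'

# Exercise the policy with a few client addresses; a practitioner would run
# this over the real unbound.conf with addresses from outside the LAN.
for client in 10.0.0.5 10.0.0.250 10.0.1.5 192.0.2.7; do
    printf '%-12s %s\n' "$client" "$(printf '%s\n' "$SAMPLE_ACL" | acl_action "$client")"
done
```

The interesting rows are the ones outside the allowed prefix: 10.0.1.5 hits the /8 refuse entry and 192.0.2.7 matches nothing, so both get "refuse", while 10.0.0.250 shows that a more specific /32 entry overrides the /24 allow.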
 