18.04: Bionic Beaver: enforce static /etc/resolv.conf


Solution 1

A simple edit to /etc/NetworkManager/NetworkManager.conf and disabling systemd-resolved.service (as in this answer https://askubuntu.com/a/907249/719422). But that alone, while essential, does not guarantee a tamper-proof resolv.conf.

To really enforce a static /etc/resolv.conf that you know will survive restarts of any kind, you need to set the immutable attribute to it. Adding to the answer of Bastian Voigt mentioned above, you do this as SuperUser:

echo nameserver 8.8.8.8 > /etc/resolv.conf
chattr -e /etc/resolv.conf
chattr +i /etc/resolv.conf

...changing the nameserver to your chosen value. That way, you can have a really static /etc/resolv.conf.

Solution 2

According to the docs, you can write your resolv.conf to /usr/lib/systemd/resolv.conf, which is a static file that can be linked from /etc/resolv.conf. That should not be rewritten.

sudo ln -sf /usr/lib/systemd/resolv.conf /etc/resolv.conf

http://manpages.ubuntu.com/manpages/bionic/man8/systemd-resolved.service.8.html#contenttoc3

/ETC/RESOLV.CONF

Four modes of handling /etc/resolv.conf (see resolv.conf(5)) are supported:

...

A static file /usr/lib/systemd/resolv.conf is provided that lists the 127.0.0.53 DNS stub (see above) as only DNS server. This file may be symlinked from /etc/resolv.conf in order to connect all local clients that bypass local DNS APIs to systemd-resolved. This file does not contain any search domains.
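Solution 1 pins a hand-written file with the immutable attribute, and Solution 2 (and the quoted man page) explain that the stock file only forwards to the 127.0.0.53 stub. The script below is an added example, not code from either answer, the askubuntu thread or systemd: it audits a resolv.conf so you can confirm which of those states a machine is actually in. It assumes POSIX sh with grep, sed and awk; lsattr (from e2fsprogs) is optional, and when it is missing or does not apply to the filesystem the immutability check reports "unknown" instead of guessing. All function names and the usage at the bottom are this example's own.

```shell
#!/bin/sh
# Added example: audit a resolv.conf before trusting it as "static".
# Usage (example's own convention): sh check-resolv.sh /etc/resolv.conf 8.8.8.8

# 0 if PATH is a regular file and not a symlink. The 18.04 default is a link to
# systemd-resolved's stub file, and chattr +i is only useful on the real file
# you wrote, so a symlink here is treated as a finding.
resolv_is_regular_file() {
    [ -f "$1" ] && [ ! -L "$1" ]
}

# 0 if the file has a "nameserver <addr>" line for exactly the wanted address
# (dots are escaped so 8.8.8.8 does not also match 8x8x8x8).
resolv_has_nameserver() {
    esc=$(printf '%s\n' "$2" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*nameserver[[:space:]]+$esc[[:space:]]*$" "$1"
}

# 0 if lookups are still handed to the systemd-resolved stub 127.0.0.53,
# i.e. the file is the stock one rather than your own static configuration.
resolv_uses_stub() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.53([[:space:]]|$)' "$1"
}

# 0 if the immutable (i) attribute is set, 1 if it is not,
# 2 if lsattr is unavailable or cannot read flags on this filesystem.
resolv_is_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 2
    flags=$(lsattr -d "$1" 2>/dev/null | awk '{print $1}') || return 2
    [ -n "$flags" ] || return 2
    case "$flags" in
        *i*) return 0 ;;   # attribute string such as ----i---------e-------
        *)   return 1 ;;
    esac
}

# Print one line per finding; return 0 only if every check passed.
check_resolv_conf() {
    file=$1; want=$2; bad=0
    if resolv_is_regular_file "$file"; then
        echo "ok: $file is a regular file"
    else
        echo "FAIL: $file is missing or is a symlink"; bad=1
    fi
    if resolv_has_nameserver "$file" "$want"; then
        echo "ok: nameserver $want present"
    else
        echo "FAIL: nameserver $want not found"; bad=1
    fi
    if resolv_uses_stub "$file"; then
        echo "FAIL: still forwards to the 127.0.0.53 stub"; bad=1
    fi
    resolv_is_immutable "$file" && rc=0 || rc=$?
    case "$rc" in
        0) echo "ok: immutable attribute set" ;;
        1) echo "FAIL: immutable attribute not set (chattr +i)"; bad=1 ;;
        *) echo "unknown: cannot read attributes, verify +i by hand" ;;
    esac
    return "$bad"
}

# Run the audit when invoked with a path and an expected nameserver.
if [ "$#" -eq 2 ]; then
    check_resolv_conf "$1" "$2"
fi
```

Run it against /etc/resolv.conf after applying Solution 1; a "FAIL: ... is a symlink" line means the echo in that answer wrote through the link into /run rather than creating the file you meant to pin, which is why the answer's own comments stress deleting the old /etc/resolv.conf first.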

Solution 3

Best solution I've found is to prevent NetworkManager from updating /etc/resolv.conf and then creating a new /etc/resolv.conf file with a static DNS server. See https://www.ctrl.blog/entry/resolvconf-tutorial for how to do this.


Author: M K

Updated on September 18, 2022

Comments

  • M K over 1 year

    Previously, on Ubuntu 16.04, I felt betrayed when an Ubuntu update installed dnsmasq package, configured it, and gave it precedence over my own super-stable, ultra-fast, and own-configured BIND DNS server. It exactly felt as if Ubuntu hacked my workstation.

    Since I happened to be working as a system admin, this was extremely unacceptable. This was a freak-out call. This is when you go to troubleshoot a problem and in one of your steps you use dig or nslookup and you get stunned to see the lo interface replying to you. PANIC

    Is there a way to not only fix this issue, but also guarantee that /etc/resolv.conf will be tamper proof?

  • M K almost 6 years
    No, sorry. What happens when the spec changes or config method alters on Ubuntu's own willing? You know, this is the same fiasco I left Satya's corrupted dreams of an OS for. And, this is the same fiasco that Linux should be avoiding. What's wrong with resolv.conf? Why the hassle? Why try to mimic the hateful and tedious Redhat network config, in some way or another? Sorry, I will only stick to my solution.
  • Marlon over 5 years
    How do you know that your file won't simply be ignored in the future? I know that forcing the static way some apps would work and others won't. With wisbucky's solution, at least we can use the current way. I didn't see the need for them to change it either but I didn't get a vote. Someone downvoted this solution when in fact it does work and is the simplest. +1
  • M K over 5 years
    @Marlon "How do you know that your file won't simply be ignored in the future"? Because it is set immutable; and, if /etc/resolv.conf is going to be ignored, so why the fuss anyway building a framework around it?? Ignoring the file will only happen if some Ubuntu wacko decided it is useless (implementing something into interfaces file, for example!)
  • M K over 5 years
    If I wanted someone taking decisions for me, I would have gone back to the wacko Microsoft Windows, whose coders and designers and Satya above them all think they know your sake better than you do and that you have no right choosing how to run their "creation". Fuss!
  • M K over 5 years
    Why the fuss build an OS for the good of mankind, if mankind cannot enjoy running it? What the fuss is Immutable attribute if someone is going to tell me when to use it or not. This is not about "following galactic manuals of Vega", this is about freedom of choice; no one should ever pose his own rigid single-minded impulse on you. You are a being and you have rights.
  • M K over 5 years
    Steps already direct to deleting /etc/resolv.conf beforehand.
  • hfranco about 5 years
    The /etc/NetworkManager/NetworkManager.conf file does not exist in 18.04
  • M K about 5 years
    @hfranco if it does not, which I doubt, then you just create one! And, btw, if that is your case, then it is not a standard setup; your case is abnormal. I would say you mistyped while looking for it!
  • M K about 5 years
    Thanks for the spam! But you are missing the Immutable attribute, anyway!
  • Lucas Bustamante almost 5 years
    This is the only thing that worked for me on Ubuntu 18.04