Web lists-archives.com

Re: Can't find the DNS Servers


On Mon, Sep 25, 2017 at 11:33:50AM -0400, Gene Heskett wrote:
> > I mean, unless this is a laptop or a tablet or a phone or something.
> > Then it may be appropriate, because you might actually WANT your
> > resolv.conf file to be rewritten every time the wind changes
> > direction.
> >
> > For desktop machines with a static internal network configuration,
> > it's an abomination.  And unfortunately it's not the only malevolent
> > fiend trying to usurp control of your resolv.conf file.  There's also
> > dhclient, and network-manager, and systemd-resolved, and who knows
> > what else.
> >
> > See <https://www.cyberciti.biz/faq/dhclient-etcresolvconf-hooks/> for
> > some of your options.  Of course, before you can apply any of those
> > suggestions, you have to seize back control of your resolv.conf file
> > in the first place.  Make sure it's a FILE and not a symlink, and put
> > the correct content into it.  Make sure name resolution works.  Then
> > choose your favorite solution to keep the file under YOUR control.
> For me, it's a root session, and a "chattr +i resolv.conf"
> If for some reason you need to edit it later, you'll have to use the -i
> argument first. As long as that +i bit is set, it's protected from
> everything but a mke2fs.

A common misconception. Here's how a determined userspace can beat the
immutable bit:

# mkdir testetc
# touch testetc/resolv.conf
# chattr +i testetc/resolv.conf
# mv testetc/ testetc.orig
# mkdir testetc
# touch testetc/resolv.conf
# echo evil dns > testetc/resolv.conf

Of course you could try to counter that with "chattr +i /etc", but doing
*that* should break an unimaginable number of things.

If you really need immutable /etc/resolv.conf you should try the
Read-Only Root Debian - [1].

[1] https://wiki.debian.org/ReadonlyRoot
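An added example, not part of the mail above or of any Debian tooling: a small POSIX shell audit that checks a resolv.conf path the way the thread recommends (regular file, not a symlink; immutable attribute present) and records the inode of the containing directory, so a later run can notice the rename-the-directory-aside trick the mail demonstrates, which chattr +i on the file alone does not prevent. It assumes a Linux box with the e2fsprogs lsattr tool; without it the immutable check degrades to "mutable". The function names (classify_resolv, parent_inode, parent_dir_swapped, audit_resolv) are my own.

```shell
#!/bin/sh
# Added example, not from the original mail.  Audits a resolv.conf path from
# the defender's side: is it a regular file rather than a symlink, does it
# carry the immutable attribute, and has the directory that contains it been
# replaced (the mv/mkdir sequence shown in the mail)?
# Assumes Linux with e2fsprogs "lsattr"; without it the attribute check
# falls through to "mutable".

# Print one word describing the path:
#   missing | symlink | notfile | immutable | mutable
classify_resolv() {
    p="$1"
    if [ -L "$p" ]; then
        echo symlink            # resolvconf / systemd-resolved style symlink
    elif [ ! -e "$p" ]; then
        echo missing
    elif [ ! -f "$p" ]; then
        echo notfile            # directory, socket, ...
    elif command -v lsattr >/dev/null 2>&1 \
         && lsattr -d "$p" 2>/dev/null | awk '{print $1}' | grep -q 'i'; then
        echo immutable          # 'i' present in the attribute field
    else
        echo mutable
    fi
}

# Inode number of the directory containing the path (POSIX ls -di).
# chattr +i protects the file, not its parent: if /etc is renamed aside and
# a fresh /etc created, this number changes while the immutable file sits
# untouched in the renamed copy.
parent_inode() {
    ls -di "$(dirname "$1")" | awk '{print $1}'
}

# Compare a previously recorded parent inode with the current one.
# Returns 0 (true) when the directory has been replaced since the baseline.
parent_dir_swapped() {
    baseline="$1"
    path="$2"
    [ "$(parent_inode "$path")" != "$baseline" ]
}

# One-line report for a path, e.g.  audit_resolv /etc/resolv.conf
audit_resolv() {
    path="$1"
    printf '%s: %s (parent dir inode %s)\n' \
        "$path" "$(classify_resolv "$path")" "$(parent_inode "$path")"
}

if [ "$#" -gt 0 ]; then
    audit_resolv "$1"
fi
```

Run it as "sh audit.sh /etc/resolv.conf" and store the printed parent inode somewhere outside /etc (a cron job comparing it with parent_dir_swapped is enough); a changed inode means the directory was swapped even though lsattr on the old file still shows +i.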