Re: Why does resolv.conf keep changing?

On Tue 24 Oct 2017 at 03:15:30 (-0400), Roberto C. Sánchez wrote:
> On Mon, Oct 23, 2017 at 11:05:03PM -0400, Roberto C. Sánchez wrote:
> > On Mon, Oct 23, 2017 at 07:26:38PM -0500, David Wright wrote:
> > > 
> > > So if you:
> > > $ ls -l --full-time /etc/resolv.conf
> > > and then look at what happened at that precise time in /var/log/syslog
> > > or wherever your logs are being written. What took place?
> > > 
> > Most recently the problem happened at 22:29:16.419070807.  Looking in
> > all of my logs (not just syslog), the only thing that happened near that
> > time was that a host on my LAN sent a DHCPREQUEST at 22:29:07 (which the
> > DHCP server answered with a DHCPACK) and then at 22:29:58 Shorewall
> > dropped an attempt to connect to port 2433 from a host on the Internet.
> > 
> > I have already changed resolv.conf back to my preferred configuration
> > and I will check again for correlated log entries when it is changed
> > again.
> > 
> So, it happened again at 03:02:26 that resolv.conf was changed.  I
> looked in the logs and found nothing that appeared to be a close
> correlation.  There were several DHCPREQUEST/DHCPACK exchanges before
> and after, but my network has a near constant stream of such exchanges
> with no more than 3 or 4 minutes between exchanges.  It seems unlikely
> to me that the DHCPREQUEST/DHCPACK exchange could be the culprit.

Here, with resolvconf installed, resolv.conf is updated to within
one second of the DHCPREQUEST/DHCPACK exchange. I only get these
exchanges every few minutes when this laptop is misbehaving (the
wifi is flaky and the signal strength gets low). Normally it's
ten or twelve hours which I assume is when the lease expires.

> I am fairly out of ideas at this point.  Anyone?

Perhaps you could watch the file with inotifywait, and capture
a ps and maybe even a lsof listing at that moment.
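
One way to set up the inotifywait watch suggested above, as an added example that is not part of the original message. The `LOGDIR` location, the function names and the `watch` argument are assumptions; it watches the parent directory of the resolved path, because a file replaced by rename or reached through a symlink would not trigger a watch placed on `/etc/resolv.conf` itself.

```shell
#!/bin/sh
# Added example: record what is running when a watched file changes.
# WATCHED and LOGDIR are assumed defaults; override them in the environment.
WATCHED="${WATCHED:-/etc/resolv.conf}"
LOGDIR="${LOGDIR:-/var/tmp/resolv-watch}"

# snapshot FILE EVENT: append one evidence record, print the log path.
snapshot() {
    file=$1 event=$2
    mkdir -p "$LOGDIR" || return 1
    out="$LOGDIR/$(date +%Y%m%dT%H%M%S).txt"
    {
        echo "event: $event"
        echo "file:  $file"
        ls -l --full-time "$file" 2>/dev/null || ls -l "$file" 2>/dev/null || true
        echo "--- content ---"
        cat "$file" 2>/dev/null || true
        echo "--- ps ---"
        ps -eo pid,ppid,user,lstart,args 2>/dev/null || ps 2>/dev/null || true
        echo "--- lsof ---"
        if command -v lsof >/dev/null 2>&1; then
            lsof "$file" "$(dirname "$file")" 2>/dev/null || true
        else
            echo "lsof not installed"
        fi
    } >>"$out"
    echo "$out"
}

# watch_file FILE: follow symlinks, then watch the containing directory
# and react only to events that name the file.
watch_file() {
    target=$(readlink -f "$1")
    dir=$(dirname "$target") base=$(basename "$target")
    inotifywait -m -q -e close_write -e moved_to -e create -e delete \
        --format '%e %f' "$dir" |
    while read -r event name; do
        if [ "$name" = "$base" ]; then snapshot "$target" "$event"; fi
    done
}

# Run as: sh resolv-watch.sh watch   (needs inotify-tools, and root for lsof)
if [ "${1:-}" = "watch" ]; then watch_file "$WATCHED"; fi
```

A writer that exits within milliseconds may already be gone when `ps` runs, so compare the snapshot's process list with one taken at a quiet moment and look at what started just before the event.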