18.04: Bionic Beaver: enforce static /etc/resolv.conf

Previously, on Ubuntu 16.04, I felt betrayed when an Ubuntu update installed the dnsmasq package, configured it, and gave it precedence over my own super-stable, ultra-fast, self-configured BIND DNS server. It felt exactly as if Ubuntu had hacked my workstation.

Since I happened to be working as a system admin, this was completely unacceptable. This was a freak-out call: you go to troubleshoot a problem, in one of your steps you use dig or nslookup, and you are stunned to see the lo interface replying to you. PANIC

Is there a way not only to fix this issue, but also to guarantee that /etc/resolv.conf will be tamper-proof?


A simple edit to /etc/NetworkManager/NetworkManager.conf plus disabling systemd-resolved.service (as in this answer: https://askubuntu.com/a/907249/719422) fixes the first part. But that alone, while essential, does not guarantee a tamper-proof resolv.conf.

To really enforce a static /etc/resolv.conf that you know will survive restarts of any kind, you need to set the immutable attribute on it. Adding to the answer of Bastian Voigt mentioned above, you do this as root:

# On 18.04 /etc/resolv.conf is a symlink into /run; writing through it lands in /run
# and chattr cannot flag a symlink, so replace the link with a real file first
rm -f /etc/resolv.conf
echo nameserver 8.8.8.8 > /etc/resolv.conf
chattr +i /etc/resolv.conf

...changing the nameserver to your chosen value. That way, you can have a really static /etc/resolv.conf.
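The whole procedure from this answer, scripted end to end with a non-destructive check, as an added example that is not part of the original answer. It assumes the 18.04 layout (/etc/resolv.conf is a symlink into /run, NetworkManager manages the interfaces, root filesystem is ext4 so chattr works); the drop-in path /etc/NetworkManager/conf.d/90-static-dns.conf and the 192.0.2.x addresses are illustrative choices, not anything the answer prescribes. `dns=none` in the `[main]` section is NetworkManager's documented way to keep it out of resolv.conf.

```shell
#!/bin/sh
# Added example (not from the answer above): pin /etc/resolv.conf on Ubuntu
# 18.04 and verify the result. Assumptions: ext4 root filesystem (chattr needs
# it), NetworkManager managing the interfaces, and a drop-in path chosen here
# purely for illustration.

RESOLV=${RESOLV:-/etc/resolv.conf}
NM_DROPIN=${NM_DROPIN:-/etc/NetworkManager/conf.d/90-static-dns.conf}

# Render resolv.conf content: one "nameserver" line per address, no search list.
render_resolv_conf() {
    for ns in "$@"; do
        printf 'nameserver %s\n' "$ns"
    done
}

# Print the nameserver addresses a resolv.conf file actually lists, one per line.
resolv_nameservers() {
    while read -r key val rest; do
        [ "$key" = nameserver ] && printf '%s\n' "$val"
    done < "$1"
    return 0
}

# True only for a regular file that is not a symlink: a symlink into /run is
# exactly what systemd-resolved leaves behind and what chattr cannot protect.
is_regular_file() {
    [ ! -L "$1" ] && [ -f "$1" ]
}

# True if lsattr reports the immutable ('i') flag on the file (false if lsattr
# is missing or the filesystem has no attribute support).
has_immutable_bit() {
    case "$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1)" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# The procedure from the answer, in order. Must run as root.
enforce_static_resolv() {
    # 1. Tell NetworkManager to leave /etc/resolv.conf alone (dns=none in [main]).
    mkdir -p "$(dirname "$NM_DROPIN")"
    printf '[main]\ndns=none\n' > "$NM_DROPIN"
    # 2. Stop systemd-resolved so it no longer re-creates the stub symlink.
    systemctl disable --now systemd-resolved.service
    # 3. Clear any old immutable bit, replace the symlink with a real file,
    #    write the chosen servers, then lock the file.
    chattr -i "$RESOLV" 2>/dev/null || true
    rm -f "$RESOLV"
    render_resolv_conf "$@" > "$RESOLV"
    chattr +i "$RESOLV"
    systemctl restart NetworkManager.service
}

# Non-destructive check: regular file, exactly the expected servers, immutable.
verify_static_resolv() {
    path=$1; shift
    is_regular_file "$path" || { echo "$path is a symlink or missing" >&2; return 1; }
    [ "$(resolv_nameservers "$path")" = "$(printf '%s\n' "$@")" ] \
        || { echo "$path lists unexpected nameservers" >&2; return 1; }
    has_immutable_bit "$path" || { echo "$path is not immutable" >&2; return 1; }
}

# Usage, as root:
#   enforce_static_resolv 192.0.2.53 192.0.2.54
#   verify_static_resolv /etc/resolv.conf 192.0.2.53 192.0.2.54
```

Two caveats worth knowing before relying on this: the immutable bit stops root as well, so anything that tries to rewrite the file (resolvconf hooks, a DHCP client, a package postinst) fails with "Operation not permitted" until you run `chattr -i`; and `verify_static_resolv` is the check to put in a cron job or monitoring script, since the symlink coming back is the first sign that something re-enabled systemd-resolved.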


According to the docs, you can write your resolv.conf to /usr/lib/systemd/resolv.conf, which is a static file that can be linked from /etc/resolv.conf. That should not be rewritten.

sudo ln -sf /usr/lib/systemd/resolv.conf /etc/resolv.conf

http://manpages.ubuntu.com/manpages/bionic/man8/systemd-resolved.service.8.html#contenttoc3

/ETC/RESOLV.CONF

Four modes of handling /etc/resolv.conf (see resolv.conf(5)) are supported:

...

A static file /usr/lib/systemd/resolv.conf is provided that lists the 127.0.0.53 DNS stub (see above) as only DNS server. This file may be symlinked from /etc/resolv.conf in order to connect all local clients that bypass local DNS APIs to systemd-resolved. This file does not contain any search domains.


The best solution I've found is to prevent NetworkManager from updating /etc/resolv.conf and then create a new /etc/resolv.conf file with a static DNS server. See https://www.ctrl.blog/entry/resolvconf-tutorial for how to do this.