18.04: Bionic Beaver: enforce static /etc/resolv.conf
Previously, on Ubuntu 16.04, I felt betrayed when an Ubuntu update installed the dnsmasq package, configured it, and gave it precedence over my own super-stable, ultra-fast, own-configured BIND DNS server. It felt exactly as if Ubuntu had hacked my workstation.
Since I happened to be working as a system admin, this was extremely unacceptable. This was a freak-out call. This is when you go to troubleshoot a problem and in one of your steps you use dig or nslookup and you get stunned to see the lo interface replying to you. PANIC
Is there a way to not only fix this issue, but also guarantee that /etc/resolv.conf will be tamper-proof?
A simple edit to /etc/NetworkManager/NetworkManager.conf and disabling systemd-resolved.service (as in this answer https://askubuntu.com/a/907249/719422). But that alone, while essential, does not guarantee a tamper-proof resolv.conf.
To really enforce a static /etc/resolv.conf that you know will survive restarts of any kind, you need to set the immutable attribute on it. Adding to the answer of Bastian Voigt mentioned above, you do this as SuperUser:
    echo nameserver 8.8.8.8 > /etc/resolv.conf   # write the resolver you want
    chattr -e /etc/resolv.conf
    chattr +i /etc/resolv.conf                   # +i: immutable, nothing can rewrite or remove the file
...changing the nameserver to your chosen value. That way, you can have a really static /etc/resolv.conf.
According to the docs, you can write your resolv.conf to /usr/lib/systemd/resolv.conf, which is a static file that can be linked from /etc/resolv.conf. That should not be rewritten.
sudo ln -sf /usr/lib/systemd/resolv.conf /etc/resolv.conf
http://manpages.ubuntu.com/manpages/bionic/man8/systemd-resolved.service.8.html#contenttoc3
/ETC/RESOLV.CONF
Four modes of handling /etc/resolv.conf (see resolv.conf(5)) are supported:
...
A static file /usr/lib/systemd/resolv.conf is provided that lists the 127.0.0.53 DNS stub (see above) as only DNS server. This file may be symlinked from /etc/resolv.conf in order to connect all local clients that bypass local DNS APIs to systemd-resolved. This file does not contain any search domains.
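The two answers above leave /etc/resolv.conf in one of a few states: a regular file with your own nameserver (possibly immutable), or a symlink to the systemd stub file that points clients at 127.0.0.53. The following POSIX shell script is an added audit helper, not code from either answer or from systemd; it reports which state a resolv.conf-style file is in so you can confirm the change stuck after an upgrade or reboot. The function names (resolv_nameservers, resolv_mode, resolv_link, resolv_immutable, resolv_audit) are my own.

```shell
#!/bin/sh
# Added example: audit a resolv.conf-style file. Reports the nameservers it
# lists, whether it is a symlink (e.g. to /usr/lib/systemd/resolv.conf),
# whether it only points at the 127.0.0.53 systemd-resolved stub, and
# whether the immutable attribute (chattr +i) is set.

# Print every nameserver address listed in the file, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Classify the resolvers: "empty" (no nameserver line), "stub" (only the
# 127.0.0.53 systemd-resolved stub listener), or "static" (anything else).
resolv_mode() {
    ns=$(resolv_nameservers "$1")
    if [ -z "$ns" ]; then
        echo empty
        return
    fi
    non_stub=$(printf '%s\n' "$ns" | awk '$0 != "127.0.0.53" { n++ } END { print n+0 }')
    if [ "$non_stub" -eq 0 ]; then echo stub; else echo static; fi
}

# Show the symlink target, or "(regular file)" if it is not a symlink.
resolv_link() {
    if [ -L "$1" ]; then readlink "$1"; else echo "(regular file)"; fi
}

# "yes" if lsattr shows the immutable flag, "no" otherwise, "unknown" if
# lsattr is missing or the filesystem does not support attributes.
resolv_immutable() {
    command -v lsattr >/dev/null 2>&1 || { echo unknown; return; }
    attrs=$(lsattr "$1" 2>/dev/null | awk '{ print $1 }')
    case "$attrs" in
        "")  echo unknown ;;
        *i*) echo yes ;;
        *)   echo no ;;
    esac
}

# Human-readable summary; defaults to /etc/resolv.conf.
resolv_audit() {
    f=${1:-/etc/resolv.conf}
    echo "file:       $f -> $(resolv_link "$f")"
    echo "resolvers:  $(resolv_mode "$f")"
    echo "immutable:  $(resolv_immutable "$f")"
}
```

Source the file and run `resolv_audit` (or `resolv_audit /some/other/resolv.conf`); a "static"/"yes" result means the first answer's setup is in place, while "stub" with a symlink to /usr/lib/systemd/resolv.conf means the second.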
The best solution I've found is to prevent NetworkManager from updating /etc/resolv.conf and then to create a new /etc/resolv.conf file with a static DNS server. See https://www.ctrl.blog/entry/resolvconf-tutorial for how to do this.