18.04: Bionic Beaver: enforce static /etc/resolv.conf

Question

Previously, on Ubuntu 16.04, I felt betrayed when an Ubuntu update installed dnsmasq package, configured it, and gave it precedence over my own super-stable, ultra-fast, and own-configured BIND DNS server. It exactly felt as if Ubuntu hacked my workstation.

Since I happened to be working as a system admin, this was extremely unacceptable. This was a freak-out call. This is when you go to troubleshoot a problem and in one of your steps you use dig or nslookup and you get stunned to see the lo interface replying to you. PANIC

Is there a way to not only fix this issue, but also guarantee that /etc/resolv.conf will be tamper proof?

M K · Accepted Answer · 2018-06-26T17:12:26.277

A simple edit to /etc/NetworkManager/NetworkManager.conf and disabling systemd-resolved.service(as in this answer https://askubuntu.com/a/907249/719422). But that alone, while essential, does not guarantee tamper-proof resolv.conf.

To really enforce a static /etc/resolv.conf that you know will survive restarts of any kind, you need to set the immutable attribute to it. Adding to the answer of Bastian Voigt mentioned above, you do this as SuperUser:

echo nameserver 8.8.8.8 > /etc/resolv.conf
chattr -e /etc/resolv.conf
chattr +i /etc/resolv.conf

...changing the nameserver to your chosen value. That way, you can have a really static /etc/resolv.conf.

score 1 · Answer 2 · edited Jun 12 '20 at 14:37

According to the docs, you can write your resolv.conf to /usr/lib/systemd/resolv.conf, which is a static file that can be linked from /etc/resolv.conf. That should not be rewritten.

sudo ln -sf /usr/lib/systemd/resolv.conf /etc/resolv.conf

http://manpages.ubuntu.com/manpages/bionic/man8/systemd-resolved.service.8.html#contenttoc3

/ETC/RESOLV.CONF

Four modes of handling /etc/resolv.conf (see resolv.conf(5)) are supported:

...

A static file /usr/lib/systemd/resolv.conf is provided that lists the 127.0.0.53 DNS stub (see above) as only DNS server. This file may be symlinked from /etc/resolv.conf in order to connect all local clients that bypass local DNS APIs to systemd-resolved. This file does not contain any search domains.

score 1 · Answer 3 · answered Dec 17 '18 at 19:24

1

Best solution I've found is to prevent NetworkManager from updating /etc/resolv.conf and then creating a new /etc/resolv.conf file with a static DNS server. See https://www.ctrl.blog/entry/resolvconf-tutorial for how to do this.

answered Dec 17 '18 at 19:24

Scubadoo

11

score -2 · Answer 4 · answered Oct 16 '18 at 16:15

-2

The file present is a symlink to another file. Delete the file

rm /etc/resolve.conf
vim /etc resolve.conf
enter your data
:wq

The file is no longer a symlink but a persistent file.

answered Oct 16 '18 at 16:15

0n10n_

101

18.04: Bionic Beaver: enforce static /etc/resolv.conf

4 Answers4

Linked