> From: Adam Thompson <athom...@athompso.net>
> To: ken...@dcemail.com
> Received-On: Today 08:43
> Subject: Re: OS is leaking DNS
>
> dhclient(8) is writing the ISP-supplied nameservers into resolv.conf
> *before* your local options in resolv.conf.tail.

Thanks for your explanation. I did consult the man page on dhclient.conf, and owing to my lack of IT knowledge and English not being my native language, I have difficulty understanding what it states.

> You can override this behaviour in dhclient.conf(5). See the example in
> the manpage for a way to prepend or override "domain-name-servers"
> instead of using resolv.conf.tail.

I read the man page on dhclient.conf (URL: http://man.openbsd.org/OpenBSD-current/man5/dhclient.conf.5) and I am still clueless. Based on the example given on that webpage, I adapted it into two samples, which are the following:

Sample #1

    backoff-cutoff 2;
    initial-interval 1;
    link-timeout 10;
    reboot 0;
    retry 10;
    select-timeout 0;
    timeout 30;

    interface "em0" {
        # put 127.0.0.1 ahead of the DHCP-supplied servers
        prepend domain-name-servers 127.0.0.1;
        request subnet-mask, broadcast-address, routers, domain-name,
            domain-name-servers, host-name;
        require routers, subnet-mask, domain-name-servers;
    }

Sample #2

    backoff-cutoff 2;
    initial-interval 1;
    link-timeout 10;
    reboot 0;
    retry 10;
    select-timeout 0;
    timeout 30;

    interface "em0" {
        # two servers ahead of the DHCP-supplied ones; list items are comma-separated
        prepend domain-name-servers 50.116.40.226, 107.170.95.180;
        request subnet-mask, broadcast-address, routers, domain-name,
            domain-name-servers, host-name;
        require routers, subnet-mask, domain-name-servers;
    }

My questions:

(A) Sample #1 is essentially the same as resolving DNS requests via DHCP, isn't it? For a standalone computer, 127.0.0.1 resolves via the DNS resolver of my ISP, yes?

(B) In Sample #2, how is my computer able to connect to 50.116.40.226 without first going through my ISP's DNS resolver?

I am sorry if my question is somewhat noobish. I have very limited knowledge of networking and DNS resolution.

> I don't know what the OpenVPN client does to resolv.conf, but likely
> something similar.

The source code for the OpenVPN client (Community Edition) is available for inspection. The URL to download it is https://swupdate.openvpn.org/community/releases/openvpn-2.3.10.zip

> But I know its config files let you override DNS
> server settings, too, because I've had to do so myself.

Please show me how you do it. Thanks in advance.

> Override instead of appending to get the
> desired behaviour. (Netflix, I assume? <grin>)

Wrong assumption. From time to time my job requires me to work for a few weeks in an authoritarian regime where even a cursory visit to a website can get me in trouble with their laws, the penalty for which is jail time or deportation.

> Any two machines
> connected to each other (e.g. your PC and your cable modem) constitute
> "a network".

See what I mean? You yourself have shown that I am null where IT knowledge is concerned.

> Given the complexities you are causing yourself, I would suggest running
> something like dnsmasq (in ports, IIRC) as your local recursing
> nameserver, then having all three of the above components merely point
> to 127.0.0.1. Then configure dnsmasq correctly. If you have dbus (also
> in ports, *sigh*) installed and dnsmasq built with dbus control option,
> you can dynamically change its behaviour on the fly (e.g. what upstream
> nameserver to forward queries to). Or you could just restart it manually
> each time.

Terms like "local recursing nameserver" are technical jargon to me. Even if I understood what it meant, I wouldn't know how to configure the three components to point to 127.0.0.1.

By the way, which three components were you referring to? I saw only two: dhclient, nameservers.

Would you be so kind as to show me how to do the stuff you described above, viz.:

- run dnsmasq as my local recursing nameserver
- three components point to 127.0.0.1
- configure dnsmasq correctly
- how to tell if my dnsmasq is built with dbus control option
- how to dynamically change its behaviour on the fly

Thanks in advance.

Adam
http://www.DCpages.com
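A worked example added to this thread. It is not from either message and is not OpenBSD's, dnsmasq's or OpenVPN's own code; it assumes the "prepend"/"supersede" semantics documented in dhclient.conf(5), the listen-address/bind-interfaces/no-resolv/server= options of dnsmasq, and that `dnsmasq --version` prints a "Compile time options:" line. The addresses are constructed from the documentation ranges (203.0.113.0/24, 198.51.100.0/24) and em0 is taken from the samples above. The point it makes about Sample #1 is that "prepend" puts 127.0.0.1 first but keeps the ISP's servers in resolv.conf as fallbacks, so the libc resolver still reaches them as soon as 127.0.0.1 stops answering; "supersede" replaces the DHCP-supplied list instead. The leak check at the end is the test to run after dhclient (or OpenVPN, e.g. from its up script) has rewritten resolv.conf.

```sh
#!/bin/sh
# Added example for this thread; not code from either message.
# Assumptions: OpenBSD dhclient.conf(5) prepend/supersede semantics,
# dnsmasq's listen-address/bind-interfaces/no-resolv/server options,
# and a "Compile time options:" line in `dnsmasq --version` output.
# All addresses are constructed from the documentation ranges.

# Constructed stand-in for the domain-name-servers list the ISP's
# DHCP server hands out.
ISP_DNS="203.0.113.53 203.0.113.54"

# What dhclient ends up writing to resolv.conf for each directive:
#   prepend   -> your server first, ISP servers kept after it (fallbacks)
#   supersede -> your server only, ISP servers discarded
compose_resolv() {
  mode=$1
  mine=$2
  case "$mode" in
    prepend)   list="$mine $ISP_DNS" ;;
    supersede) list="$mine" ;;
    *) echo "unknown directive: $mode" >&2; return 2 ;;
  esac
  for ns in $list; do
    printf 'nameserver %s\n' "$ns"
  done
}

# Leak check: succeed (0) only if every nameserver line is loopback.
# Any other address is a resolver the libc stub falls back to when
# 127.0.0.1 does not answer, i.e. a query path that bypasses the tunnel.
resolv_leak_check() {
  leak=0
  while read -r key val rest; do
    [ "$key" = "nameserver" ] || continue
    case "$val" in
      127.0.0.1|::1) ;;
      *) echo "leak: nameserver $val" >&2; leak=1 ;;
    esac
  done < "$1"
  return $leak
}

# dhclient.conf fragment that pins resolv.conf to the local dnsmasq.
write_dhclient_conf() {
  cat > "$1" <<'EOF'
interface "em0" {
    # supersede, not prepend: drop the ISP list instead of queueing it
    supersede domain-name-servers 127.0.0.1;
}
EOF
}

# dnsmasq.conf: listen on loopback only, ignore resolv.conf (no-resolv),
# forward every query to one fixed upstream. Change server= (or use the
# dbus interface, if built in) when switching to the resolver that is
# reachable over the VPN.
write_dnsmasq_conf() {
  cat > "$1" <<'EOF'
listen-address=127.0.0.1
bind-interfaces
no-resolv
server=198.51.100.53
EOF
}

# Was dnsmasq built with dbus?  Pass it the output of `dnsmasq --version`;
# the "Compile time options:" line lists " DBus" (built in) or " no-DBus".
dnsmasq_has_dbus() {
  printf '%s\n' "$1" | grep 'Compile time options:' | grep -q '[[:space:]]DBus'
}

# Stand-alone demo: the prepend form fails the check, supersede passes.
main() {
  t=$(mktemp)
  compose_resolv prepend 127.0.0.1 > "$t"
  resolv_leak_check "$t" || echo "prepend: ISP servers still listed"
  compose_resolv supersede 127.0.0.1 > "$t"
  resolv_leak_check "$t" && echo "supersede: only 127.0.0.1 listed"
  rm -f "$t"
}
main
```

On the real machine, feed dnsmasq_has_dbus the output of `dnsmasq --version` (`dnsmasq_has_dbus "$(dnsmasq --version)"`) and run resolv_leak_check /etc/resolv.conf after every event that rewrites the file; dhclient and OpenVPN both do.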