On 2023-04-10, Kaya Saman <kayasa...@gmail.com> wrote:
>
> On 4/10/23 16:24, Daniele B. wrote:
>> Apr 10, 2023 12:52:22 Kaya Saman <kayasa...@gmail.com>:
>>
>>>>> how do I override OpenBSD's
>>>>> behavior to explicitly not use the dns servers obtained through ipcp but
>>>>> instead use the ones form the resolv.conf file?
>> My solution both for security reasons (I'm using unbound)
>> and for practical reasons (as per your concerns) is to set immutable
>> resolv.conf by chflags.
>>
>> Not the Solution but a very good workaround. Please investigate also
>> when you can take off the immutable flag too.
>>
>> I take this time to wish you all a Happy Easter and obviously
>> lots of compliments for the 54th release of the ball fish system!
>>
>
> Do you mean setting resolv.conf as ReadOnly?

immutable is different, see chflags(1) schg. Used to be popular with
FreeBSD users to make it harder to change the kernel. Can only be
reset if sysctl kern.securelevel is at a low level (usually by booting
single user). I wouldn't recommend it here.

> My resolv.conf file is fine and has the correct dns servers inside.
>
> The issue is that pppoe negotiates the dns servers through ipcp. The dns 
> servers therefore do *not* get loaded into the resolv.conf file but 
> instead show up under: ifconfig pppoe0
>
> This somehow is overriding my resolv.conf file; in other words the 
> information is *not* being used from resolv.conf and is instead being 
> used from the ipcp negotiation as part of the pppoe kernel module.
>
> The question is how to disable this behavior?

If resolvd is running (on by default) and unwind is running (off by
default), resolv.conf will point to 127.0.0.1 for unwind (with some
commented-out entries for other learned nameservers), and unwind
will normally learn forwarders from various sources including a pppoe
connection.

If resolvd is running and unwind is not running, resolvd will rewrite
resolv.conf while it's running to include nameservers learnt from
pppoe etc.

The only place most of the rest of the system looks for resolvers
is in resolv.conf so what you describe ("resolv.conf is fine") seems
unlikely. Double check what's actually in resolv.conf while pppoe is
connected?

To override learned nameservers, it depends whether you want to run
unwind on the system (used for resolution on localhost only) - if so,
use unwind.conf to set specific forwarders. If not, disable resolvd.

Check resolvd and unwind manpages for more info about what each does.
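A small script to do the check the reply above asks for (see what is actually active in resolv.conf while the pppoe link is up, and whether resolvd or unwind is running). This is an added example, not code from the thread or from OpenBSD; the sample resolv.conf text inside it is constructed, and its "# resolvd" comment markers are an assumption about how resolvd annotates the lines it manages, not verified output. The only OpenBSD-specific command it uses is rcctl, and that part is skipped on hosts where rcctl does not exist.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect a resolv.conf the way the
# reply suggests ("double check what's actually in resolv.conf while pppoe is
# connected") and report any active nameserver you did not put there yourself.
# SAMPLE_RESOLV_CONF is constructed for this example; the "# resolvd" markers
# are an assumption about how resolvd annotates lines, not verified output.

SAMPLE_RESOLV_CONF='# constructed sample, not a real file
nameserver 127.0.0.1 # resolvd
# nameserver 192.0.2.53 # resolvd: learned from pppoe0, kept commented out
nameserver 192.0.2.1 # learned from pppoe0, active
lookup file bind
'

# active_nameservers: read resolv.conf text on stdin and print the address of
# every uncommented "nameserver" line, one per line. Commented-out entries are
# skipped because the libc resolver skips them as well.
active_nameservers() {
    while IFS= read -r line; do
        case "$line" in
            '#'*|'') continue ;;
        esac
        set -- $line
        if [ "$1" = nameserver ] && [ -n "$2" ]; then
            printf '%s\n' "$2"
        fi
    done
}

# resolver_mode: "local" when every active nameserver is a loopback address
# (unwind or unbound on this host answers queries), "external" when at least
# one is not, "none" when there is no active nameserver at all.
resolver_mode() {
    mode=none
    for ns in $(active_nameservers); do
        case "$ns" in
            127.*|::1) if [ "$mode" = none ]; then mode=local; fi ;;
            *) mode=external ;;
        esac
    done
    printf '%s\n' "$mode"
}

# unexpected_nameservers EXPECTED: print the active nameservers that are not in
# the space-separated EXPECTED list (the servers you configured yourself).
# Anything printed was added by something else, e.g. resolvd from an IPCP lease.
unexpected_nameservers() {
    expected=" $1 "
    active_nameservers | while IFS= read -r ns; do
        case "$expected" in
            *" $ns "*) ;;
            *) printf '%s\n' "$ns" ;;
        esac
    done
}

# report FILE EXPECTED: run the checks on a real file and, where rcctl exists
# (OpenBSD), show whether resolvd and unwind are currently running.
report() {
    printf 'mode: %s\n' "$(resolver_mode < "$1")"
    printf 'active nameservers not in "%s":\n' "$2"
    unexpected_nameservers "$2" < "$1"
    if command -v rcctl >/dev/null 2>&1; then
        for svc in resolvd unwind; do rcctl check "$svc" || :; done
    fi
}

# Usage: sh check_resolv.sh /etc/resolv.conf "192.0.2.2 192.0.2.3"
if [ $# -ge 2 ]; then
    report "$1" "$2"
fi
```

On the constructed sample the mode comes out as "external" and 192.0.2.1 is reported as unexpected, which is exactly the situation described in the thread: a learned address is active even though the loopback entry is present. If resolvd shows as running and you do not intend to run unwind, that is the daemon writing those lines, and disabling it (rcctl disable resolvd; rcctl stop resolvd) leaves resolv.conf to you, as the reply says.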

