Thanks Stu, and everyone else who responded :-)
On 4/11/23 09:01, Stuart Henderson wrote:
> On 2023-04-10, Kaya Saman <kayasa...@gmail.com> wrote:
>> On 4/10/23 16:24, Daniele B. wrote:
>>> Apr 10, 2023 12:52:22 Kaya Saman <kayasa...@gmail.com>:
>>>> how do I override OpenBSD's
>>>> behavior to explicitly not use the dns servers obtained through ipcp but
>>>> instead use the ones from the resolv.conf file?
>>> My solution both for security reasons (I'm using unbound)
>>> and for practical reasons (as per your concerns) is to set immutable
>>> resolv.conf by chflags.
>>> Not the Solution but a very good workaround. Please investigate also
>>> when you can take off the immutable flag too.
>>> I take this time to wish you all a Happy Easter and obviously
>>> lots of compliments for the 54th release of the ball fish system!
>> Do you mean setting resolv.conf as ReadOnly?
> immutable is different, see chflags(1) schg. Used to be popular with
> FreeBSD users to make it harder to change the kernel. Can only be
> reset if sysctl kern.securelevel is at a low level (usually by booting
> single user). I wouldn't recommend it here.
Oh ok... I'll check it out - I understood file permissions?
>> My resolv.conf file is fine and has the correct dns servers inside.
>> The issue is that pppoe negotiates the dns servers through ipcp. The dns
>> servers therefore do *not* get loaded into the resolv.conf file but
>> instead show up under: ifconfig pppoe0
>> This somehow is overriding my resolv.conf file; in other words the
>> information is *not* being used from resolv.conf and is instead being
>> used from the ipcp negotiation as part of the pppoe kernel module.
>> The question is how to disable this behavior?
> If resolvd is running (on by default) and unwind is running (off by
> default), resolv.conf will point to 127.0.0.1 for unwind (with some
> commented-out entries for other learned nameservers), and unwind
> will normally learn forwarders from various sources including a pppoe
> connection.
> If resolvd is running and unwind is not running, resolvd will rewrite
> resolv.conf while it's running to include nameservers learnt from
> pppoe etc.
> The only place most of the rest of the system looks for resolvers
> is in resolv.conf so what you describe ("resolv.conf is fine") seems
> unlikely. Double check what's actually in resolv.conf while pppoe is
> connected?
> To override learned nameservers, it depends whether you want to run
> unwind on the system (used for resolution on localhost only) - if so,
> use unwind.conf to set specific forwarders. If not, disable resolvd.
> Check resolvd and unwind manpages for more info about what each does.
Perhaps I wasn't clear and confused everyone?
In the meantime I read both manpages of resolv.conf and unwind.
As far as I can understand unwind points to a remote resolver unless
something goes wrong where it then looks for one defined locally.
In my resolv.conf I have 3x local dns servers (same subnet I know.... I
know....) defined:
x.x.x.1
x.x.x.2
x.x.x.3
*but* my system was using:
A.A.A.1
A.A.A.2
from my ISP which it acquired through ipcp from pppoe.
Possibly this behavior started while I messed with things and performed
a: sh /etc/netstart pppoe0
Nothing got written to resolv.conf but the system was using the isp
acquired servers.
I ran a quick test of unwind and popped: x.x.x.1 into it. Nothing seemed
to have changed as the resolution was still being carried out on the isp
dns machines.
Re-checking resolv.conf it seemed that the isp entries had actually been
written there in the end? Does unwind do this?
I just simply deleted them and now the system works as before using my
locally defined systems.
Strange issue and behavior but solved for now. Just reconfirmed using
nslookup right now on the obsd box and all is fine :-D
Many thanks.
Kaya
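The check Stuart suggests in the quoted reply (look at what resolvd actually wrote into resolv.conf while pppoe is up, then either pin forwarders in unwind.conf or disable resolvd), as an added shell example that is not code from the thread. It assumes resolvd tags the lines it manages with a trailing `# resolvd: <source>` comment, and the resolv.conf contents below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: resolvd marks the lines it
# manages with a trailing "# resolvd: <source>" comment (source = interface
# name or "unwind"). The resolv.conf below is constructed for illustration.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
nameserver 127.0.0.1 # resolvd: unwind
#nameserver 192.0.2.53 # resolvd: pppoe0
#nameserver 192.0.2.54 # resolvd: pppoe0
nameserver 10.0.0.1
lookup file bind
EOF

# Nameservers libc will actually query: only uncommented "nameserver" lines.
active_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Nameservers resolvd learned from an interface (pppoe ipcp, dhcp, ...),
# whether it left them active or commented out: prints "<source> <address>".
learned_nameservers() {
    awk '/# resolvd: / && !/resolvd: unwind/ {
             sub(/^#/, "", $1)
             if ($1 == "nameserver") print $NF, $2
         }' "$1"
}

# unwind.conf line pinning the forwarders to the given addresses, which
# overrides whatever unwind learned from pppoe on a host that keeps unwind.
unwind_forwarders() {
    printf 'forwarder { %s }\n' "$*"
}

echo "active:";      active_nameservers "$SAMPLE"
echo "learned:";     learned_nameservers "$SAMPLE"
echo "unwind.conf:"; unwind_forwarders 10.0.0.1 10.0.0.2
# On a host that does not run unwind, the alternative Stuart names is to
# stop resolvd rewriting the file: rcctl disable resolvd; rcctl stop resolvd
```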