[conspire] Unbound and DHCP on home computer

Rick Moen rick at linuxmafia.com
Mon Dec 14 17:54:18 PST 2009


Quoting Philip Martin (phillip.martin at gmail.com):

> a quick google with the terms: networkmanager resolv.conf ubuntu
> seems to bring up a number of promising routes, ranging from disabling
> networkmanager, to preventing networkmanager from obtaining DNS
> information from DHCP to preventing networkmanager from writing to
> your resolv.conf.

Um, resolvconf.

http://en.wikipedia.org/wiki/Resolvconf
http://packages.qa.debian.org/r/resolvconf.html
http://roy.marples.name/projects/openresolv

The "openresolv" implementation of resolvconf, at least, fully
supports Unbound.  See:
http://roy.marples.name/projects/openresolv/browser/resolvconf.conf.5.in

  96	.Sh SUBSCRIBER OPTIONS
  97	openresolv ships with subscribers for the name servers
  98	.Xr dnsmasq 8 ,
  99	.Xr named 8
  100	and
  101	.Xr unbound 8 .

Just install your distro's resolvconf package (whatever it's called),
and it should notice that you have Unbound running and -- Robert's your 
father's brother -- make the DHCP client automagically keep its grubby 
paws off the "nameserver 127.0.0.1" information you wish to retain in
/etc/resolv.conf.

(Er, there is also the competing, original implementation from Debian
developer  Thomas Hood called "resolvconf", and I don't know whether it's
Unbound-aware or not.  Possibly not.[1]  If it isn't, file a bug.)


Before I heard about resolvconf software, I used to sometimes, in
frustration, fall back on that old barbarian system administration classic,
setting the immutable bit:

  $ su -  (or sudo bash, or whatever)
  # cd /etc
  # chattr +i resolv.conf
  # exit
  $

So, I recommend the barbarian approach, if needed.  Honestly.  Just
don't forget you've made the file unchangeable unless/until you've removed
the immutable bit.



> It's worth noting that running your own recursive nameserver does you
> no good security-wise if your DNS queries get hijacked by your ISP
> (ala Comcast). 

That is _not_ how Comcast's "DNS Helper" [sic] works, fortunately.  See:
http://coreygilmore.com/blog/2009/07/23/opt-out-of-comcasts-dns-helper/
http://www.dslreports.com/shownews/Comcast-DNS-Redirection-Goes-Nationwide-103762

All they're doing is making their _own_ nameservers give RFC-violating
wrong answers (similar to what OpenDNS does for non-paying customers).
They aren't interfering in traffic to/from customers' own nameservers --
unless they've started to do something new that I haven't heard about.

> If you are interested in enhancing the security of
> your DNS lookups, DNSSEC would also be a good thing to look into, even
> in its current fragmented form.

That is not relevant to, nor useful to, Roger's objective.

(By the way, IMO urging getting lost in the DNSSEC swamp onto people new
to running nameservers is not a useful or friendly thing to do,
completely aside from the fact that your suggestion is almost entirely
irrelevant to running a _recursive_ DNS server.  But, FWIW, NLnet Labs's
Unbound recursive nameserver software does fully support it.)




[1] I just got through downloading the latest source tarball from
http://ftp.debian.org/debian/pool/main/r/resolvconf/, to check.
The README file says, in part:

  HOWTO
  ~~~~
  Resolvconf works with most interface configurers in Debian
  ('(*)' below meaning "with some manual configuration"): 

     ppp
     dhcp3-client, dhcp-client, dhcpcd, pump, udhcpc
     ifupdown, laptop-net

  DNS caches:

     bind9(*), djbdns dnscache, dnsmasq, pdnsd, totd

  DNS recursing nameservers:

     bind9(*), pdns-recursor(*)

  and with any program that uses a DNS client library that consults
  /etc/resolv.conf to obtain its list of nameservers:

     the GNU C Library resolver library
     adns
     the djbdns resolver library
     FireDNS


That small roster of "DNS recursing nameservers" needs to also gain
entries for Unbound, MaraDNS, and dnscache (the recursive part of
djbdns).  I'll write to Thomas Hood, when I have a moment.
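An added example, not part of Rick's mail or of resolvconf/openresolv, that checks the two things the "barbarian approach" above hinges on: whether the first nameserver in a resolv.conf is still the local 127.0.0.1 (i.e. no DHCP client has clobbered it), and whether the immutable bit is set (so you remember to clear it before editing). The sample resolv.conf content is constructed; lsattr is only consulted when present.

```shell
#!/bin/sh
# resolv_points_local FILE
# Returns 0 if the first active "nameserver" line in FILE is 127.0.0.1,
# i.e. a DHCP client has not pushed the ISP's servers ahead of Unbound.
resolv_points_local() {
    first=$(sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    [ "$first" = "127.0.0.1" ]
}

# immutable_from_lsattr LINE
# Parses one line of lsattr(1) output, e.g. "----i--------e-- /etc/resolv.conf",
# and returns 0 if the 'i' (immutable) flag is present in the flag field.
immutable_from_lsattr() {
    flags=${1%% *}
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# resolv_is_immutable FILE
# Runs lsattr on FILE when available; returns 1 (not immutable) if lsattr is
# missing or fails (e.g. filesystem without attribute support).
resolv_is_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 1
    line=$(lsattr -d "$1" 2>/dev/null) || return 1
    immutable_from_lsattr "$line"
}

# Constructed sample: the kind of file a DHCP client leaves behind when it
# prepends the ISP's resolver to the one you wanted to keep.
SAMPLE=$(mktemp)
printf '# generated by dhclient\nnameserver 192.0.2.53\nnameserver 127.0.0.1\n' > "$SAMPLE"
if resolv_points_local "$SAMPLE"; then
    echo "$SAMPLE: local resolver is first"
else
    echo "$SAMPLE: clobbered, 127.0.0.1 is not the first nameserver"
fi
if resolv_is_immutable "$SAMPLE"; then
    echo "$SAMPLE: immutable bit set (clear it with chattr -i before editing)"
else
    echo "$SAMPLE: immutable bit not set"
fi
rm -f "$SAMPLE"
```

Point the functions at /etc/resolv.conf to check the real file; the immutable bit needs chattr/lsattr on an ext-style filesystem.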
