[conspire] Unbound and DHCP on home computer
rick at linuxmafia.com
Mon Dec 14 17:54:18 PST 2009
Quoting Philip Martin (phillip.martin at gmail.com):
> a quick google with the terms: networkmanager resolve.conf ubuntu
> seems to bring up a number of promising routes, ranging from disabling
> networkmanager, to preventing networkmanager from obtaining DNS
> information from DHCP to preventing networkmanager from writing to
> your resolve.conf.
The "openresolv" implementation of resolvconf, at least, fully
supports Unbound. See:
    .Sh SUBSCRIBER OPTIONS
    openresolv ships with subscribers for the name servers
    .Xr dnsmasq 8 ,
    .Xr named 8
    .Xr unbound 8 .
Just install your distro's resolvconf package (whatever it's called),
and it should notice that you have Unbound running and -- Robert's your
father's brother -- make the DHCP client automagically keep its grubby
paws off the "nameserver 127.0.0.1" information you wish to retain in
(Er, there is also the competing, original implementation from Debian
developer Thomas Hood called "resolvconf", and I don't know whether it's
Unbound-aware or not. Possibly not. If it isn't, file a bug.)
Before I heard about resolvconf software, I used to sometimes, in
frustration, fall back on that old barbarian system administration classic,
setting the immutable bit:
$ su - (or sudo bash, or whatever)
# cd /etc
# chattr +i resolv.conf
So, I recommend the barbarian approach, if needed. Honestly. Just
don't forget you've made it unchangeable unless/until you've removed
the immutable bit.
> It's worth noting that running your own recursive nameserver does you
> no good security-wise if your DNS queries get hijacked by your ISP
> (ala Comcast).
That is _not_ how Comcast's "DNS Helper" [sic] works, fortunately. See:
All they're doing is making their _own_ nameservers give RFC-violating
wrong answers (similar to what OpenDNS does for non-paying customers).
They aren't interfering in traffic to/from customers' own nameservers --
unless they've started to do something new that I haven't heard about.
> If you are interested in enhancing the security of
> your DNS lookups, DNSSEC would also be a good thing to look into, even
> in its current fragmented form.
That is not relevant to, nor useful to, Roger's objective.
(By the way, IMO urging getting lost in the DNSSEC swamp onto people new
to running nameservers is not a useful or friendly thing to do,
completely aside from the fact that your suggestion is almost entirely
irrelevant to running a _recursive_ DNS server. But, FWIW, NLnet Labs's
Unbound recursive nameserver software does fully support it.)
 I just got through downloading the latest source tarball from
http://ftp.debian.org/debian/pool/main/r/resolvconf/, to check.
The README file says, in part:
Resolvconf works with most interface configurers in Debian
('(*)' below meaning "with some manual configuration"):
    dhcp3-client, dhcp-client, dhcpcd, pump, udhcpc
DNS recursing nameservers:
    bind9(*), djbdns dnscache, dnsmasq, pdnsd, totd
and with any program that uses a DNS client library that consults
/etc/resolv.conf to obtain its list of nameservers:
    the GNU C Library resolver library
    the djbdns resolver library
That small roster of "DNS recursing nameservers" needs to also gain
entries for Unbound, MaraDNS, and dnscache (the recursive part of
djbdns). I'll write to Thomas Hood, when I have a moment.
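Whichever route you take (a resolvconf subscriber or the immutable bit), it is worth having a check that /etc/resolv.conf still hands every lookup to the local Unbound rather than to nameservers a DHCP client wrote in. The script below is an added example, not code from the post or from openresolv/resolvconf; the two sample files it creates are constructed, and 192.0.2.53 is a documentation address standing in for an ISP resolver.

```shell
#!/bin/sh
# Added example: verify that resolv.conf still points every lookup at the
# local recursive Unbound (127.0.0.1 / ::1) and has not been rewritten by
# a DHCP client or NetworkManager. Sample files are constructed below.

# check_resolv_conf FILE: return 0 if the file has at least one nameserver
# line and all of them are loopback addresses; otherwise print the foreign
# entries and return 1.
check_resolv_conf() {
    file=$1
    count=0
    status=0
    # awk skips comment lines and prints the address of each nameserver line.
    for ns in $(awk '/^[[:space:]]*[#;]/ { next }
                     $1 == "nameserver" { print $2 }' "$file"); do
        count=$((count + 1))
        case $ns in
            127.0.0.1|::1) ;;                      # the local Unbound
            *) printf 'foreign nameserver %s in %s\n' "$ns" "$file"
               status=1 ;;
        esac
    done
    if [ "$count" -eq 0 ]; then
        printf 'no nameserver lines in %s\n' "$file"
        status=1
    fi
    return "$status"
}

# immutable_bit_set FILE: true when lsattr shows the 'i' attribute that
# "chattr +i" sets (ext2/3/4 only; returns 2 if lsattr is not installed).
immutable_bit_set() {
    command -v lsattr >/dev/null 2>&1 || return 2
    lsattr -d -- "$1" 2>/dev/null | awk '{ print $1 }' | grep -q i
}

# Constructed samples: one as Unbound wants it, one after a DHCP overwrite.
tmp=$(mktemp -d)
GOOD_CONF=$tmp/resolv.conf.good
BAD_CONF=$tmp/resolv.conf.bad
printf '# Generated by resolvconf\nnameserver 127.0.0.1\nnameserver ::1\n' > "$GOOD_CONF"
printf 'search example.net\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$BAD_CONF"

check_resolv_conf "$GOOD_CONF" && echo "$GOOD_CONF: ok"
check_resolv_conf "$BAD_CONF" || echo "$BAD_CONF: overwritten by DHCP"
```

Run it against the real file with `check_resolv_conf /etc/resolv.conf` from cron or a login script; a non-zero exit tells you the DHCP client got past whichever protection you chose.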