Mailing List Archive

Neat trick to bypass /etc/resolv.conf and use your own resolv.conf for dnscache
I had a situation where I am running dnscache on a local laptop running
indimail. However, my resolv.conf would get updated by NetworkManager
or by a VPN client. There are solutions that modify NetworkManager
scripts / dhclient scripts / interface startup scripts to set the
nameserver to 127.0.0.1, but I found those solutions different for
different distros. Here is a neat solution using the unshare command from
util-linux. This command is available on CentOS, RHEL, Debian and Ubuntu.
This is how you do it:

1. Modify svscanboot to call unshare --mount, e.g.
exec /usr/bin/unshare --mount env - \
PATH=$PATH \
/var/qmail/bin/svscan.sh

2. in /var/qmail/bin/svscan.sh
#!/bin/sh
# Runs inside the mount namespace created by unshare in step 1, so the
# bind mount below is visible only to svscan and the services it starts.
/usr/bin/mount --bind /var/qmail/control/resolv.conf /etc/resolv.conf
exec /var/qmail/bin/svscan

3. in /var/qmail/control/resolv.conf
nameserver 127.0.0.1

Now all services started by svscan will transparently use
/var/qmail/control/resolv.conf as /etc/resolv.conf.

There are many other things you can do with unshare. You can use a
totally different hostname or domain name on a per-process basis.

You can find the mount point in /proc/$pid/mountinfo, where pid is the
process id of the svscan process.

Read more about unshare at

http://blog.endpoint.com/2012/01/linux-unshare-m-for-per-process-private.html

--
Regards Manvendra - http://www.indimail.org
GPG Pub Key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC7CBC760014D250C
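The three steps above, as an added example that is not part of the original post or of indimail: the same unshare --mount plus bind-mount idea, wrapped so that any command (not only svscan) can be started with a private /etc/resolv.conf, together with the /proc/self/mountinfo check the post points to, run from inside the new namespace. The resolv.conf content and the temporary paths are assumptions for the demo; when run without root it falls back to a user namespace, which is a generalisation of the post's root-only svscanboot setup.

```shell
#!/bin/sh
# Added example (not code from the original post): the same
# unshare --mount + bind-mount trick as svscanboot/svscan.sh above,
# wrapped so any command can be started with a private /etc/resolv.conf.
# The resolv.conf content and temp paths used here are assumptions for
# the demo; nothing outside the new namespace is changed.

# in_private_resolv_ns CONF CMD [ARGS...]
#   Start CMD in a fresh mount namespace where CONF is bind-mounted over
#   /etc/resolv.conf. Returns CMD's exit status, or 2 when namespaces or
#   the bind mount are not available (no util-linux unshare, user
#   namespaces disabled, sandbox without CAP_SYS_ADMIN, no /etc/resolv.conf).
in_private_resolv_ns() {
    conf=$1; shift
    command -v unshare >/dev/null 2>&1 || return 2
    if [ "$(id -u)" -eq 0 ]; then
        ns_flags="--mount"
    else
        # unprivileged caller: a user namespace grants the right to mount
        # (CMD then sees uid 0 mapped onto the caller's real uid)
        ns_flags="--user --map-root-user --mount"
    fi
    # probe first so a blocked unshare is reported as 2, not as CMD failing
    unshare $ns_flags true >/dev/null 2>&1 || return 2
    # unshare(1) sets the new tree's propagation to private by default,
    # so the bind mount cannot leak back into the parent namespace.
    unshare $ns_flags sh -c '
        mount --bind "$1" /etc/resolv.conf 2>/dev/null || exit 2
        shift
        exec "$@"
    ' sh "$conf" "$@"
}

# resolv_mount_count: how many mounts in the caller's namespace mention
# resolv.conf in /proc/self/mountinfo (the check the post points to;
# if /etc/resolv.conf is a symlink, the mount point recorded is the link
# target, e.g. under /run, which still matches here).
resolv_mount_count() {
    n=$(grep -c 'resolv\.conf' /proc/self/mountinfo 2>/dev/null || true)
    echo "${n:-0}"
}

# private_resolv_view CONF: run a probe inside the namespace and print
# two lines: the resolv.conf mount count seen there, then what
# /etc/resolv.conf contains for that process.
private_resolv_view() {
    in_private_resolv_ns "$1" sh -c '
        n=$(grep -c "resolv\.conf" /proc/self/mountinfo 2>/dev/null || true)
        echo "${n:-0}"
        cat /etc/resolv.conf
    '
}

# Usage (paths assumed, as in the post):
#   printf "nameserver 127.0.0.1\n" > /var/qmail/control/resolv.conf
#   in_private_resolv_ns /var/qmail/control/resolv.conf cat /etc/resolv.conf
```

Outside the namespace, resolv_mount_count is unchanged and the real /etc/resolv.conf still holds whatever NetworkManager last wrote; only processes started through in_private_resolv_ns (and their children, which inherit the namespace) see the private copy. If the host disables unprivileged user namespaces, or the caller lacks CAP_SYS_ADMIN, the function returns 2 rather than silently running the command against the shared resolv.conf.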
Re: Neat trick to bypass /etc/resolv.conf and use your own resolv.conf for dnscache
Manvendra Bhangui <mbhangui@gmail.com> wrote:
> I had a situation where I am running dnscache [...] However my resolv.conf
> would get updated by NetworkManager or by vpn client.
[...]
> Here is a neat solution using unshare [...]

Looks like overkill. Why not just make resolv.conf immutable? i.e. chattr +i
It's always worked for me.

Charles
--
--------------------------------------------------------------------------
Charles Cazabon
GPL'ed software available at: http://pyropus.ca/software/
Read http://pyropus.ca/personal/writings/12-steps-to-qmail-list-bliss.html
--------------------------------------------------------------------------
Re: Neat trick to bypass /etc/resolv.conf and use your own resolv.conf for dnscache
On 11 May 2017 at 03:22, Charles Cazabon
<search-web-for-address@pyropus.ca> wrote:
> Manvendra Bhangui <mbhangui@gmail.com> wrote:
>> I had a situation where I am running dnscache [...] However my resolv.conf
>> would get updated by NetworkManager or by vpn client.
> [...]
>> Here is a neat solution using unshare [...]
>
> Looks like overkill. Why not just make resolv.conf immutable? i.e. chattr +i
> It's always worked for me.
>

That does not work for me. The unshare command lets you have your own
private copy of your own libraries, /etc/passwd, /etc/group, your
binaries from a mounted loopback filesystem, rapid deployment for
testing a private build without modifying existing copies of running
binaries, almost like a docker image. You can have your own private
mount namespace, custom UTS namespace (hostname, domainname), IPC
namespace (message queues, IPC, semaphores) and network namespace
(independent IPv4, IPv6 stacks, ip routing tables, firewall rules),
map uids to superuser. Complicated - maybe yes, cool - definitely yes.

$ ls -l /etc/resolv.conf /var/run/NetworkManager/resolv.conf
lrwxrwxrwx. 1 root root 35 May 11 08:37 /etc/resolv.conf ->
/var/run/NetworkManager/resolv.conf
-rw-r--r--. 1 root root 97 May 11 08:37 /var/run/NetworkManager/resolv.conf

$ chattr +i /var/run/NetworkManager/resolv.conf
chattr: Inappropriate ioctl for device while reading flags on
/var/run/NetworkManager/resolv.conf

$ sudo !!
sudo chattr +i /var/run/NetworkManager/resolv.conf
chattr: Inappropriate ioctl for device while reading flags on
/var/run/NetworkManager/resolv.conf

$ cat /etc/resolv.conf
# Generated by NetworkManager
search tagrem.in indimail.in
nameserver 8.8.8.8
nameserver 8.8.4.4
$
Re: Neat trick to bypass /etc/resolv.conf and use your own resolv.conf for dnscache
Manvendra Bhangui <mbhangui@gmail.com> wrote:
> >
> > Looks like overkill. Why not just make resolv.conf immutable?
>
> That does not work for me. The unshare command

I'm aware of how namespaces work, and how unshare provides command-line access
to some of their features, thanks.

> $ ls -l /etc/resolv.conf /var/run/NetworkManager/resolv.conf
> lrwxrwxrwx. 1 root root 35 May 11 08:37 /etc/resolv.conf ->
> /var/run/NetworkManager/resolv.conf
> -rw-r--r--. 1 root root 97 May 11 08:37 /var/run/NetworkManager/resolv.conf
>
> $ chattr +i /var/run/NetworkManager/resolv.conf
> chattr: Inappropriate ioctl for device while reading flags on
> /var/run/NetworkManager/resolv.conf

That's not quite what I meant. Didn't you say you wanted to use resolv.conf
(system-wide) pointing to your own dnscache resolver?

I meant, after removing /etc/resolv.conf (if it's a symlink) and replacing it
with a file pointing to your dnscache, make /etc/resolv.conf immutable, so
that NetworkManager or other completely-retarded programs that don't let you
opt out of their "helpful" replacing of /etc/resolv.conf can't screw it up on
you.

That has always worked for me. No namespaces needed. If you want to have
*different* resolv.conf contents for different programs on your system, then
yes, you'll need to use namespaces or overlay filesystems or something to
accomplish it, if the programs you want to configure can't have their
name-resolution methods configured separately.

Charles
--
--------------------------------------------------------------------------
Charles Cazabon
GPL'ed software available at: http://pyropus.ca/software/
Read http://pyropus.ca/personal/writings/12-steps-to-qmail-list-bliss.html
--------------------------------------------------------------------------
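The "make it immutable" approach as the reply describes it, as an added example that is not part of the thread: replace /etc/resolv.conf itself with a regular file (never the NetworkManager-managed target behind the symlink), then chattr +i, with a pre-flight check for the failure shown earlier in the thread, where chattr on the target under /var/run answered "Inappropriate ioctl for device" (ENOTTY) because that filesystem, typically a tmpfs, does not implement the attribute ioctl chattr relies on. Paths and the sample nameserver lines are assumptions for the demo; the chattr step needs root and a filesystem such as ext4, xfs or btrfs.

```shell
#!/bin/sh
# Added example, not from the thread: the "make it immutable" approach
# as the reply describes it (replace the symlink with a real file, then
# chattr +i), plus a pre-flight check that explains the
# "Inappropriate ioctl for device" seen earlier in the thread.
# Paths and the sample nameserver lines are assumptions for the demo.

# resolv_kind PATH -> symlink | file | missing
resolv_kind() {
    if [ -L "$1" ]; then echo symlink
    elif [ -f "$1" ]; then echo file
    else echo missing
    fi
}

# attr_flags_supported PATH: succeeds only if the filesystem holding PATH
# (the link target if PATH is a symlink) implements the attribute ioctl
# that chattr/lsattr use. ext4, xfs and btrfs do; the target under
# /var/run in the thread answered ENOTTY ("Inappropriate ioctl"), which
# is why chattr on the symlink's target could never work there.
attr_flags_supported() {
    lsattr -d "$(readlink -f "$1")" >/dev/null 2>&1
}

# replace_resolv_with_file PATH CONTENT: atomically turn PATH into a
# regular file holding CONTENT, on PATH's own filesystem. A symlink at
# PATH is replaced by rename(2) rather than followed, so the managed
# target (e.g. /var/run/NetworkManager/resolv.conf) is left untouched.
replace_resolv_with_file() {
    path=$1; content=$2
    dir=$(dirname "$path")
    tmp=$(mktemp "$dir/.resolv.conf.XXXXXX") || return 1
    printf '%s\n' "$content" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp"
    mv -f "$tmp" "$path"
}

# pin_resolv_conf PATH CONTENT: the full procedure; needs root and a
# filesystem that supports the immutable flag. Undo with: chattr -i PATH
pin_resolv_conf() {
    replace_resolv_with_file "$1" "$2" || return 1
    attr_flags_supported "$1" || { echo "no attribute support on $1" >&2; return 1; }
    chattr +i "$1"
}

# Usage (as root; paths assumed):
#   pin_resolv_conf /etc/resolv.conf "nameserver 127.0.0.1"
#   lsattr /etc/resolv.conf     # the i flag should now be set
#   resolv_kind /etc/resolv.conf   # file, no longer a symlink
```

Because the immutable flag lives in the inode of /etc/resolv.conf on the root filesystem, NetworkManager's rewrite of its own file under /var/run no longer reaches the name resolver, and its attempt to re-create the symlink fails against the flag. As with the reply's caveat, this pins one system-wide resolv.conf; per-process differences still need the namespace approach.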