
How to take back control of /etc/resolv.conf on Linux (2018) - ausjke
https://www.ctrl.blog/entry/resolvconf-tutorial
======
usr1106
The article and the previous discussion here do not cover any modern
distribution using glibc and systemd-resolved. /etc/resolv.conf has become
legacy and is not even used by most programs anymore. "Taking back control" of
something that is not used will not change much...

Modern programs should use getaddrinfo(3). The glibc implementation of that
call will first consult the "hosts:" line of /etc/nsswitch.conf. That file
will contain a list to determine how host names are resolved:

The first entry is typically "files". That means consult the /etc/hosts file.

Next there could be something to consult avahi/autoip, Ubuntu systems
typically do that.

There could also be entries "myhostname" and "mymachines". That's systemd's
container support, not discussed here.

If the system uses systemd-resolved there will be an entry "resolve". That
means consult systemd-resolved.

Typically the last one is "dns". That's the traditional implementation using
/etc/resolv.conf. But if systemd-resolved is configured and working we never
get here.

Only if you don't have "resolve" before "dns" in your /etc/nsswitch.conf is
/etc/resolv.conf still relevant.

It appears to me that musl does not use /etc/nsswitch.conf at all, so there
/etc/resolv.conf is still relevant.

~~~
krageon
Any modern distro using a systemd resolver is one meant for the kind of people
that don't care about taking back control, because they will be layman users.
You are of course correct that this then does not apply to them, but I would
argue this is kind of an obvious point.

~~~
usr1106
I don't want to participate in the discussion whether systemd and
systemd-resolved are good or bad or for laymen or not.

My only point was if you want "to take control" of your system you first have
to look at /etc/nsswitch.conf. If "resolve" is before "dns" your /etc/resolv.conf
is mostly unused. Any article discussing /etc/resolv.conf without mentioning
/etc/nsswitch.conf is very misleading for many users who happen to have
systemd-resolved (probably because the distro decided to install and configure
it).

~~~
xvYXA
I guess the discussion is a bit heated because distros keep breaking stuff
that worked 10 years ago.

It would be fine if overall reliability increased, but it does not. I could
write more reliable shell scripts for making WiFi or PPP connections than
NetworkManager, which sometimes required a reboot before graciously allowing
me to connect again. Never happens on the command line.

Thank you for describing the status quo, I'll probably look into Slackware or
OpenBSD now.

~~~
zcid
My suggestion for Linux right now is Void Linux. It's clean and minimalist and
eschews systemd for runit. It feels a lot like OpenBSD without ports (although
the manpages are sadly Linux-like).

------
m45t3r
Just so some people know, systemd-resolved does not override /etc/resolv.conf
by default. I know because neither Arch nor NixOS does this, you need to
explicitly override it using `ln -sf /run/systemd/resolve/stub-resolv.conf
/etc/resolv.conf`.

The culprit is actually NetworkManager. When it detects that systemd-resolved
is running it sets the default resolver to systemd-resolved, and automatically
makes the override for the user. I think it also does the same for the other
supported resolvers (unbound, dnsmasq, etc.).

~~~
m45t3r
To fix it, following just the first part of the article is sufficient (setting
`dns=none` in NetworkManager configuration).

There is no need to remove or disable systemd-resolved, set chattr +i or
anything else (of course, if you're not using it you can remove it without
problems).
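The three checks discussed above by usr1106 and m45t3r, as an added example that is not code from the thread or from any project: a POSIX shell diagnostic that parses the "hosts:" line of an nsswitch.conf file, reports whether resolv.conf is the systemd-resolved stub symlink, and reads the immutable attribute that chattr +i sets. All function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or any project): report which
# mechanism actually answers name lookups on a glibc system: the order of
# "resolve" and "dns" on the "hosts:" line, whether /etc/resolv.conf is the
# systemd-resolved stub symlink, and whether chattr +i is set on it.

# Print the sources of the "hosts:" line of an nsswitch.conf file, one per
# line, with action specifiers such as [NOTFOUND=return] stripped out.
nss_hosts_sources() {
    sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' "$1" \
        | sed 's/\[[^]]*\]//g' | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Decide who answers an ordinary getaddrinfo() lookup for a public name:
#   systemd-resolved  "resolve" is listed and comes before any "dns"
#   resolv.conf       "dns" is listed and "resolve" does not precede it
#   none              neither is listed (files, mdns, myhostname only)
resolv_conf_authority() {
    resolve_pos=0; dns_pos=0; pos=0
    for src in $(nss_hosts_sources "$1"); do
        pos=$((pos + 1))
        case $src in
            resolve) if [ "$resolve_pos" -eq 0 ]; then resolve_pos=$pos; fi ;;
            dns)     if [ "$dns_pos" -eq 0 ]; then dns_pos=$pos; fi ;;
        esac
    done
    if [ "$resolve_pos" -gt 0 ] && { [ "$dns_pos" -eq 0 ] || [ "$resolve_pos" -lt "$dns_pos" ]; }; then
        echo systemd-resolved
    elif [ "$dns_pos" -gt 0 ]; then
        echo resolv.conf
    else
        echo none
    fi
}

# Report what a resolv.conf path is: the systemd-resolved stub link that
# NetworkManager or `ln -sf` creates, another symlink, a plain file, or
# nothing. A plain file is the only case where your own edits stay yours.
resolv_conf_kind() {
    if [ -L "$1" ]; then
        target=$(readlink "$1")
        case $target in
            */systemd/resolve/stub-resolv.conf) echo "systemd-resolved stub" ;;
            */systemd/resolve/resolv.conf)      echo "systemd-resolved upstream list" ;;
            *)                                  echo "symlink to $target" ;;
        esac
    elif [ -f "$1" ]; then
        echo "regular file"
    else
        echo "missing"
    fi
}

# Is the immutable attribute (chattr +i) set? Lowercase 'i' is the only
# immutable marker in lsattr's flag field; "unknown" means lsattr is absent
# or the filesystem does not support attributes.
immutable_state() {
    attrs=$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1)
    case $attrs in
        "")  echo unknown ;;
        *i*) echo immutable ;;
        *)   echo mutable ;;
    esac
}

# Stand-alone use: describe the running system (skipped where nsswitch.conf
# does not exist, e.g. on musl-based systems that ignore it anyway).
if [ -r /etc/nsswitch.conf ]; then
    echo "lookup authority : $(resolv_conf_authority /etc/nsswitch.conf)"
    echo "/etc/resolv.conf : $(resolv_conf_kind /etc/resolv.conf)"
    echo "immutable flag   : $(immutable_state /etc/resolv.conf)"
fi
```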

~~~
jniedrauer
I thought this was common knowledge. I've been doing this since the upstart
days...

------
petronio
After running into this a while ago when I was rebuilding my system and
getting annoyed by all the different things that try to modify it, I ended up
giving up and just setting the file to immutable. It has been working fine for
the past couple of months as nothing seems to autodetect the flag and try to
remove it.

    chattr +i /etc/resolv.conf

~~~
lkirk
I have used this in the past. There are only a few places where this bites
you, for instance wifi authentication portals. Some of these wifi access
points change your resolv.conf so that you can load their internal page for
terms and conditions.

~~~
likkwidd
I solved the captive portal issue by using captive browser

[https://github.com/FiloSottile/captive-browser](https://github.com/FiloSottile/captive-browser)

~~~
lkirk
Very cool, thanks. I will probably be using this in the future

------
Faaak
I hate systemd-resolved because it uses glib's resolver.

The problem is that this resolver doesn't understand root queries. That means
that `dig +trace` doesn't work anymore, and you have to use an external server
for the root zone.

This is such a trivial use case not taken into account by systemd (they don't
even want to fix it), that I'm saddened by it.

~~~
coldacid
systemd is such complete garbage that I immediately write off any distros that
run on it as unusable. For all the fail of SysV init, at least it sticks to
its own job and little else.

~~~
Spivak
So every distro except for Void and Devuan?

~~~
isatty
Gentoo!

It’s a great distro, gives you loads of choice (even lets you go with systemd)
and the developers actually care about open source and the act of giving a
shit (unlike what I see from the systemd bug tracker).

~~~
throwamay1241
10-Year Gentoo veteran here. Every time I move away from Gentoo I come back
purely because I have some headache caused by systemd or pulseaudio (which
seems to depend on / be depended on by systemd). If they didn't get in the way
I wouldn't care, because not needing to compile packages would be nice.

Recently I purchased some bluetooth headphones, they don't work well without
PulseAudio and so far I haven't gotten anything but raw audio files to
playback directly.

Same goes for Firefox. I _think_ there's an intermediate plugin to play
directly to ALSA, but for now I'm just playing spotify||netflix via chrome.

Point is, it's slowly becoming harder to avoid Systemd and PulseAudio. Because
all the major distros use them, the support, development and documentation for
!systemd has died off radically :(

~~~
Jach
12 years here. I finally let pulse back on my system a year or two ago when
after enough upgrades (notably Firefox) my sound config went from perfectly
fine for years to unreliable. At least pulse is better now. And more stable
than the version I have to use on work machines (ubuntu). No dependencies on
systemd required, though; that project will never be installed. OpenRC is
great, and it's simple enough that it doesn't need any team of paid devs
figuring out how to cram more features into it.

------
tyingq
Also see _"systemd-resolved does not keep the order of the DNS servers"_ for
another irritation with systemd-resolved:

[https://github.com/systemd/systemd/issues/5755](https://github.com/systemd/systemd/issues/5755)

And... _"systemd-resolved does not use DNS for local resolution"_

[https://github.com/systemd/systemd/issues/6224](https://github.com/systemd/systemd/issues/6224)

------
zwischenzug
I got so fed up with debugging DNS issues on Linux I ended up writing this
series of posts:

[https://zwischenzugs.com/2018/06/08/anatomy-of-a-linux-dns-l...](https://zwischenzugs.com/2018/06/08/anatomy-of-a-linux-dns-lookup-part-i/)

[https://zwischenzugs.com/2018/06/18/anatomy-of-a-linux-dns-l...](https://zwischenzugs.com/2018/06/18/anatomy-of-a-linux-dns-lookup-part-ii/)

[https://zwischenzugs.com/2018/07/06/anatomy-of-a-linux-dns-l...](https://zwischenzugs.com/2018/07/06/anatomy-of-a-linux-dns-lookup-part-iii/)

[https://zwischenzugs.com/2018/08/06/anatomy-of-a-linux-dns-l...](https://zwischenzugs.com/2018/08/06/anatomy-of-a-linux-dns-lookup-part-iv/)

and I haven't even covered caching.

------
AJRF
I just recently came across this in Ubuntu and was astounded that it's allowed
to be this way. I think this kind of behavior will become more and more
prevalent once one util is allowed to do it.

It leads us on a path where daemon authors don't allow us to override the
settings to suit us, but rather keep them controlled to suit them.

The arrogance sets a very bad precedent.

~~~
sverige
The arrogance has been there since the start of systemd. It's not just a
comment on a particular personality, either, but rather on the general
attitude as demonstrated by design decisions.

I think it helps to think of it as making Linux more like Windows, with all of
the plumbing hidden from the user and difficult to tweak by the administrator.
"Why would you need to, anyway? We've already taken care of that for you."

~~~
glennpratt
That's rich considering that I regularly use systemd override files with no
issue instead of having to hack garbage init scripts filled with bugs.

------
g45y45
You really want to do this if you use Spectrum Cable. You are locked out of
configuring the DNS settings via their cable modems (even if you supply your
own). These force a DNS search suffix that leaks all DNS requests to their
server, even if you are using another public DNS. I noticed network manager
kept forcing the DNS search suffix, even after I manually disabled it. I did
the config change to disable it messing with the resolv.conf.

~~~
vetinari
You can easily configure Network Manager to ignore anything from the DHCP,
including DNS (properties ipv4.ignore-auto-dns and ipv4.dns* on your
connection).

~~~
newman314
Sounds like a good reason for DoH.

~~~
vetinari
DoH cuts both ways, so be sure you know what you are wishing for.

Yes, it allows you to prevent your ISP manipulating your DNS. Your ISP has no
way to know when you are resolving, because it is masked in other HTTPS
traffic.

But it also allows the apps to prevent you from manipulating their DNS. You
don't know when an app is ignoring the resolver you configured system-wide,
because it is masked in its HTTPS traffic.

There is a worrying trend that apps (browsers especially) are ignoring
whatever you configured in your system, and are becoming basically a blackbox
outside your control with a wide open connectivity to the Internet. No
explanation needed, what that means for any privacy left.

------
deathanatos
I use a custom resolv.conf. Really, the biggest problem is airports: some want
you to go through a captive gateway, but the captive gateway's domain is not
publicly registered, so if you're using 8.8.8.8 or similar, it fails to
resolve. Leads to an annoying trip to resolv.conf (well, resolvconf.conf in my
case) to tell it to use the DHCP settings, run through the portal, and then
flip back.

(And like, is it really that hard to register your captive portal's name
globally, and just let me use a global resolver to get to it? IDK if they're
concerned about DNS tunneling, but this happens even on "free" WiFi (where
free might mean "watch this ad", which honestly is fine w/ me.))

~~~
JoshTriplett
> Really, the biggest problem is airports: some want you to go through a
> captive gateway, but the captive gateway's domain is not publicly
> registered, so if you're using 8.8.8.8 or similar, it fails to resolve.

Ideally, the software detecting captive portals on a network and presenting
their login page should also use the network-provided DNS server solely to
resolve the captive portal domain _if_ it doesn't resolve with the preferred
resolver. That would solve this case.

(Also, ideally, captive portals would serve up a URL using DHCP options and
_not_ capture traffic.)

------
amaccuish
On my domain controllers (where I absolutely cannot have anyone touching the
conf), I just chattr +i /etc/resolv.conf.

That prevents anything, even root, from changing the file, unless chattr -i is
called first.

~~~
ktpsns
Wow, I wasn't aware of the chattr command at all. Here is a list of the
available ones:
[https://en.wikipedia.org/wiki/Chattr](https://en.wikipedia.org/wiki/Chattr)

Apparently, they are very file system specific. That's why they are not widely
used. I guess a chmod 0444 would not do it, as system tools tend to "fix"
wrong permissions automatically (but not permissive attributes).

~~~
j7k6
I use `chattr +i` with NFS mountpoints for backups, it prevents the local
harddrive from filling up when a network share fails to mount on boot.

~~~
muxator
Totally. If something is meant to be a mount point, a chattr +i on the
underlying directory is a godsend, because it gives you an immediate error in
case the mount should fail for whatever reason.

------
smilesnd
I miss the days when I didn't have to worry about outside programs changing my
configs without my knowledge.

~~~
ktpsns
Isn't it great to have the choice whether some tool manages the system or one
does it manually? Thanks GNU/Linux, thanks all the Linux distributions
maintained by hundreds of volunteers!

~~~
rconti
I got the opposite out of this post; not only do RH/Cent use hellish network
middlemen, but other distros have their own fresh hells. Is there really a
choice that doesn't commandeer your configs?

Standard practice for me was to rip out every last shred of NetworkManager on
every fresh build, but I didn't realize how many other utilities broke the
resolver config as well.

~~~
subway
What's wrong with Network Manager? I've yet to find a better tool for managing
wired, wireless, vpn, and mobile broadband anywhere as well as NM. Sticking
with the theme of the original post, NM combined with unbound and
dnssec-triggerd is downright amazing. Your vpn connection passes down a nameserver
and search zone? Bam, NM pushes that into unbound, and now queries for your
vpn domain go to the vpn resolvers, and your other queries go out to whatever
you set for your default resolver.

To be fair, in that particular config, resolv.conf never changes as it always
points to loopback, with your preferred nameservers only existing in memory in
unbound, and in network manager's config.

~~~
bubblethink
>What's wrong with Network Manager?

It's opaque and hard to debug. It may have utility on laptops, but on servers,
it is absolutely counterproductive. I could not for the life of me figure out
what it was doing w.r.t. ipv6 prefix delegation and how it was dealing with
dhclient6 internally. My leases would expire but not renew. Eventually, I had
to rip it out and create simple configs by hand that work well.

~~~
subway
I'll grant you that it's extremely _different_ from static network configs,
but it's far from opaque. If anything, having all the logging under NM can make
troubleshooting a pleasure; `journalctl -f -u NetworkManager` is a godsend.

I'll also agree that the benefits on a server are next to non-existent, but at
the same time it's just a default that's trivial to turn off, and I could
probably count on one hand the number of times it's bitten me while building
and deploying tens of thousands of hosts over the last 15 years.

It's a tool I've learned to love on my workstations, and rarely even notice on
production systems.

~~~
rconti
Disagree. I've "disabled" it in policy countless times, and been bitten in the
ass by it re-enabling itself countless times. The only thing that works is
deleting it entirely. After the umpteenth troubleshooting session, only to
find out "oh, it's that thing again? That thing we keep trying to make go
away?" I'm not going to spend one more minute trying to figure out how I could
keep from hurting its feelings.

~~~
subway
It sounds like you don't understand the tools you use, and have no interest in
learning them. NetworkManager (just like any other daemon) cannot "re-enable"
itself. It's possible if you were on a Debian derived host that package
post-install scripts enable the service (as is the case with all services on
Debian derived distros due to packaging policies). The _right_ way forward here
is to indeed remove the package if you aren't using NM. Or better yet, get a
better grip on the packages you install in the first place, and just don't
install NM to begin with.

If you're on a RH or Arch derived distro, policy is just the opposite, and if
the service is ever magically enabled (aside from Anaconda enabling it after
the package was selected at install time), it's a _massive_ bug (I can't find
any such bug report in Arch or Fedora).

~~~
bubblethink
systemd's dependency logic about what is enabled or disabled is not
straightforward. For example, I disable bluetooth on general principle, and yet
it gets enabled (as in activated) in some scenarios due to other stuff
depending on it (I think something in gnome does). "systemctl is-enabled
foo.service" is not a guarantee about anything. Something else can still start
the service without the user's authorization.

~~~
JdeBP
> _enabled (as in activated)_

Not understanding the difference between these is likely part of the problem
here.

~~~
bubblethink
It's not really the user's fault though. If you really want to make sure that
something else doesn't start it, you need to mask the service. But then, you
can't start it either. What you really need is "disabled unless I start it". I
don't think there is a state like that.

------
NelsonMinar
Along these lines, netplan in Ubuntu is seriously confusing. That's the set of
scripts that rewrites most of your network config in /etc with stuff generated
from some new set of YAML config files. I'm willing to believe netplan is a
Better Way to configure networking, but the kludge of having it rewrite long-
understood config files in /etc is really awful.

~~~
isostatic
I tried to get on board with netplan, I really did. I thought it was a redhat
inspired systemd-esque invasion.

Turns out it's an 'upstart' type ubuntu crapfest that's unlikely to survive as
long as 20.04.

I wouldn't mind, but the very first machine I tried to configure with it was
an ntop machine, I wanted 2 interfaces to come up with no IPs attached. Turns
out it's not possible.

~~~
jandrese
I ran into Netplan with an 18.04 server install and the whole time I was
asking myself why this was better than the old system.

------
throw2016
How is designing for laptop networking for a system predominantly used as a
server with marginal desktop market share justified? Why not roll out
something discrete for the negligible percent of laptop users instead of
imposing configuration overhead on all users?

Debian prides itself on stability but voted for an 'init' that is rapidly
changing with unlimited scope outside the purview of Debian. Thus we have a
lot of extremely questionable networking functionality like 'predictable
network names' and more just rolled out and 'imposed' on everyone without
discussion, debate or technical scrutiny by a single group.

Alpine Linux servers and VMs boot in seconds and are easy to configure and
use. Void is equally fast for desktop users. The real problem seems to be a
lot of developers are unfamiliar with the shell and its extensive use in
everything from the system to the apps ecosystem. And we are left with a
situation where the shell is demonized by people who are not familiar with it.

------
sly010
This seems backwards.

I don't feel strongly about networkd or NetworkManager either way, but I am
curious on the meta-debate. I am personally a fan of the modernization of the
linux userspace in the last 10 years (systemd, wayland, networkmanager), but I
also understand that the puzzle pieces don't always fit together. However the
argument against new things always seems to come down to "not what I am used
to".

Other than tradition, what is wrong with explicitly configuring NetworkManager
to configure /etc/resolv.conf "my way" instead of going behind its back? Does
it not have a "DNS Server: manual" option?

~~~
nisa
I'm only a bystander in this fight but this is dishonest:

> However the argument against new things always seems to come down to "not
> what I am used to".

For me it's always: I can't debug this. I remember installing RHEL 7.0 just
after release and nmtui crashing on me with some weird problem in glib when
setting a hostname using it. I also remember trying to debug openvpn in
network manager
([https://i.imgur.com/zbaRcST.mp4](https://i.imgur.com/zbaRcST.mp4)) and both
of these are beaten paths...

I'm able to somehow get around most shell scripts but when something crashes
in C land on a customer box - what a PITA! It's not impossible but the amount
of work I have to invest is just sooo huge. I remember yelling at reddit about
some gnome stuff - and I've got a link to several powerpoint presentations...
give me technical documentation not powerpoints and give me tools to
troubleshoot that shit. No, strace should be a last resort and not your goto
tool: [https://blog.uberspace.de/systemd-error-getting-authority-ko...](https://blog.uberspace.de/systemd-error-getting-authority-kohoutek/)
(link in German, but google translate should work)

~~~
spc476
Having used Unix since 1989: basically, everything related to Unix admin
changes every 10 years. I'm tired of it. And I relish the fact that in twenty
years, this year's set of hipster devop admins calling me a neckbeard will be
screaming "get off my lawn" at the constant arbitrary changes this industry
seems to love.

------
jedisct1
Removing `systemd-resolved` is often enough, but like many,
`chattr +i /etc/resolv.conf` is also the next trick I do.

------
xfitm3
I think NetworkManager only exists because wpa supplicant is difficult to use.
I loathe networkmanager.

~~~
microcolonel
NetworkManager is convenient, especially for bringing up the kinds of bridged
connections, virtual NATs, etc. that ordinary power users often want but don't
believe they can achieve. And of course, you have every option not to use it,
or to improve it, or to propose your own replacement.

~~~
fernandotakai
at least for me, configuring vpns on network manager is a LOT simpler than
doing it by config files.

------
rawoke083600
I miss just having to "know" about /etc/resolv.conf for DNS. Now (years
later) I feel I always have to google magic-recipes to get my DNS to work :(

------
kingo55
Hands down the most annoying defaults on Linux.

Being an OS for nerds, I'm surprised NetworkManager doesn't handle manual
updates to resolv.conf.

~~~
peterwwillis
If you manually change something, how is it supposed to handle it? Notify the
user and ask them to accept the change? But NetworkManager changes the file
based on each network. So it'd have to ask you every time you connected to any
network. And what do you do until the user accepts the change? Default to
nothing? That would break any headless box where resolv gets accidentally
overwritten.

The simple solution is, make your manual overrides through NetworkManager, or
don't use it.

~~~
subway
NM doesn't _always_ change resolv.conf. This entirely depends on the dns
backend. If it's set to use dnsmasq, systemd-resolved or unbound as a dns
backend, it never touches the file, instead passing nameservers in to the stub
resolver dynamically.

[https://wiki.gnome.org/Projects/NetworkManager/DNS](https://wiki.gnome.org/Projects/NetworkManager/DNS)

------
adevx
I always edited this file then used

    chattr +i /etc/resolv.conf

to prevent further modifications.

------
johnklos
Does this need to be updated, or is what's in here relevant for the latest
round of Ubuntu changes?

~~~
d2wa
It’s up to date.

------
keybuk
We had a great plan somewhere around Ubuntu intrepid or jaunty that rather
than have apps rewrite /etc/resolv.conf, we'd leave it as a static file and
have a "nameserver dynamic" type config in there.

i.e. sensible default for many people, but super easy to override

------
purplezooey
I laughed at the title. I've been surprised every time I open resolv.conf
lately it says "do not edit!".

------
blattimwind
Using the immutable flag, of course.

------
nydel
it's only recently that the updates on ubuntu and other systemd'd linux
distributions have been frequently writing resolv.conf.

the suspicion that a user is so incapable of having already set DNS servers is
so strong that whatever-is-doing-this doesn't even bother to ask if or check
whether the resolv.conf file is different from default.

this seems a little too critical of, possibly insulting to the intelligence
of, people who use these versions of linux.

------
StreamBright
Alpine to the rescue. Seriously, there must be something super broken with
Linux if this article exists.

~~~
swiley
Alpine is definitely the most sane distro at the moment. I just can't
recommend it to my friends because I find myself having to compile anything
that isn't super common, and of course nothing that needs glibc works (which
is acceptable to me because I do prefer the smaller libc but some people might
really dislike it.)

~~~
AnIdiotOnTheNet
> I find myself having to compile anything that isn't super common

Yes well, that's what happens when package managers, with their dependence on
maintainers and whatnot, are your culturally lauded software distribution
method.

