# forbid dhclient changing resolv.conf



## nekoexmachina (Jun 21, 2010)

How do i forbid resolv.conf change by dhclient on boot?


----------



## anomie (Jun 21, 2010)

You can deduce the needed options from dhclient.conf(5) (and its related documentation), or you can make resolv.conf system immutable using chflags(1).


----------



## nekoexmachina (Jun 21, 2010)

> You can deduce the needed options from dhclient.conf(5) (and its related documentation),


Thank you. Solved.


----------



## SirDice (Jun 22, 2010)

Create a file called /etc/dhclient-enter-hooks and add this:

```
add_new_resolv_conf() {
        # We don't want /etc/resolv.conf changed
        # So this is an empty function
        return 0
}
```

That will prevent /etc/resolv.conf from being overwritten, as it 'overloads' the function of dhclient.
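The mechanism behind this hook is worth seeing in isolation: dhclient-script defines its own `add_new_resolv_conf()`, then sources the enter-hooks file, so a same-named function in the hook replaces the script's definition before it is ever called. The script below is an added demonstration, not SirDice's code and not FreeBSD's real dhclient-script; `fake_dhclient_script` is a stand-in that keeps only the define / source-hooks / act-on-`$reason` sequence, the nameserver address is a constructed lease value, and all paths are redirected into a temporary directory so it runs unprivileged on any POSIX system.

```shell
#!/bin/sh
# Added demonstration (not from the original post) of how sourcing
# /etc/dhclient-enter-hooks lets a hook redefine add_new_resolv_conf().
# fake_dhclient_script is NOT FreeBSD's dhclient-script; it only reproduces
# the order of operations that matters. Everything lives under $DEMO.

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
RESOLV="$DEMO/resolv.conf"          # stands in for /etc/resolv.conf
HOOKS="$DEMO/dhclient-enter-hooks"  # stands in for /etc/dhclient-enter-hooks

# Constructed hook file with the same content as the post above.
cat > "$HOOKS" <<'EOF'
add_new_resolv_conf() {
        # We don't want /etc/resolv.conf changed
        # So this is an empty function
        return 0
}
EOF

# Stand-in for dhclient-script(8). $1 is $reason, $2 is the hooks file.
# new_domain_name_servers is the variable dhclient exports from the lease;
# the address here is a constructed value, not a real lease.
fake_dhclient_script() {
    reason="$1"
    hooks="$2"
    new_domain_name_servers="10.0.0.53"

    # 1. The script's own definition. It is (re)defined on every run, which is
    #    why an override from a previous run does not leak into this one.
    add_new_resolv_conf() {
        printf 'nameserver %s\n' "$new_domain_name_servers" > "$RESOLV"
    }

    # 2. Source the enter hooks if present. A function of the same name in the
    #    hooks file replaces the definition from step 1 (this is the override).
    if [ -f "$hooks" ]; then
        . "$hooks"
    fi

    # 3. Act on $reason. Only reasons that carry a new lease touch resolv.conf.
    case "$reason" in
        BOUND|RENEW|REBIND|REBOOT) add_new_resolv_conf ;;
    esac
}

# Seed resolv.conf with a static nameserver, run the stand-in script with the
# given hooks file, and print what resolv.conf contains afterwards.
run_demo() {
    printf 'nameserver 127.0.0.1\n' > "$RESOLV"
    fake_dhclient_script BOUND "$1"
    cat "$RESOLV"
}

echo "without hooks: $(run_demo "$DEMO/no-such-hooks")"   # lease value written
echo "with hooks:    $(run_demo "$HOOKS")"                # static entry kept
```

The check to keep in mind from this: the override only holds for code paths that go through `add_new_resolv_conf()`. Anything that writes /etc/resolv.conf by another route (or a hooks file that fails to parse under sh(1), which aborts the sourcing before the function is defined) is not covered by it.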


----------



## tzoi516 (Jan 31, 2014)

> SirDice said:
> Create a file called /etc/dhclient-enter-hooks and add this:
>
> ```
> add_new_resolv_conf() {
> ...
> ```

Is this still necessary with FreeBSD 10?


----------



## wblock@ (Jan 31, 2014)

Only if the DHCP server is handing out the wrong DNS server addresses.


----------



## tzoi516 (Jan 31, 2014)

The DHCP server is passing the ISP server addresses, which are fine for most workstations on the network. However, for a couple laptops, security-wise, I need to keep them static.


----------



## SirDice (Feb 1, 2014)

Yes, you still need it on FreeBSD 10.0. There are no changes in this respect with the previous versions.


----------



## tzoi516 (Jun 2, 2014)

> tzoi516 said:
> > SirDice said:
> > ...


Would this be a better solution?

```
chflags schg /etc/resolv.conf
```


----------



## jrm@ (Jun 2, 2014)

Another option is to tell dhclient what not to mess with in /etc/resolv.conf by putting something like this in /etc/dhclient.conf:

```
supersede domain-name-servers 127.0.0.1;
supersede domain-name "mydomain.org";
```


----------



## kpa (Jun 2, 2014)

> tzoi516 said:
> > tzoi516 said:
> > ...



No, the configuration file is there to be edited. Use it.


----------



## tzoi516 (Jun 3, 2014)

I got the idea from the BSD Now DNS Crypt tutorial, and that was done. Thought it would apply to this as well.


----------



## wblock@ (Jun 3, 2014)

That's what I used to do. It still seems simpler to me than adding the dhclient() function. Usage depends on context, though.


----------



## ericx (Jul 24, 2014)

OS: FreeBSD 10.0-RELEASE-p5

I've implemented a replacement add_new_resolv_conf() within /etc/dhclient-enter-hooks as follows:


```
# $LOGGER is set by dhclient-script before this file is sourced
$LOGGER "Loading dhclient-enter-hooks"

add_new_resolv_conf() {
    # We don't want /etc/resolv.conf changed
    # So this is an empty function
    $LOGGER "Running blank add_new_resolv_conf() from dhclient-enter-hooks"
    return 0
}
```

What's frustrating is that while the first $LOGGER statement always appears in /var/log/daemon, the second does NOT appear upon reboot (and resolv.conf is trashed). That is to say: this hack works if you initiate `dhclient` by hand as root on a working command line, but it fails during boot.

Anyone with good boot-fu able to explain why dhclient-script will load the dhclient-enter-hooks file during boot but not, in fact, actually read/implement the replacement version of add_new_resolv_conf()?

Thank you for your time.


----------



## SirDice (Jul 24, 2014)

The script should be sourced, regardless of when or how dhclient(8) is executed. See dhclient-script(8):

> Before taking action according to $reason, dhclient-script will check for the existence of /etc/dhclient-enter-hooks. If found, it will be sourced (see sh(1)). After taking action according to $reason, dhclient-script will check for the existence of /etc/dhclient-exit-hooks. If found, it will be sourced (see sh(1)). These hooks scripts can be used to dynamically modify the environment at appropriate times during the DHCP negotiations.


----------



## ljboiler (Jul 24, 2014)

You wouldn't happen to have a /etc/resolv.conf.save lying around, would you? There is a path in the dhclient-script logic where that file will be used to overwrite the contents of /etc/resolv.conf: the lease expires (perhaps because the machine has been turned off for many hours and you're just booting it up) on the "default" (perhaps only) network interface and you have set `resolvconf_enable=no` in /etc/rc.conf.

Just a thought...


----------



## ericx (Jul 24, 2014)

> SirDice said:
> The script should be sourced, regardless of when or how dhclient(8) is executed. See dhclient-script(8):
>
> ```
> Before taking action according to $reason, dhclient-script will check for
> ...
> ```



That's what I find so fascinating and confusing. From my console.log during boot:


```
Jul 23 20:23:54 <console.info> milicent kernel: nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
Jul 23 20:23:54 <console.info> milicent kernel: Configuring keyboard: keymap.
Jul 23 20:23:54 <console.info> milicent kernel: Starting dhclient.
Jul 23 20:23:54 <console.info> milicent kernel: dhclient: Loading dhclient-enter-hooks
Jul 23 20:23:54 <console.info> milicent kernel: Starting ums0 moused.
Jul 23 20:23:54 <console.info> milicent kernel: add net fe80::: gateway ::1
Jul 23 20:23:54 <console.info> milicent kernel: add net ff02::: gateway ::1
```

`syslogd` isn't running yet, so there is no corresponding entry in /var/log/user. You can see the one log entry written as dhclient-enter-hooks is sourced, but there is no subsequent log entry from within the replacement version of add_new_resolv_conf(), and /etc/resolv.conf is overwritten.

Any time after boot, either regular lease renewal or manual stop/start of `dhclient`, dhclient-enter-hooks is sourced, the replacement version of add_new_resolv_conf() is run, two log entries appear on the console, and /etc/resolv.conf remains untouched.


```
Jul 23 21:23:51 <user.notice> milicent dhclient: Loading dhclient-enter-hooks
Jul 23 21:23:51 <user.notice> milicent dhclient: Running blank add_new_resolv_conf() from dhclient-enter-hooks
```

/etc/resolv.conf is only overwritten during boot. [cut to Rod Serling smoking a cigarette]


----------



## ericx (Jul 24, 2014)

> ljboiler said:
> You wouldn't happen to have a /etc/resolv.conf.save lying around, would you? There is a path in the dhclient-script logic where that file will be used to overwrite the contents of /etc/resolv.conf: lease expires (perhaps because the machine has been turned off for many hours and you're just booting it up) on the "default" (perhaps only) network interface and you have set
> ...



Thanks. None of the above.

There is no `resolvconf_enable=no` in /etc/defaults/rc.conf, so I was unaware of that flag. I will grep around and see what it does.


----------

