Fedora13: resolv.conf, dnsmasq and ppp

chillicane · #1 20th July 2010, 02:48 AM

Ive recently setup a box with 2 network cards as a firewall/router using fedora 13. Im using pppoe to connect to the internet (ppp0 interface)

I want to start using dnsmasq as a dns server for my lan but i have a curious issue with ppp0 and the ISPs dns servers.

In my 'ifcfg-ppp0' i have PEERDNS=yes and this successfully sets the ISPs dns entries (from dhcp) into /etc/resolv.conf.

My problem is now i want to use dnsmasq as the dns server for the local machine so i would to do the following.

1) Put 127.0.0.1 in /etc/resolv.conf
2) On ipup of ppp0, get it to write the nameserver entries to a different file
3) Tell dnsmasq to use that file instead of resolv.conf for upstream dns

Ive examined the ipup and ifup scripts and done a google search and there is reference to it also being written to /var/run/ppp/resolv.conf - this is correct but it also always overwrites /etc/resolv.conf

2 Solutions that ive considered are:
1) Make /etc/resolv.conf non-writable with permissions - not sure if this would cause issues elsewhere
2) Hard code the nameserver address for my ISP in the dnsmasq config and turn off PEERDNS in the ppp0 config - sounds great, until my isp changes their dns server ips.

If those two are my only options then so be it, but since this surely must be a fairly common configuration (1 box for ppp and dns server) i thought i would ask before giving up.

Please let me know if more detail is required.

vallimar · #2 20th July 2010, 02:06 PM

Try setting PEERDNS=no and see if it still writes to /var/run/ppp/resolv.conf without overwriting the etc one. If so, just point dnsmasq to the other. Otherwise, you can make /etc/resolve.conf immutable using chattr and it won't be overwritten.. changing regular permissions won't prevent it being overwritten since that is processed as the root user.

jpollard · #3 20th July 2010, 02:58 PM

That shouldn't make any difference.

I configured my /etc/resolv.conf file to have my local server (a nameserver 192.168.0.8
entry. When dhcp configures the network, it appends my entries to theirs, and replaces
the file. When the network is disabled, the extra lines (at the beginning) are removed.

stevea · #4 20th July 2010, 04:56 PM

Quote:

Originally Posted by chillicane

2 Solutions that ive considered are:
1) Make /etc/resolv.conf non-writable with permissions - not sure if this would cause issues elsewhere
2) Hard code the nameserver address for my ISP in the dnsmasq config and turn off PEERDNS in the ppp0 config - sounds great, until my isp changes their dns server ips.

1) is a sledgehammer solution, and should never be used. Yes you can use the file access system to prevent resolv.conf updates, but then programs that try may crash or exhibit odd behavior.

2) *IF* you use the redhat network scripts ,then you have to set PEERDNS=no to prevent dhclient from updating resolv.conf . You have no choice there.

You could modify dhclient-script to save the resolv.conf file elsewhere.
You could cause dhclient to be run with -sf specifying a new script
You should be able to set the DHCLIENTARGS="-sf my-dhclient-script" to implement.

Looks like a well known problem and Fedora Buggers are in denial.
https://bugzilla.redhat.com/show_bug.cgi?id=304611

chillicane · #5 20th July 2010, 10:57 PM

Thanks for all your replies.

Setting PEERDNS=no indeed does not update the /var/run/ppp/resolv.conf file. That would have been the desired outcome. It seems as tho the network scripts are setup for all or nothing.

Also i felt the same about fiddling with resolv.conf permissions as stevea - it didnt seem right to have to change something so fundamental like that.
As for your dhclient suggestions, this is where my linux knowledge starts to waver.
As far as i can tell, dhclient is not being used at all on this environment. The only dhcp client is on the ppp interface to recieve a dynamic IP from my ISP, and from what i can see, dhclient isnt involved in that at all. I could be completely wrong tho of course.

There is an example script for ppp in the docs which is a ip-up.local (/usr/share/doc/ppp-2.4.5/scripts/ip-up.local.add) which might be useful if i can get the nameserver information from dhcp to write somewhere else. Im not afraid to get dirty with scripting if its going to be viable.