Set DHCP to not update resolv.conf

DHCP is set by default to update resolv.conf from the DHCP server. In some cases this is not desirable. In my case, I have public IPs on some machines, but want the machines to communicate via a private LAN for moving large amounts of data internally, without messing with the external interface.

In this case, I set a public static IP on one NIC, and the second NIC connects to a LAN and gets its address via DHCP. This is not secure in itself: anyone cracking one server can then use the LAN to attack the other servers, so you must keep security on both sections. However, it is convenient and, as long as security is set up on both NICs, not immensely less secure.

The problem is that when the DHCP client runs, by default it updates WINS, DNS, gateway and IP. DNS is updated by overwriting resolv.conf, meaning my static external setup has no effect.

Best Solution

The best solution I have found is based on https://wiki.debian.org/NetworkConfiguration#DHCP_Client_Configuration. You simply modify /etc/dhcp/dhclient.conf by uncommenting the lines

prepend domain-name-servers
supersede domain-name

and filling out the correct information.

Optionally, in the same file, you can create a stanza for a per-interface configuration. Something like

lease {
   interface "eth2";
   option domain-name-servers 192.168.0.1;
}

Don't forget the "s" at the end of servers. This says "for interface eth2, set the name servers to 192.168.0.1". When eth2 is now brought up, it will always use 192.168.0.1 as its entry in resolv.conf.

It would be better if you could change the request parameter in the lease clause, but I haven't been able to get that to work.

Another Way

The other solution I found was to create a script which overrides the DHCP client's make_resolv_conf function, replacing it with a null function that does nothing. I found an excellent article at http://www.cyberciti.biz/faq/dhclient-etcresolvconf-hooks/ that had three solutions. Of those I chose the one described below, modified for Debian Wheezy by creating a symbolic link from /etc/dhcp3/dhclient-enter-hooks.d/nodnsupdate to /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate.

First, create a file in /etc/dhcp3/dhclient-enter-hooks.d/ which contains a null definition for the make_resolv_conf function. The article mentioned above called it nodnsupdate, so that is what I called it, though you can call it anything. It should have the contents:

#!/bin/sh
make_resolv_conf(){
    :
}

Now, make the file executable and then create a symbolic link to it in /etc/dhcp/dhclient-enter-hooks.d/ (again, the file name doesn't matter; I just called it nodnsupdate).

Take down the DHCP interface, modify /etc/resolv.conf however you want, and bring up the DHCP interface. In my case it was eth1, so a simple ifdown eth1, edit resolv.conf, ifup eth1 worked just fine.

From now on, DHCP will update your route, address and subnet, but will not touch your resolv.conf.

Note: if you want the DHCP interface to be a secondary router, define the DHCP-enabled NIC as the physically second definition in /etc/network/interfaces.

The following six lines do the whole thing. As root, copy and paste them into the CLI on the server(s) in question.

echo '#!/bin/sh' > /etc/dhcp3/dhclient-enter-hooks.d/nodnsupdate
echo 'make_resolv_conf(){' >> /etc/dhcp3/dhclient-enter-hooks.d/nodnsupdate
echo ' :' >> /etc/dhcp3/dhclient-enter-hooks.d/nodnsupdate
echo '}' >> /etc/dhcp3/dhclient-enter-hooks.d/nodnsupdate
chmod +x /etc/dhcp3/dhclient-enter-hooks.d/nodnsupdate
ln -s /etc/dhcp3/dhclient-enter-hooks.d/nodnsupdate /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
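
As an added example (not from the original article), here is a per-interface variant of the nodnsupdate hook wrapped in a small constructed stand-in for dhclient-script so it can be run offline: dhclient-script exports $interface and $new_domain_name_servers, sources the enter hooks, and then calls make_resolv_conf. The hook only neuters that function for interfaces named in PROTECTED_IFACES (an assumed variable name), so the LAN lease on eth1 leaves resolv.conf alone while a lease on any other interface still applies its DNS.

```sh
#!/bin/sh
# Constructed stand-in for dhclient-script: the real script exports $interface
# and $new_domain_name_servers, sources /etc/dhcp/dhclient-enter-hooks.d/*,
# then calls make_resolv_conf. Writes go to a temp file, never /etc/resolv.conf.
RESOLV_CONF="${RESOLV_CONF:-$(mktemp)}"

# Reduced copy of what dhclient-script's make_resolv_conf does with the lease.
default_make_resolv_conf() {
    : > "$RESOLV_CONF"
    for ns in $new_domain_name_servers; do
        printf 'nameserver %s\n' "$ns" >> "$RESOLV_CONF"
    done
}

# Hook body (the per-interface variant of nodnsupdate). Only leases on the
# interfaces listed in PROTECTED_IFACES (assumed variable name) are stopped
# from touching resolv.conf; every other interface keeps the default behaviour.
PROTECTED_IFACES="${PROTECTED_IFACES:-eth1}"
nodnsupdate_hook() {
    for i in $PROTECTED_IFACES; do
        if [ "$interface" = "$i" ]; then
            make_resolv_conf() { :; }
            return 0
        fi
    done
    return 1
}

# One simulated dhclient-script run: interface name, then the lease's DNS list.
# A real run is a fresh process, so the default function is restored each time.
simulate_lease() {
    interface="$1"
    new_domain_name_servers="$2"
    make_resolv_conf() { default_make_resolv_conf; }
    nodnsupdate_hook || true
    make_resolv_conf
    cat "$RESOLV_CONF"
}

# Constructed static entry the admin wants preserved (documentation address).
printf 'nameserver 203.0.113.53\n' > "$RESOLV_CONF"

# LAN lease on the protected eth1: prints the untouched static entry.
simulate_lease eth1 192.168.0.1
```

Note that "protected" means the hook does not write resolv.conf at all; it does not restore a previous copy, so a lease on an unprotected interface still overwrites whatever is there.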

Last update: 2016-08-21 22:06
Author: Rod
Revision: 1.3