How to prevent NetworkManager and other programs from modifying the /etc/resolv.conf file

The /etc/resolv.conf file contains a list of DNS servers that are used to resolve hostnames to IP addresses.

NetworkManager, which is responsible for making network connections, automatically rewrites the contents of this file. The replacement happens without notifying the user and can have unpleasant consequences: for example a DNS leak, which undermines anonymity, or queries bypassing your own caching DNS server.

Besides not using NetworkManager at all, you can forbid NetworkManager from changing the /etc/resolv.conf file in its own configuration.

To do this, open the file /etc/NetworkManager/NetworkManager.conf:

sudo gedit /etc/NetworkManager/NetworkManager.conf

and add the line dns=none to the [main] section. If there is no [main] section, add these lines:

[main]
dns=none

Restart NetworkManager:

sudo systemctl restart NetworkManager

Make a backup copy of the /etc/resolv.conf file:

sudo cp /etc/resolv.conf /etc/resolv.conf.backup

Then remove /etc/resolv.conf (this is important because it may be a symbolic link to a file elsewhere rather than a regular file; writing through the link would change that other file instead):

sudo rm -f /etc/resolv.conf

Then create a new /etc/resolv.conf with the content you want.
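The steps above as one script, added here as an example and not code from the original article. The NetworkManager.conf editing is done with awk so that it is idempotent (an existing dns= line in [main] is replaced, a missing [main] section is created); both functions take the file path as a parameter so they can be tried against scratch files before being pointed at the real ones.

```shell
#!/bin/bash
# Added example (not from the original article): make NetworkManager leave
# /etc/resolv.conf alone and install a hand-written resolv.conf.
# Paths are parameters so the functions can be exercised against a scratch dir.
set -eu

# Ensure "dns=none" is the dns setting of the [main] section of a
# NetworkManager.conf-style file. Creates the section when missing and drops
# any previous dns= line inside [main]; running it twice changes nothing.
set_nm_dns_none() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    awk '
        /^\[main\]/ { print; print "dns=none"; in_main = 1; seen_main = 1; next }
        /^\[/       { in_main = 0 }                      # any other section header
        in_main && /^[[:space:]]*dns[[:space:]]*=/ { next }  # drop the old dns= setting
        { print }
        END { if (!seen_main) { print "[main]"; print "dns=none" } }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Replace the target with a regular file holding the given nameservers.
# A symlink is removed first (writing through it would change the link target
# instead); an existing regular file is backed up as <target>.backup.
write_resolv_conf() {
    target="$1"; shift
    if [ -L "$target" ]; then
        rm -f "$target"
    elif [ -f "$target" ]; then
        cp -p "$target" "$target.backup"
    fi
    {
        echo "# hand-written resolv.conf; NetworkManager is configured with dns=none"
        for ns in "$@"; do
            echo "nameserver $ns"
        done
    } > "$target"
}

# Apply to the real system (needs root):
#   sudo ./nm-dns-none.sh apply 127.0.0.1
if [ "${1:-}" = "apply" ]; then
    shift
    set_nm_dns_none /etc/NetworkManager/NetworkManager.conf
    systemctl restart NetworkManager
    write_resolv_conf /etc/resolv.conf "$@"
fi
```

The script name nm-dns-none.sh and the nameserver 127.0.0.1 in the usage comment are placeholders; pass whatever resolvers you actually want.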

NetworkManager is forbidden to modify /etc/resolv.conf, but the file is still being overwritten

Unfortunately, besides NetworkManager, other programs can overwrite the /etc/resolv.conf file, and they do it silently, without displaying any warnings.

In my practice, this program turned out to be create_ap, launched without the --no-dns option. This program, or the dnsmasq it uses, overwrites the /etc/resolv.conf file without displaying any warnings or restoring it to its original state.

You can also block every program from changing the /etc/resolv.conf file.

First, make sure it's a real file and not a symbolic link:

ls -l /etc/resolv.conf

If it's a symbolic link, remove it:

sudo rm /etc/resolv.conf

Then re-create the /etc/resolv.conf file with the values you want.

To disable editing of the /etc/resolv.conf file entirely (even with superuser rights, until the attribute is removed again), set the immutable attribute:

sudo chattr +i /etc/resolv.conf

If you need to edit this file, run the command:

sudo chattr -i /etc/resolv.conf
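A small script for the lock step, added here as an example and not code from the original article. It refuses to set the flag while /etc/resolv.conf is still a symbolic link, so the attribute lands on the file the resolver actually reads, and it confirms the result by parsing the attribute column of lsattr output; the path parameter and the two helper names are this example's own.

```shell
#!/bin/bash
# Added example (not from the original article): lock /etc/resolv.conf with
# the immutable attribute and verify it. The path is a parameter so the checks
# can be exercised against a scratch file.
set -eu

# Succeeds when the path is a regular file and not a symbolic link.
is_regular_file() {
    [ ! -L "$1" ] && [ -f "$1" ]
}

# Parse one line of lsattr output, e.g. "----i---------e------- /etc/resolv.conf",
# and succeed when the immutable flag (lowercase i) is among the attributes.
lsattr_line_is_immutable() {
    flags=${1%% *}
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Set the immutable flag, refusing if the path is still a link, then verify.
lock_resolv_conf() {
    target=${1:-/etc/resolv.conf}
    if ! is_regular_file "$target"; then
        echo "$target is not a regular file; remove the link and recreate it first" >&2
        return 1
    fi
    chattr +i "$target"
    lsattr_line_is_immutable "$(lsattr "$target")"
}

# Remove the flag again when the file has to be edited.
unlock_resolv_conf() {
    chattr -i "${1:-/etc/resolv.conf}"
}

# Apply to the real file (needs root):
#   sudo ./lock-resolv.sh lock      sudo ./lock-resolv.sh unlock
case "${1:-}" in
    lock)   lock_resolv_conf ;;
    unlock) unlock_resolv_conf ;;
esac
```

The script name lock-resolv.sh is a placeholder. The immutable attribute needs ext4/xfs-style attribute support; on a filesystem without it chattr fails and lock_resolv_conf returns non-zero, which is the signal to fall back to the dns=none setting alone.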

How to find out which process is modifying the /etc/resolv.conf file

Install the auditd package, then add a watch rule and start the service (a rule added with auditctl lasts only until reboot; put it in a file under /etc/audit/rules.d/ to make it permanent):

sudo auditctl -w /etc/resolv.conf -p wa
sudo systemctl start auditd.service

To view the log entries, run the command:

sudo ausearch -f /etc/resolv.conf

For details, see the article “How to find out which process is modifying a file”.
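To make the watch permanent and to get a quick answer to "which program did it" from the audit records, here is an added example (not code from the original article or from the auditd project). It writes the rule into /etc/audit/rules.d/ with a key, and summarises raw audit records (the default ausearch output) into one line per distinct writer. The key name resolv-conf, the rules file name, and the sample records with their pids, paths and timestamps are constructed for this example.

```shell
#!/bin/bash
# Added example (not from the original article): make the audit watch on
# /etc/resolv.conf permanent and summarise which programs wrote to it.
# The rules directory is a parameter so the function can be tried in a scratch dir.
set -eu

# Write a persistent watch rule. "-k resolv-conf" tags matching records so
# they can be searched with "ausearch -k resolv-conf" and filtered below.
install_audit_rule() {
    rules_dir=${1:-/etc/audit/rules.d}
    printf -- '-w /etc/resolv.conf -p wa -k resolv-conf\n' > "$rules_dir/resolv-conf.rules"
}

# Read raw audit records on stdin and print one line per distinct writer:
# the first pid seen, the command name (comm) and the executable path (exe).
# Only SYSCALL records carrying our key are considered; PATH records and
# records with other keys are ignored.
audit_writers() {
    awk '
        /^type=SYSCALL / && /key="resolv-conf"/ {
            pid = comm = exe = ""
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                gsub(/"/, "", v)
                if (k == "pid") pid = v
                else if (k == "comm") comm = v
                else if (k == "exe") exe = v
            }
            id = comm " " exe
            if (!(id in seen)) { seen[id] = 1; print pid, comm, exe }
        }
    '
}

# Constructed sample records in the raw format auditd writes; the pids,
# timestamps and syscall arguments are made up for this example.
sample_audit_records() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd0000 a2=241 a3=1b6 items=2 ppid=1 pid=1234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" key="resolv-conf"
type=PATH msg=audit(1700000000.101:201): item=1 name="/etc/resolv.conf" inode=1 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd0000 a2=241 a3=1b6 items=2 ppid=1 pid=1234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" key="resolv-conf"
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd0000 a1=7ffd0100 a2=0 a3=0 items=4 ppid=1 pid=777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" key="resolv-conf"
type=SYSCALL msg=audit(1700000000.404:204): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1 pid=999 uid=0 comm="vim" exe="/usr/bin/vim" key="other"
EOF
}

# Live use (needs root):
#   install_audit_rule && augenrules --load
#   ausearch -k resolv-conf | audit_writers
if [ "${1:-}" = "demo" ]; then
    sample_audit_records | audit_writers
fi
```

On the constructed records the summary is two lines, dnsmasq and NetworkManager, because the duplicate dnsmasq record collapses and the vim record carries a different key. Note that the rename case (syscall 82 in the sample) is why the watch uses -p wa rather than w alone: a program that writes a temporary file and renames it over /etc/resolv.conf triggers the attribute-change watch, not a write.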
