How to prevent NetworkManager and other programs from modifying the /etc/resolv.conf file
May 16, 2021
The /etc/resolv.conf file contains a list of DNS servers that are used to resolve hostnames to IP addresses.
NetworkManager, which is responsible for making network connections, automatically changes the contents of this file. The replacement takes place without notifying the user and can lead to unpleasant consequences – for example, causing a DNS leak, which negatively affects anonymity. It can also disrupt your own caching DNS server.
In addition to the option not to use NetworkManager at all, you can specify in the settings of this program a prohibition on changing the /etc/resolv.conf file.
To do this, open the file /etc/NetworkManager/NetworkManager.conf:
sudo gedit /etc/NetworkManager/NetworkManager.conf
and add the dns=none line to the [main] group. If the [main] group is missing, then add the following lines:
[main]
dns=none
Restart NetworkManager:
sudo systemctl restart NetworkManager
Make a backup copy of the /etc/resolv.conf file:
sudo cp /etc/resolv.conf /etc/resolv.conf.backup
And then remove /etc/resolv.conf (this is important because it might be a link to a file, not the actual file):
sudo rm -f /etc/resolv.conf
And create a file /etc/resolv.conf with the content you want.
Modifying the /etc/resolv.conf file is prohibited for NetworkManager, but the /etc/resolv.conf file is still overwritten
Unfortunately, besides NetworkManager, other programs can overwrite the /etc/resolv.conf file, and they do it silently, without displaying any warnings.
In my practice, this program turned out to be create_ap, launched without the --no-dns option. This program, or the dnsmasq it uses, overwrites the /etc/resolv.conf file without displaying any warnings or restoring it to its original state.
It is possible to make a complete ban on changing the /etc/resolv.conf file for all programs.
First, make sure it's a real file and not a symbolic link:
ls -l /etc/resolv.conf
If it's a symbolic link, remove it:
sudo rm /etc/resolv.conf
Then re-create the /etc/resolv.conf file with the values you want.
To completely disable editing the /etc/resolv.conf file (even with superuser rights), run the command:
sudo chattr +i /etc/resolv.conf
If you need to edit this file, run the command:
sudo chattr -i /etc/resolv.conf
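As an added example that is not part of the article, the following POSIX shell functions check the measures described above (dns=none inside the [main] section of NetworkManager.conf, /etc/resolv.conf being a regular file rather than a symlink, and the immutable attribute) and apply the NetworkManager setting idempotently. The function names and the `.tmp` scratch file are my own choices, and the paths are taken as arguments so the checks can be run against copies instead of the live /etc files.

```shell
#!/bin/sh
# Added example (not from the article): check the resolv.conf protections and
# apply the NetworkManager one. Paths are parameters so test copies can be used.

# nm_dns_none CONF: succeed if CONF contains dns=none inside its [main] section
# (a dns=none in some other section does not count).
nm_dns_none() {
    awk '
        /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/); next }
        in_main && /^[ \t]*dns[ \t]*=[ \t]*none[ \t]*$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# nm_set_dns_none CONF: ensure [main] has dns=none. Any other dns= key in [main]
# is dropped so the setting is unambiguous; the section is created if missing.
nm_set_dns_none() {
    conf=$1
    nm_dns_none "$conf" && return 0
    if grep -q '^[[:space:]]*\[main\][[:space:]]*$' "$conf" 2>/dev/null; then
        awk '
            /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/) }
            in_main && /^[ \t]*dns[ \t]*=/ { next }
            { print }
            in_main && /^[ \t]*\[main\][ \t]*$/ { print "dns=none" }
        ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '\n[main]\ndns=none\n' >> "$conf"
    fi
}

# resolv_is_regular FILE: succeed if FILE is a real file, not a symlink or absent.
resolv_is_regular() { [ ! -L "$1" ] && [ -f "$1" ]; }

# resolv_is_immutable FILE: succeed if lsattr shows the immutable flag (chattr +i).
# Fails cleanly when lsattr is unavailable or the filesystem has no attributes.
resolv_is_immutable() {
    lsattr "$1" 2>/dev/null | awk '{ found = index($1, "i") > 0 } END { exit !found }'
}

# resolv_report CONF FILE: print one line per check; return 1 if any check fails.
resolv_report() {
    rc=0
    nm_dns_none "$1" && echo "ok   dns=none set in [main] of $1" || { echo "FAIL dns=none missing from [main] of $1"; rc=1; }
    resolv_is_regular "$2" && echo "ok   $2 is a regular file" || { echo "FAIL $2 is a symlink or missing"; rc=1; }
    resolv_is_immutable "$2" && echo "ok   $2 is immutable" || { echo "FAIL $2 is not immutable (chattr +i)"; rc=1; }
    return $rc
}
# Usage: resolv_report /etc/NetworkManager/NetworkManager.conf /etc/resolv.conf
```

Run the report as root after following the steps above; the immutable check only passes once chattr +i has been applied.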
How to find out which process is modifying the /etc/resolv.conf file
Install the auditd package, then run the commands:
sudo auditctl -w /etc/resolv.conf -p wa
sudo systemctl start auditd.service
To view the log entries, run the command:
sudo ausearch -f /etc/resolv.conf
For details, see the article “How to find out which process is modifying a file”.