On 30/09/2020 05:53, Ralph wrote:
Hello!
[os Leap 15.2, xfce, Network Manager, Firefox 78.3.0esr, IPV4 only]
A (probably totally ignorant) DNS question: which resolver(s) will this system be actually using?
If you mean your Linux system then that's defined by the machine's /etc/resolv.conf and the /etc/nsswitch.conf. The C level routine to get host by name starts by looking at /etc/nsswitch.conf. I have mine set to

hosts: files dns
networks: files dns

so I can over-ride specific sites. My /etc/resolv.conf reads

nameserver 127.0.0.1

which means that I use a locally defined nameserver, in this case 'dnsmasq', which does a large number of smart things including integrating the dynamic entries for DHCP in a much easier manner than BIND. Your needs might vary. Oh, and does good security stuff without the crypto stuff that BIND needs. Much easier to manage :-) Of course you might mean something different when you talk of 'SYSTEM'. We often encounter problems with language imprecision here.
A system has an Arris SURFboard cable modem, SBG7400AC2. This is an AC2350Mbps combined router/modem. Though it's owned, the ISP can and does change the firmware not so infrequently (DOCSIS 3).
Ah, "SYSTEM". But your applications on your Linux hosts don't know anything about this. As far as they are concerned it's irrelevant. If your applications use the standard C library then they use gethostbyname(3) and that goes via nsswitch.conf/resolv.conf. Now it *IS* possible to configure your nameserver to be your router, in which case whatever your ISP has set or you have over-ridden, comes into play. Is that how you have your /etc/resolv.conf set up?
This modem has a firmware option to turn off the ISP's two resolvers and enter my own resolvers (up to three) but doing so is flaky: change it, save/reload, and the ISP's resolver addresses return to the display.
OUCH. So this isn't a recommended router. Does your ISP allow any other DOCSIS 3 compliant router? There are some nice, capable ones around.
In frustration I removed it from the power line. I got busy with something else and didn't get back to this for about 6 hours. Plugged in the power and, hello, my own resolver addresses were now displayed in the 'change resolver' section as the current running set. Good. But the section of the router/modem firmware that displays the current 'System Information' still displays the ISP's resolvers.
OUCH. So you don't know what to believe.
Network Manager's gui (right-click) 'Connection Information' displays my chosen resolvers in the order I set them in the modem/router firmware.
Wait! Are you talking about 'Network Manager' on the router or on Linux?
In dhclient.conf I have a 'prepend domain-name-servers' with the wanted resolvers (in reverse order so I can tell the effect, if any) but it appears this isn't being imposed.
I presume you are talking about /etc/dhclient.conf on your Linux host. So we are talking about DHCP now, not DNS. That drags in a whole new can of worms. Personally I see this as an irrelevancy to what we are discussing. That you're concerned with it makes it clear you don't understand how your host does name resolution and management of same.
In Network Manager's gui 'Edit Connection / Editing ... / IPV4 Settings / Additional DNS servers' I have not added anything, but here's another place to set resolvers.
Yes, and there's YaST as well. But while the NetworkManager keeps its own record of what it has done, it is YetAnotherFrontEnd to putting entries into /etc/resolv.conf. You can also use such front ends to /etc/resolv.conf and /etc/nsswitch.conf and /etc/hosts and /etc/networks and /etc/ethers as VI, GVIM, ED, KATE, NEDIT, GEDIT, and many more that achieve the same ends as YaST and NetworkManager, but without the consistency checks. Nevertheless, some of us favour that technique over the GUI.
I'm wondering if the ISP's docsis tinkering may be the final overriding one (he who controls the firmware controls the world...)
I suppose it is possible that there is code in the router, not so very different from the code the US State Department claims is in the Huawei routers, that intercepts certain addresses or protocols and redirects them. This would, of course, be an invasion of privacy and would break the function of the Internet. I can't think of a way to test all possible second, third and lower tier DNS servers by address, but it is easy enough to test outgoing DNS queries. Set up your own external server that 'fakes out' a query to port 53/UDP using 'netcat'. If DNS queries are being intercepted & redirected then it won't get to your fake server.

-- 
“Reality is so complex, we must move away from dogma, whether it’s conspiracy theories or free-market,” -- James Glattfelder. http://jth.ch/jbg
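As an added example (not part of this thread, and not anything Ralph or the replier posted), the following POSIX shell script reads the two files named above, /etc/nsswitch.conf and /etc/resolv.conf, and reports what a glibc-based host will actually use: the 'hosts' lookup order, the nameservers in the order they are tried, whether the first one is a local daemon such as dnsmasq, and any nameserver lines glibc will ignore (its resolver honours at most the first three). The file contents are constructed samples written to a temporary directory so the script runs offline; on a real host call the functions with the real paths.

```shell
#!/bin/sh
# Added example, not code from the thread: show which resolvers a glibc-based
# host will actually use by reading nsswitch.conf and resolv.conf.
# Sample file contents are constructed below so this runs offline; on a real
# host pass /etc/nsswitch.conf and /etc/resolv.conf to report() instead.

# Lookup order for the 'hosts' database, e.g. "files dns".
hosts_order() {
    sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' "$1" | head -n 1
}

# Nameservers in the order glibc tries them. The glibc resolver honours at
# most three nameserver lines (MAXNS); the rest are silently ignored.
active_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1" | head -n 3
}

# Nameserver lines past the third: configured but never consulted.
ignored_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1" | tail -n +4
}

# Classify the first resolver. A loopback address means a local daemon
# (dnsmasq, systemd-resolved, ...) answers, and its upstreams live in that
# daemon's own config, not in resolv.conf.
first_resolver_kind() {
    first=$(active_nameservers "$1" | head -n 1)
    case "$first" in
        127.*|::1) echo "local" ;;
        "")        echo "none" ;;
        *)         echo "remote" ;;
    esac
}

report() {
    nss=$1; rc=$2
    echo "hosts lookup order : $(hosts_order "$nss")"
    echo "first resolver     : $(first_resolver_kind "$rc")"
    echo "active nameservers :"
    active_nameservers "$rc" | sed 's/^/    /'
    ignored=$(ignored_nameservers "$rc")
    if [ -n "$ignored" ]; then
        echo "ignored (beyond glibc's limit of 3): $(echo "$ignored" | tr '\n' ' ')"
    fi
}

# --- constructed sample input (not real host configuration) ---------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:   compat
hosts:    files dns
networks: files dns
EOF
# A resolv.conf as a DHCP client might write it, with one entry too many.
cat > "$SAMPLE_DIR/resolv.conf" <<'EOF'
# Generated by NetworkManager (constructed sample)
search example.lan
nameserver 9.9.9.9
nameserver 1.1.1.1
nameserver 8.8.8.8
nameserver 192.0.2.1
EOF
# A resolv.conf pointing at a local forwarder such as dnsmasq.
cat > "$SAMPLE_DIR/resolv-local.conf" <<'EOF'
nameserver 127.0.0.1
EOF

report "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/resolv.conf"
echo
report "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/resolv-local.conf"
```

The point of the "ignored" line is the trap in the thread: a front end (NetworkManager, dhclient's prepend, YaST) can happily write a fourth or fifth nameserver into resolv.conf and the GUI will display it, but glibc never asks it, so what is shown and what is used differ.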