Using Unbound setup to allow for local DNS resolution, how to prevent /etc/resolv.conf from being changed by Network Manager

I’ve been reading posts at https://wiki.archlinux.org/index.php/Unbound to configure my Manjaro Gnome Linux install to use local DNS resolution.

I tried the two following options, but I do continue to see Network Manager overwrite the /etc/resolv.conf file:

(1) chattr +i /etc/resolv.conf

(2) Putting the preferred DNS of 127.0.0.1 in the /etc/systemd/resolved.conf file, but I notice the /etc/resolv.conf file continues to be overwritten by Network Manager. Maybe this is expected?

That being said, I found the following solution. I’d like to get some feedback on whether this is the best option for someone using Manjaro:

By default, NetworkManager Linux dynamically updates the /etc/resolv.conf file with the DNS settings from active NetworkManager connection profiles. This section describes different options on how to disable this feature to manually configure DNS settings in /etc/resolv.conf.

(1) Create the 90-dns-none.conf configuration file.

sudo touch /etc/NetworkManager/conf.d/90-dns-none.conf

(2) Add the following text to the 90-dns-none.conf file.

sudo nano /etc/NetworkManager/conf.d/90-dns-none.conf

[main]
dns=none

(3) Update the /etc/resolv.conf file to use local system for DNS resolution

sudo nano /etc/resolv.conf

nameserver ::1
nameserver 127.0.0.1
options trust-ad

(4) Restart the Network Manager

systemctl reload NetworkManager

Source:

https://wiki.archlinux.org/index.php/Domain_name_resolution#Overwriting_of_/etc/resolv.conf

Never do this.
sudo is not for gui applications.

Otherwise your stuff looks like it might be alright. I think maybe some of your confusion might have come from systemd-resolved? In any case, a lot of what you wrote above depends on your resolve method.
(openresolv vs systemd-resolved, systemd-resolvconf)

Since I have used dnscrypt-proxy for a long time, if I recall correctly, I solved it by editing /etc/NetworkManager/conf.d/dns.conf

And adding, under the [main] section, the following entry:
dns=none

Reference: NetworkManager - ArchWiki

Try using systemd-resolved - ArchWiki .
It is recommended to do: sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
And afterwards: systemctl enable --now systemd-resolved

After this you can check your resolver settings using: resolvectl status

Thank you for your solution. The reason I did not choose this option originally was the issues with DNSSEC support:

Source:

https://www.phoronix.com/scan.php?page=news_item&px=F33-systemd-resolved-Sticks

https://bugzilla.redhat.com/show_bug.cgi?id=1879028

@D.Dave @cscs

I used the following command to verify that I am using openresolv:

systemctl status systemd-resolved.service

systemd-resolved.service - Network Name Resolution
Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:systemd-resolved.service(8)
https://www.freedesktop.org/wiki/Software/systemd/resolved
https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients

Technically my goal is to choose the best method to support an Unbound setup with DNSSEC. I’m doing some more reading here to see if I can figure out what works best with openresolv/Unbound:

https://roy.marples.name/projects/openresolv/configuration.html#dnsmasq

If I should be using D.Dave's recommendation, please chime in :slight_smile:

Try it out and check ; you are always able to switch back :mobile_phone_off::grin:

Hi Dave,

I think the reason I was having doubts is reading this (Unbound - ArchWiki):

Make sure to protect /etc/resolv.conf from modification as described in Domain name resolution#Overwriting of /etc/resolv.conf.

Tip: A simple way to do this is to install openresolv and configure /etc/resolvconf.conf :

/etc/resolvconf.conf

name_servers="::1 127.0.0.1"
resolv_conf_options="trust-ad"

Then run resolvconf -u to generate /etc/resolv.conf .

So this is why originally I had thought I did not have to do anything to prevent Network Manager from overwriting the file. Then when the file changed I ended up finding the Redhat solution.

I gave the below solution a try, but in this case Network Manager completely cleared all the contents of resolv.conf.

Note that before I tested this solution I:

(1) Deleted my /etc/NetworkManager/conf.d/90-dns-none.conf

(2) Rebooted my system.

(3) Made sure /etc/resolvconf.conf file had the right contents.

(4) Ran "sudo resolvconf -u" to update the /etc/resolv.conf file.

(5) Then verified the correct configuration was in the /etc/resolv.conf

I followed the Great Arch Wiki’s suggestions (and also meticulously verified them to suit my needs) to avoid the overwhelming of /etc/resolv.conf by NetworkManager, independently of specific needs.

As the title of your topic states, you asked how to prevent/stop NetworkManager from touching /etc/resolv.conf.

Furthermore, doing a chattr on a system file, is discouraged.

Anyway, despite your specific needs, keep in mind that, when any modification of the system is done, other than keeping track of edits, it is good practice to take a backup of every involved file and command.

Thanks D Dave. When you work in the IT industry, well, check-ins and backups are our thing. The big picture for me here is making sure at the end of this discussion that other end users can have 1 complete solution.

That being said, I think the group of us can agree a number of factors can cause the /etc/resolv.conf to be modified. I re-implemented the "/conf.d/90-dns-none.conf" file and noticed Network Manager blew away my resolv.conf too.

So I decided to re-do my suggested solution from the very beginning, and that did not blow away resolv.conf. The missing step was "systemctl reload NetworkManager". It makes me wonder whether, if we use your or my solution with this additional step, this would make all the difference? How would a regular end user figure this one out? Could one of our solutions be deprecated? Seems to be proof of how results between systems and end users can be inconsistent.

Thanks again everyone for your help.


Final Solution

Note:

  • Assume your system is using openresolv to manage your /etc/resolv.conf file.

By default, NetworkManager Linux dynamically updates the /etc/resolv.conf file with the DNS settings from active NetworkManager connection profiles. This section describes different options on how to disable this feature to manually configure DNS settings in /etc/resolv.conf.

(1) Create the 90-dns-none.conf configuration file.

sudo touch /etc/NetworkManager/conf.d/90-dns-none.conf

(2) Add the following text to the 90-dns-none.conf file.

sudo nano /etc/NetworkManager/conf.d/90-dns-none.conf

[main]
dns=none

(3) Update the /etc/resolv.conf file to use local system for DNS resolution

sudo nano /etc/resolv.conf

nameserver ::1
nameserver 127.0.0.1
options trust-ad

(4) Restart the Network Manager

systemctl reload NetworkManager

Source:

Red Hat Customer Portal

Chapter 29. Manually configuring the /etc/resolv.conf file Red Hat…


https://wiki.archlinux.org/index.php/Domain_name_resolution#Overwriting_of_/etc/resolv.conf
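As an added example (not code from the thread, NetworkManager or openresolv): a small shell script that applies the final solution's two files under a chosen root directory and then checks whether /etc/resolv.conf has since been overwritten or emptied, which is the failure mode reported above. The function names and the ROOT parameter are this example's own; with ROOT=/ as root it configures the real system, after which you still run `systemctl reload NetworkManager`, and with ROOT set to a temporary directory it dry-runs without touching anything.

```shell
# Write the NetworkManager drop-in and the loopback-only resolv.conf under $1
# (default "/"). Content matches the thread's 90-dns-none.conf and resolv.conf.
apply_local_dns() {
    root="${1:-/}"
    nm_dir="$root/etc/NetworkManager/conf.d"
    mkdir -p "$nm_dir" "$root/etc"
    # Tell NetworkManager to leave resolv.conf alone
    printf '[main]\ndns=none\n' > "$nm_dir/90-dns-none.conf"
    # Point the stub resolver only at the local Unbound; trust-ad keeps the
    # AD (DNSSEC authenticated data) bit from a loopback server
    printf 'nameserver ::1\nnameserver 127.0.0.1\noptions trust-ad\n' \
        > "$root/etc/resolv.conf"
}

# Return 0 if the configuration is still intact, 1 if the drop-in is missing,
# resolv.conf has no nameserver at all (the "cleared" case in the thread), or
# any nameserver is not a loopback address (something re-populated the file).
check_local_dns() {
    root="${1:-/}"
    conf="$root/etc/NetworkManager/conf.d/90-dns-none.conf"
    resolv="$root/etc/resolv.conf"
    grep -qx 'dns=none' "$conf" 2>/dev/null \
        || { echo "drop-in $conf lacks dns=none"; return 1; }
    grep -q '^nameserver' "$resolv" 2>/dev/null \
        || { echo "$resolv has no nameserver line"; return 1; }
    # Print and flag every nameserver that is not ::1 or 127.0.0.1
    if grep '^nameserver' "$resolv" \
        | grep -Ev '^nameserver[[:space:]]+(127\.0\.0\.1|::1)[[:space:]]*$'; then
        echo "$resolv points at a non-loopback resolver"; return 1
    fi
    return 0
}
```

Running check_local_dns from a cron job or after each reboot gives a quick, scriptable answer to "did Network Manager overwrite the file again?" without reading it by hand.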
