On Fri, Jul 16, 2021 at 10:35 PM Theo de Raadt <[email protected]> wrote:
> We are moving from a model where dhclient on 1 interface believes it is
> MASTER of /etc/resolv.conf and a bunch of system aspects, and the
> userbase is familiar with a pile of hacky control knobs in
> dhclient.conf.
>
> Towards a model where multiple interfaces + unwind can advertise their
> DNS resolution abilities to resolvd, which then sorts the offers and
> maintains a configuration.

On the surface this sounds good.

> Anyways I'll let other people you didn't show your config to explain how
> you are probably using pf incorrectly on interfaces configured with
> dynamic addressing.

Ah yes, my bad, I had a line without the parens around the dhcp interface
reference. This issue is resolved. Oddly enough it never affected many
previous snapshots which used dhcpcd in place of dhcpleased.

The issue with resolvd is still a bit perplexing, as if I allow it to run
it insists on prepending my ISP nameservers to the resolv.conf file, which
breaks the system.

Before the change:

========================
# Generated by em0 dhclient
search example.com
nameserver 127.0.0.1
lookup file bind
family inet4
========================
# $OpenBSD: dhclient.conf,v 1.2 2017/10/16 23:43:41 krw Exp $

supersede domain-name "example.com";
supersede domain-name-servers 127.0.0.1;
request subnet-mask, broadcast-address, routers;
require subnet-mask, routers;
========================

After the change with dhcpleased and resolvd:

========================
nameserver 75.75.75.75 # resolvd: em0
nameserver 75.75.76.76 # resolvd: em0
# Generated by em0 dhclient
search example.com
nameserver 127.0.0.1
lookup file bind
family inet4
========================

I run nsd and unbound on this system. unbound listens on the loopback and
on the internal interface to serve the network; it uses stub zones to the
local nsd and to a bunch of other internal network dns servers connected
via site-to-site vpn tunnels. My ISP's nameservers have no clue about my
internal systems or the other vpn connected internal systems that I need
to resolve, and there should be some way to prevent the ISP's nameservers
from being force prepended to resolv.conf, as the supersedes in
dhclient.conf are apparently ignored.

The workaround I found is resolvd_flags=NO in rc.conf.local, eliminating
the prepending of the ISP nameservers.

If there's a more acceptable proper OpenBSD solution it would be
preferred, but at this point I don't see what it is.

Chris
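As an added example, not from Chris's mail or from OpenBSD's own tooling: a small POSIX shell check that parses a resolv.conf in the format shown above and reports every nameserver, resolvd-tagged or static, that the libc resolver would query before the local one. The function names, the 127.0.0.1 local-resolver address passed as an argument, and the sample file contents (built from the "before" and "after" files in the mail) are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the mail or from OpenBSD: flag nameservers that
# resolv.conf lists ahead of the local resolver (e.g. unbound on 127.0.0.1),
# which is exactly what breaks a split-horizon setup after a lease renewal.

# Constructed sample: the "after" file from the mail (resolvd prepended
# two ISP nameservers learned on em0, each tagged "# resolvd: em0").
SAMPLE_RESOLV_CONF='nameserver 75.75.75.75 # resolvd: em0
nameserver 75.75.76.76 # resolvd: em0
# Generated by em0 dhclient
search example.com
nameserver 127.0.0.1
lookup file bind
family inet4'

# Constructed sample: the "before" file, local resolver first.
SAMPLE_RESOLV_CONF_OK='# Generated by em0 dhclient
search example.com
nameserver 127.0.0.1
lookup file bind
family inet4'

# first_nameserver CONTENT -> prints the address the resolver tries first.
first_nameserver() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# nameservers_before_local CONTENT LOCAL_ADDR
# Prints "<address> <source>" for every nameserver that precedes LOCAL_ADDR,
# where <source> is the interface from a "# resolvd: <if>" tag or "static".
# Returns 1 if any such entry exists, 0 if the local resolver comes first.
nameservers_before_local() {
    printf '%s\n' "$1" | awk -v local="$2" '
        $1 != "nameserver" { next }        # comments, search, lookup, family
        $2 == local        { exit }        # local resolver reached: done
        { src = ($0 ~ /# resolvd:/) ? $NF : "static"; print $2, src; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Stand-alone run against the constructed sample; on a live system pass
# "$(cat /etc/resolv.conf)" instead of the sample.
if nameservers_before_local "$SAMPLE_RESOLV_CONF" 127.0.0.1; then
    echo "ok: 127.0.0.1 is queried first"
else
    echo "warning: the entries above are queried before 127.0.0.1"
fi
```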

