Re: dns priority from different network connections - or disabling?

2023-04-12 Thread Theo de Raadt
Stuart Henderson  wrote:

> There is a complication in Kaya's case because if my handle on the
> config is correct, there are likely to be nameservers learned from
> both DHCP (in one rdomain) and PPPOE (in another), but they won't
> work on the opposite connection.
> 
> In this situation I would disable resolvd (and for the sake of an
> easy life, probably use some public resolver accessible from both
> ISPs).


Or, we can design a new language, write a 500 line yacc parser, and add
50K of binary to a daemon which is always running probably even a
SIGHUP handler to reload the configuration, right?  To allow the 1% of
users to specify a POLICY.

And maybe there will be a hole in all that complex code, but yolo!

Or, we can say no, this is supposed to be kept simple.

The 1% should not burden the 99%



Re: dns priority from different network connections - or disabling?

2023-04-12 Thread Theo de Raadt
Kaya Saman  wrote:

> Like I mentioned previously, it may have had something to do with me
> running: sh /etc/netstart pppoe0 a few times after the system had been
> booted. I was at the time trying to make use of 2 ISPs and route
> accordingly per subnet or even IP address. It might have even been
> triggered by my altering of the pf.conf file... they are the only two
> things that I have been touching.

resolvd does not care about how many special route messages it receives
about the DNS resolver.  Each time it receives one, it will update
resolv.conf to contain the newest heuristically-ordered list.

> What I meant by *override* is that the default behavior that I had set
> the machine up for was not being seen. The information which I have
> input into /etc/resolv.conf has not changed for years.

If resolvd is running, dynamically learned entries will be put at the
top of the file, and the manually managed contents will be left intact
below that.  libc resolver semantics use the first record, and only
fall through to lower entries if there are problems.

> All I was trying to figure out is why the resolv.conf file was not
> being used and instead the information obtained through ipcp was being
> used for dns lookups. If I had caused it that's fine but I didn't
> understand what I did to have caused it and was just seeking help and
> advice that maybe someone might suggest things to try.

resolv.conf is always used.

The new addresses are placed at the top.

If you don't like that, disable resolvd.

But what you are trying to do here is not functional for 99% of users.

> Potentially, would it be a good idea to have a setting to disable the
> dns or other information obtained by ipcp within the kernel ppp
> codeset? I just might be in the minority here so please feel free to
> ignore, it's fine, I'm just thinking out loud.

yes we'll write such a diff JUST FOR YOU!  It will contain an

#ifdef kayasaman
...
#endif

And then you can compile a new kernel.  You happy?  You can consider
it like a "configuration file, for the 0.001% of users who want it
to act different".



Re: dns priority from different network connections - or disabling?

2023-04-12 Thread Stuart Henderson
On 2023/04/12 13:20, Theo de Raadt wrote:
> Stuart Henderson  wrote:
> 
> > On 2023-04-11, Theo de Raadt  wrote:
> > > Kaya Saman  wrote:
> > >
> > >> This somehow is overriding my resolv.conf file; in other words the
> > >> information is *not* being used from resolv.conf and is instead being
> > >> used from the ipcp negotiation as part of the pppoe kernel module.
> > >
> > > then the pppoe code should submit a RTM_PROPOSAL route message ...
> > 
> > it does.
> > 
> > i still don't see how this information can *override* resolv.conf
> 
> But I do not understand what "override" means.  resolvd intentionally
> has NO MECHANISM to allow choice, the list of addresses is chosen by a
> fixed internal heuristic, INTENTIONALLY without configuration knobs.
> There is one knob:  If one doesn't want resolvd semantics, stop the
> daemon.  So easy.  But by default, the system runs with it, because
> that means 99% of users get the semantics which satisfy 99% of
> users without having to handle a configuration file.
> 
> What I don't understand from the complaint is why that pppoe dynamic
> address doesn't rise to the top of the file, because dynamic requests
> of that kind always rise to the top.  Therefore they get used.
> 
> So if it isn't in the file, then something else has been broken, probably
> by the user, right?
> 
> But it is probably best to ignore this entire discussion because some
> piece of configuration has been done to BREAK the default behaviour,
> and then the user owns all the pieces.
> 
> 

There is a complication in Kaya's case because if my handle on the
config is correct, there are likely to be nameservers learned from
both DHCP (in one rdomain) and PPPOE (in another), but they won't
work on the opposite connection.

In this situation I would disable resolvd (and for the sake of an
easy life, probably use some public resolver accessible from both
ISPs).



Re: dns priority from different network connections - or disabling?

2023-04-12 Thread Kaya Saman



On 4/12/23 20:20, Theo de Raadt wrote:
> Stuart Henderson  wrote:
>
>> On 2023-04-11, Theo de Raadt  wrote:
>>> Kaya Saman  wrote:
>>>
>>>> This somehow is overriding my resolv.conf file; in other words the
>>>> information is *not* being used from resolv.conf and is instead being
>>>> used from the ipcp negotiation as part of the pppoe kernel module.
>>>
>>> then the pppoe code should submit a RTM_PROPOSAL route message ...
>>
>> it does.
>>
>> i still don't see how this information can *override* resolv.conf
>
> But I do not understand what "override" means.  resolvd intentionally
> has NO MECHANISM to allow choice, the list of addresses is chosen by a
> fixed internal heuristic, INTENTIONALLY without configuration knobs.
> There is one knob:  If one doesn't want resolvd semantics, stop the
> daemon.  So easy.  But by default, the system runs with it, because
> that means 99% of users get the semantics which satisfy 99% of
> users without having to handle a configuration file.
>
> What I don't understand from the complaint is why that pppoe dynamic
> address doesn't rise to the top of the file, because dynamic requests
> of that kind always rise to the top.  Therefore they get used.
>
> So if it isn't in the file, then something else has been broken, probably
> by the user, right?
>
> But it is probably best to ignore this entire discussion because some
> piece of configuration has been done to BREAK the default behaviour,
> and then the user owns all the pieces.


Hi Theo, I apologize if it sounded like a complaint?? It was not meant
to be, honestly.

Like I mentioned previously, it may have had something to do with me
running: sh /etc/netstart pppoe0 a few times after the system had been
booted. I was at the time trying to make use of 2 ISPs and route
accordingly per subnet or even IP address. It might have even been
triggered by my altering of the pf.conf file... they are the only two
things that I have been touching.

What I meant by *override* is that the default behavior that I had set
the machine up for was not being seen. The information which I have
input into /etc/resolv.conf has not changed for years.

I accept maybe I fiddled with things and caused unwanted behavior... it
can happen.

All I was trying to figure out is why the resolv.conf file was not being
used and instead the information obtained through ipcp was being used
for dns lookups. If I had caused it that's fine but I didn't understand
what I did to have caused it and was just seeking help and advice that
maybe someone might suggest things to try.

But as it is, the system is back to how I want it to be so for sure
please feel free to ignore the thread. There is no more problem ;-)

Thanks for chiming in by the way, it is appreciated.

Potentially, would it be a good idea to have a setting to disable the dns
or other information obtained by ipcp within the kernel ppp codeset? I
just might be in the minority here so please feel free to ignore, it's
fine, I'm just thinking out loud.

Regards,

Kaya



Re: dns priority from different network connections - or disabling?

2023-04-12 Thread Theo de Raadt
Stuart Henderson  wrote:

> On 2023-04-11, Theo de Raadt  wrote:
> > Kaya Saman  wrote:
> >
> >> This somehow is overriding my resolv.conf file; in other words the
> >> information is *not* being used from resolv.conf and is instead being
> >> used from the ipcp negotiation as part of the pppoe kernel module.
> >
> > then the pppoe code should submit a RTM_PROPOSAL route message ...
> 
> it does.
> 
> i still don't see how this information can *override* resolv.conf

But I do not understand what "override" means.  resolvd intentionally
has NO MECHANISM to allow choice, the list of addresses is chosen by a
fixed internal heuristic, INTENTIONALLY without configuration knobs.
There is one knob:  If one doesn't want resolvd semantics, stop the
daemon.  So easy.  But by default, the system runs with it, because
that means 99% of users get the semantics which satisfy 99% of
users without having to handle a configuration file.

What I don't understand from the complaint is why that pppoe dynamic
address doesn't rise to the top of the file, because dynamic requests
of that kind always rise to the top.  Therefore they get used.

So if it isn't in the file, then something else has been broken, probably
by the user, right?

But it is probably best to ignore this entire discussion because some
piece of configuration has been done to BREAK the default behaviour,
and then the user owns all the pieces.




Re: dns priority from different network connections - or disabling?

2023-04-12 Thread Stuart Henderson
On 2023-04-11, Theo de Raadt  wrote:
> Kaya Saman  wrote:
>
>> This somehow is overriding my resolv.conf file; in other words the
>> information is *not* being used from resolv.conf and is instead being
>> used from the ipcp negotiation as part of the pppoe kernel module.
>
> then the pppoe code should submit a RTM_PROPOSAL route message ...

it does.

i still don't see how this information can *override* resolv.conf



Re: dns priority from different network connections - or disabling?

2023-04-11 Thread Theo de Raadt
Kaya Saman  wrote:

> This somehow is overriding my resolv.conf file; in other words the
> information is *not* being used from resolv.conf and is instead being
> used from the ipcp negotiation as part of the pppoe kernel module.

then the pppoe code should submit a RTM_PROPOSAL route message ...



Re: dns priority from different network connections - or disabling?

2023-04-11 Thread Kaya Saman

Thanks Stu, and everyone else who responded :-)


On 4/11/23 09:01, Stuart Henderson wrote:
> On 2023-04-10, Kaya Saman  wrote:
>> On 4/10/23 16:24, Daniele B. wrote:
>>> Apr 10, 2023 12:52:22 Kaya Saman :
>>>
>>>> how do I override OpenBSD's
>>>> behavior to explicitly not use the dns servers obtained through ipcp but
>>>> instead use the ones from the resolv.conf file?
>>>
>>> My solution both for security reasons (I'm using unbound)
>>> and for practical reasons (as per your concerns) is to set immutable
>>> resolv.conf by chflags.
>>>
>>> Not the Solution but a very good workaround. Please investigate also
>>> when you can take off the immutable flag too.
>>>
>>> I take this time to wish you all a Happy Easter and obviously
>>> lots of compliments for the 54th release of the ball fish system!
>>
>> Do you mean setting resolv.conf as ReadOnly?
>
> immutable is different, see chflags(1) schg. Used to be popular with
> FreeBSD users to make it harder to change the kernel. Can only be
> reset if sysctl kern.securelevel is at a low level (usually by booting
> single user). I wouldn't recommend it here.

Oh ok... I'll check it out - I understood file permissions?

>> My resolv.conf file is fine and has the correct dns servers inside.
>>
>> The issue is that pppoe negotiates the dns servers through ipcp. The dns
>> servers therefore do *not* get loaded into the resolv.conf file but
>> instead show up under: ifconfig pppoe0
>>
>> This somehow is overriding my resolv.conf file; in other words the
>> information is *not* being used from resolv.conf and is instead being
>> used from the ipcp negotiation as part of the pppoe kernel module.
>>
>> The question is how to disable this behavior?
>
> If resolvd is running (on by default) and unwind is running (off by
> default), resolv.conf will point to 127.0.0.1 for unwind (with some
> commented-out entries for other learned nameservers), and unwind
> will normally learn forwarders from various sources including a pppoe
> connection.
>
> If resolvd is running and unwind is not running, resolvd will rewrite
> resolv.conf while it's running to include nameservers learnt from
> pppoe etc.
>
> The only place most of the rest of the system looks for resolvers
> is in resolv.conf so what you describe ("resolv.conf is fine") seems
> unlikely. Double check what's actually in resolv.conf while pppoe is
> connected?
>
> To override learned nameservers, it depends whether you want to run
> unwind on the system (used for resolution on localhost only) - if so,
> use unwind.conf to set specific forwarders. If not, disable resolvd.
>
> Check resolvd and unwind manpages for more info about what each does.




Perhaps I wasn't clear and confused everyone?

In the meantime I read both manpages of resolv.conf and unwind.

As far as I can understand unwind points to a remote resolver unless
something goes wrong where it then looks for one defined locally.

In my resolv.conf I have 3x local dns servers (same subnet I know I
know) defined:

x.x.x.1
x.x.x.2
x.x.x.3

*but* my system was using:

A.A.A.1
A.A.A.2

from my ISP which it acquired through ipcp from pppoe.

Possibly this behavior started while I messed with things and performed
a: sh /etc/netstart pppoe0

Nothing got written to resolv.conf but the system was using the ISP
acquired servers.

I ran a quick test of unwind and popped: x.x.x.1 into it. Nothing seemed
to have changed as the resolution was still being carried out on the ISP
dns machines.

Re-checking resolv.conf it seemed that the ISP entries had actually been
written there in the end? Does unwind do this?

I just simply deleted them and now the system works as before using my
locally defined systems.

Strange issue and behavior but solved for now. Just reconfirmed using
nslookup right now on the obsd box and all is fine :-D

Many thanks.

Kaya



Re: dns priority from different network connections - or disabling?

2023-04-11 Thread Stuart Henderson
On 2023-04-10, Kaya Saman  wrote:
>
> On 4/10/23 16:24, Daniele B. wrote:
>> Apr 10, 2023 12:52:22 Kaya Saman :
>>
> how do I override OpenBSD's
> behavior to explicitly not use the dns servers obtained through ipcp but
> instead use the ones from the resolv.conf file?
>> My solution both for security reasons (I'm using unbound)
>> and for practical reasons (as per your concerns) is to set immutable
>> resolv.conf by chflags.
>>
>> Not the Solution but a very good workaround. Please investigate also
>> when you can take off the immutable flag too.
>>
>> I take this time to wish you all a Happy Easter and obviously
>> lots of compliments for the 54th release of the ball fish system!
>>
>
> Do you mean setting resolv.conf as ReadOnly?

immutable is different, see chflags(1) schg. Used to be popular with
FreeBSD users to make it harder to change the kernel. Can only be
reset if sysctl kern.securelevel is at a low level (usually by booting
single user). I wouldn't recommend it here.

> My resolv.conf file is fine and has the correct dns servers inside.
>
> The issue is that pppoe negotiates the dns servers through ipcp. The dns
> servers therefore do *not* get loaded into the resolv.conf file but
> instead show up under: ifconfig pppoe0
>
> This somehow is overriding my resolv.conf file; in other words the
> information is *not* being used from resolv.conf and is instead being
> used from the ipcp negotiation as part of the pppoe kernel module.
>
> The question is how to disable this behavior?

If resolvd is running (on by default) and unwind is running (off by
default), resolv.conf will point to 127.0.0.1 for unwind (with some
commented-out entries for other learned nameservers), and unwind
will normally learn forwarders from various sources including a pppoe
connection.

If resolvd is running and unwind is not running, resolvd will rewrite
resolv.conf while it's running to include nameservers learnt from
pppoe etc.

The only place most of the rest of the system looks for resolvers
is in resolv.conf so what you describe ("resolv.conf is fine") seems
unlikely. Double check what's actually in resolv.conf while pppoe is
connected?

To override learned nameservers, it depends whether you want to run
unwind on the system (used for resolution on localhost only) - if so,
use unwind.conf to set specific forwarders. If not, disable resolvd.

Check resolvd and unwind manpages for more info about what each does.
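The behaviour Theo describes earlier in the thread (learned entries are put at the top of resolv.conf, the manually managed lines stay intact below, and the libc resolver uses the first record) and Stuart's advice just above to check what is actually in resolv.conf while pppoe is up are easy to reason about with a small model. The following Python is an added illustration, not OpenBSD's resolvd or libc code; the trailing "# resolvd: <ifname>" tag on learned lines, the addresses, and the check_policy helper are assumptions constructed for the example.

```python
"""Model of how nameservers learned from the network interact with a
hand-maintained /etc/resolv.conf, following what the thread describes.

Added illustration, not OpenBSD's resolvd or libc resolver code.
Assumption: learned entries carry a trailing "# resolvd: <ifname>" comment;
the tag format and every address below are constructed for this example.
"""

from typing import List, Optional, Tuple

LEARNED_TAG = "resolvd:"  # assumption: marker on learned nameserver lines

# Constructed stand-in for Kaya's static x.x.x.1-3 entries.
STATIC_RESOLV_CONF = """\
# hand-maintained, unchanged for years
nameserver 192.0.2.1
nameserver 192.0.2.2
nameserver 192.0.2.3
lookup file bind
"""

# Constructed stand-in for the A.A.A.1/A.A.A.2 addresses IPCP hands out on pppoe0.
PPPOE_PROPOSAL = [("pppoe0", "198.51.100.1"), ("pppoe0", "198.51.100.2")]

# The resolvers the administrator actually wants lookups to go to.
EXPECTED_RESOLVERS = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]


def parse_entries(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (address, source) for each nameserver line in file order.
    source is the interface from the learned tag, or None for a static line."""
    entries: List[Tuple[str, Optional[str]]] = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        words = body.split()
        if len(words) >= 2 and words[0] == "nameserver":
            comment = comment.strip()
            source = None
            if comment.startswith(LEARNED_TAG):
                source = comment[len(LEARNED_TAG):].strip()
            entries.append((words[1], source))
    return entries


def nameservers(text: str) -> List[str]:
    """Addresses in the order libc will try them: the first record wins,
    later ones are only fallbacks when the first fails."""
    return [addr for addr, _ in parse_entries(text)]


def effective_resolver(text: str) -> Optional[str]:
    """The resolver lookups will actually go to (None if no nameserver line)."""
    ns = nameservers(text)
    return ns[0] if ns else None


def strip_learned(text: str) -> str:
    """The file with the learned lines removed: what Kaya did by hand, and
    what is left once no daemon is rewriting the file."""
    kept = [ln for ln in text.splitlines()
            if not ln.partition("#")[2].strip().startswith(LEARNED_TAG)]
    return "\n".join(kept) + "\n"


def merge_learned(text: str, proposal: List[Tuple[str, str]]) -> str:
    """Emulate the behaviour described in the thread: a new proposal replaces
    the previously learned block, learned addresses go at the top, and the
    manually managed content is left intact below them."""
    head = "".join(f"nameserver {addr} # {LEARNED_TAG} {ifname}\n"
                   for ifname, addr in proposal)
    return head + strip_learned(text)


def check_policy(text: str, expected: List[str]) -> Tuple[bool, str]:
    """Defender-side check: will lookups go to an administratively expected
    resolver? Flags the case from the thread where a learned entry sits
    above the static ones and silently takes over."""
    first = effective_resolver(text)
    if first is None:
        return False, "no nameserver configured"
    if first in expected:
        return True, f"first nameserver {first} is expected"
    source = dict(parse_entries(text)).get(first) or "unknown source"
    return False, f"first nameserver {first} (learned via {source}) shadows {expected[0]}"


if __name__ == "__main__":
    merged = merge_learned(STATIC_RESOLV_CONF, PPPOE_PROPOSAL)
    print(merged)
    print(check_policy(merged, EXPECTED_RESOLVERS))
    print(check_policy(strip_learned(merged), EXPECTED_RESOLVERS))
```

Running it shows the state Kaya saw: the static entries are untouched, yet the first nameserver line is the learned ISP address, so that is where lookups go. The check_policy result is the kind of assertion worth running from a monitoring job on a host where the resolver in use matters (for example when a local filtering resolver is expected), since nothing in the default setup otherwise reports that a learned entry has taken precedence.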




Re: dns priority from different network connections - or disabling?

2023-04-10 Thread Kaya Saman



On 4/10/23 16:24, Daniele B. wrote:
> Apr 10, 2023 12:52:22 Kaya Saman :
>
>>> how do I override OpenBSD's
>>> behavior to explicitly not use the dns servers obtained through ipcp but
>>> instead use the ones from the resolv.conf file?
>
> My solution both for security reasons (I'm using unbound)
> and for practical reasons (as per your concerns) is to set immutable
> resolv.conf by chflags.
>
> Not the Solution but a very good workaround. Please investigate also
> when you can take off the immutable flag too.
>
> I take this time to wish you all a Happy Easter and obviously
> lots of compliments for the 54th release of the ball fish system!



Do you mean setting resolv.conf as ReadOnly?

My resolv.conf file is fine and has the correct dns servers inside.

The issue is that pppoe negotiates the dns servers through ipcp. The dns
servers therefore do *not* get loaded into the resolv.conf file but
instead show up under: ifconfig pppoe0

This somehow is overriding my resolv.conf file; in other words the
information is *not* being used from resolv.conf and is instead being
used from the ipcp negotiation as part of the pppoe kernel module.

The question is how to disable this behavior?



Re: dns priority from different network connections - or disabling?

2023-04-10 Thread Daniele B.
Apr 10, 2023 12:52:22 Kaya Saman :

>>> how do I override OpenBSD's
>>> behavior to explicitly not use the dns servers obtained through ipcp but
>>> instead use the ones from the resolv.conf file?

My solution both for security reasons (I'm using unbound)
and for practical reasons (as per your concerns) is to set immutable
resolv.conf by chflags.

Not the Solution but a very good workaround. Please investigate also
when you can take off the immutable flag too.

I take this time to wish you all a Happy Easter and obviously
lots of compliments for the 54th release of the ball fish system!



Re: dns priority from different network connections - or disabling?

2023-04-10 Thread Kaya Saman



On 4/10/23 11:40, Jonathan Gray wrote:
> On Mon, Apr 10, 2023 at 11:26:22AM +0100, Kaya Saman wrote:
>> Hi,
>>
>> I'll ask the second question first as it might be easier to implement...
>>
>> Currently I have found that the dns servers specified in the resolv.conf
>> file are not being used. Instead my machine is prioritizing the ISP obtained
>> servers from the ipcp protocol through the kernel ppp service. Within the
>> hostname.pppoe(x) file is there a way to disable the dns portion of the
>> negotiation?
>>
>> If not, then this leads to my second question of how do I override OpenBSD's
>> behavior to explicitly not use the dns servers obtained through ipcp but
>> instead use the ones from the resolv.conf file?
>
> in /etc/rc.conf.local
> resolvd_flags=NO


Ok strange! This is already set and before emailing I checked that the
resolvd, unbound, unwind, and even nsd services were not running using 'ps'.

Just attempted to stop resolvd using: /etc/rc.d/resolvd stop (in case it
was running and I missed something), it said "OK".

nslookup still shows the dns servers from ipcp and not the locally
defined ones in resolv.conf






>> I'm not sure when the behavior changed but it is a recent thing either done
>> by an update or by adding my secondary ISP. Right now my system can't send
>> emails because it's using the wrong dns.
>
> changed in sys/net/if_spppsubr.c rev 1.188
> first release with that was OpenBSD 7.1



No no this odd behavior started recently?? I'm on: 7.3
GENERIC.MP#1125 amd64

Maybe I ran: sh /etc/netstart pppoe0 which decided to override the
resolv.conf file, I really am not sure but still...




Re: dns priority from different network connections - or disabling?

2023-04-10 Thread Jonathan Gray
On Mon, Apr 10, 2023 at 11:26:22AM +0100, Kaya Saman wrote:
> Hi,
> 
> 
> I'll ask the second question first as it might be easier to implement...
> 
> 
> Currently I have found that the dns servers specified in the resolv.conf
> file are not being used. Instead my machine is prioritizing the ISP obtained
> servers from the ipcp protocol through the kernel ppp service. Within the
> hostname.pppoe(x) file is there a way to disable the dns portion of the
> negotiation?
> 
> 
> If not, then this leads to my second question of how do I override OpenBSD's
> behavior to explicitly not use the dns servers obtained through ipcp but
> instead use the ones from the resolv.conf file?
> 

in /etc/rc.conf.local
resolvd_flags=NO

> 
> I'm not sure when the behavior changed but it is a recent thing either done
> by an update or by adding my secondary ISP. Right now my system can't send
> emails because it's using the wrong dns.

changed in sys/net/if_spppsubr.c rev 1.188
first release with that was OpenBSD 7.1



dns priority from different network connections - or disabling?

2023-04-10 Thread Kaya Saman

Hi,


I'll ask the second question first as it might be easier to implement...


Currently I have found that the dns servers specified in the resolv.conf
file are not being used. Instead my machine is prioritizing the ISP
obtained servers from the ipcp protocol through the kernel ppp service.
Within the hostname.pppoe(x) file is there a way to disable the dns
portion of the negotiation?

If not, then this leads to my second question of how do I override
OpenBSD's behavior to explicitly not use the dns servers obtained
through ipcp but instead use the ones from the resolv.conf file?

I'm not sure when the behavior changed but it is a recent thing either
done by an update or by adding my secondary ISP. Right now my system
can't send emails because it's using the wrong dns.

Thanks for any ideas.

Kaya