Sonic <sonicsm...@gmail.com> wrote:
> On Fri, Jul 16, 2021 at 10:35 PM Theo de Raadt <dera...@openbsd.org> wrote:
> > We are moving from a model where dhclient on 1 interface believes it is
> > MASTER of /etc/resolv.conf and a bunch of system aspects, and the
> > userbase is familiar with a pile of hacky control knobs in
> > dhclient.conf.
> >
> > Towards a model where multiple interfaces + unwind can advertise their
> > DNS resolution abilities to resolvd, which then sorts the offers and
> > maintains a configuration.
>
> On the surface this sounds good.
>
> > Anyways I'll let other people you didn't show your config to explain how
> > you are probably using pf incorrectly on interfaces configured with
> > dynamic addressing.
>
> Ah yes, my bad, had a line without the parens around the dhcp
> interface reference.
> This issue is resolved.
> Oddly enough it never affected many previous snapshots which used
> dhcpcd in place of dhcpleased.
>
> The issue with resolvd is still a bit perplexing as if I allow it to
> run it insists on prepending my ISP nameservers to the resolv.conf
> file which breaks the system.

It is not perplexing if you read the manual page. resolvd(8) explains what is happening.

> After the change with dhcpleased and resolvd:
> ========================
> nameserver 75.75.75.75 # resolvd: em0
> nameserver 75.75.76.76 # resolvd: em0
> # Generated by em0 dhclient
> search example.com
> nameserver 127.0.0.1
> lookup file bind
> family inet4
> ========================
>
> I run nsd and unbound on this system, unbound listens on the loopback
> and on the internal interface to serve the network, it uses stub zones
> to the local nsd and to a bunch of other internal network dns servers
> connected via site-to-site vpn tunnels.
> My ISP's nameservers have no clue about my internal systems or the
> other vpn connected internal systems that I need to resolve and there
> should be some way to prevent the ISP's nameservers from being force
> prepended to resolv.conf as the supersedes in dhclient.conf are
> apparently ignored.
> The workaround I found is resolvd_flags=NO in rc.conf.local
> eliminating the prepending of the ISP nameservers.
> If there's a more acceptable proper OpenBSD solution it would be
> preferred but at this point I don't see what it is.

We cannot build a mechanism which satisfies everyone's complicated setup. You've already made a pile of changes, and we are not stopping you from making further changes. Instead, we are focusing on 99% of the use cases.

You might want to look into using unwind(8) instead of unbound(8), because resolvd(8) treats it as highest priority.
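An added check for the situation the poster describes (example code, not from the thread or from OpenBSD): it reads a resolv.conf, attributes each nameserver either to the interface named in resolvd's "# resolvd: <ifname>" trailer or to manual configuration, and flags when a resolvd-managed upstream has been placed ahead of the local resolver. The sample file is constructed from the output quoted above; the trailer format is assumed to be exactly what that output shows.

```shell
#!/bin/sh
# Constructed sample modelled on the resolv.conf quoted in the thread.
SAMPLE_RESOLV_CONF='nameserver 75.75.75.75 # resolvd: em0
nameserver 75.75.76.76 # resolvd: em0
# Generated by em0 dhclient
search example.com
nameserver 127.0.0.1
lookup file bind
family inet4'

# Print one line per nameserver: "<address> <source>", where <source> is the
# interface from a "# resolvd: <ifname>" trailer (assumed format) or "manual".
resolv_sources() {
    awk '
        $1 == "nameserver" {
            src = "manual"
            # "# resolvd: " is 11 characters; the ifname follows it.
            if (match($0, /# resolvd: [^ ]+/))
                src = substr($0, RSTART + 11, RLENGTH - 11)
            print $2, src
        }' "$1"
}

# Return 0 if the first nameserver is the local resolver (127.0.0.1 or ::1),
# 1 if something else (e.g. a resolvd-managed ISP upstream) precedes it.
local_resolver_first() {
    first=$(resolv_sources "$1" | head -n 1 | cut -d' ' -f1)
    case "$first" in
        127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run against the constructed sample; on a real host pass
# /etc/resolv.conf instead of the temporary file.
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_RESOLV_CONF" > "$tmp"
resolv_sources "$tmp"
local_resolver_first "$tmp" || echo "warning: upstream nameserver listed before the local resolver"
rm -f "$tmp"
```

On the quoted file this reports both 75.75.x.x entries as em0-sourced and prints the warning, which is the exact ordering the poster was objecting to.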