subject:"systemd and search domains."

systemd and search domains.

2020-01-08 Thread Ken D'Ambrosio

Hey, all.  When I fire up my VPN, it re-writes my /etc/resolv.conf.  
Shocker.  But I *want* it to, because then all my DNS stuff is good for 
my company.  But it's NOT good for my personal domain.  I'd like to have 
that added to the search domains.  I'm in Ubuntu; not sure if that 
matters.  From my reading:
* I can the search domains on a per-interface manner, but that seems 
hokey, and subject to issues if I use something (e.g., Bluetooth) to be 
my conduit to the 'Net.
* /etc/resolv.conf shouldn't be manually modified as it'll just get 
overwritten (and I don't want to make it immutable because I want it to 
change depending on whether I'm using VPN or no)
* /etc/dhclient/dhclient.conf (apparently) doesn't matter any more if 
you're running NetworkManager

So, my question: is there an elegant, global way to set/append to my DNS 
domain search list?  Or am I just gonna wind up writing a daemon to wham 
an resolv.conf in-place depending on the current network config?

Thanks,

-Ken
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

Re: systemd and search domains.

2020-01-08 Thread Joshua Judson Rosen

What sort of VPN is it? e.g.: OpenVPN, Wireguard, IPSec...?

And have you installed either resolvconf (which is Suggested by the openvpn 
package, but not required)
or openresolv (which is supposed to be a better, generally compatible, 
replacement for resolvconf)?

On 1/8/20 2:37 PM, Ken D'Ambrosio wrote:
> Hey, all.  When I fire up my VPN, it re-writes my /etc/resolv.conf.
> Shocker.  But I *want* it to, because then all my DNS stuff is good for
> my company.  But it's NOT good for my personal domain.  I'd like to have
> that added to the search domains.  I'm in Ubuntu; not sure if that
> matters.  From my reading:
> * I can the search domains on a per-interface manner, but that seems
> hokey, and subject to issues if I use something (e.g., Bluetooth) to be
> my conduit to the 'Net.
> * /etc/resolv.conf shouldn't be manually modified as it'll just get
> overwritten (and I don't want to make it immutable because I want it to
> change depending on whether I'm using VPN or no)
> * /etc/dhclient/dhclient.conf (apparently) doesn't matter any more if
> you're running NetworkManager
> 
> So, my question: is there an elegant, global way to set/append to my DNS
> domain search list?  Or am I just gonna wind up writing a daemon to wham
> an resolv.conf in-place depending on the current network config?
> 
> Thanks,
> 
> -Ken
> ___
> gnhlug-discuss mailing list
> gnhlug-discuss@mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
> 

-- 
Connect with me on the GNU social network! 

Not on the network? Ask me for more info!
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

Re: systemd and search domains.

2020-01-08 Thread Dennis Straffin

Newer Ubuntu systems use systemd-resolved which doesn't seem to support
split-horizon dns (at least last time I looked).

One solution is to go back to using dnsmasq.

* Install dnsmasq:

apt get install dnsmasq


* Update /etc/NetworkManager/NetworkManager.conf:

[main]

...

dns=dnsmasq


* Add a dnsmasq config file to /etc/NetworkManager/|dnsmasq.d/foo.conf
with your servers:|
|||server=/foo.bar/bar.baz/1.2.3.4

* Restart network manager:
|||

|||sudo service network-manager restart|||

||

||
* You might have to stop and disable the dnsmasq and resolved units:||

sudo systemctl stop systemd-resolved dnsmasq
sudo systemctl disable systemd-resolved dnsmasq

||
* You might also have to link /etc/resolv.conf to the network manager
generated one||:

sudo mv /etc/resolv.conf /etc/resolv.conf.orig
sudo ln -s /run/NetworkManager/resolv.conf /etc/resolv.conf

||
-Dennis
|

|
On 1/8/20 2:37 PM, Ken D'Ambrosio wrote:
> Hey, all.  When I fire up my VPN, it re-writes my /etc/resolv.conf.  
> Shocker.  But I *want* it to, because then all my DNS stuff is good for 
> my company.  But it's NOT good for my personal domain.  I'd like to have 
> that added to the search domains.  I'm in Ubuntu; not sure if that 
> matters.  From my reading:
> * I can the search domains on a per-interface manner, but that seems 
> hokey, and subject to issues if I use something (e.g., Bluetooth) to be 
> my conduit to the 'Net.
> * /etc/resolv.conf shouldn't be manually modified as it'll just get 
> overwritten (and I don't want to make it immutable because I want it to 
> change depending on whether I'm using VPN or no)
> * /etc/dhclient/dhclient.conf (apparently) doesn't matter any more if 
> you're running NetworkManager
>
> So, my question: is there an elegant, global way to set/append to my DNS 
> domain search list?  Or am I just gonna wind up writing a daemon to wham 
> an resolv.conf in-place depending on the current network config?
>
> Thanks,
>
> -Ken
> ___
> gnhlug-discuss mailing list
> gnhlug-discuss@mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

Re: systemd and search domains.

2020-01-08 Thread Ken D'Ambrosio


On 2020-01-08 16:22, Dennis Straffin wrote:


Newer Ubuntu systems use systemd-resolved which doesn't seem to support 
split-horizon dns (at least last time I looked).

One solution is to go back to using dnsmasq.


Wups.  Meant to reply with this to all, earlier.  Going to add verbiage
for dnsmasq, too. 

== 

Welp. 


* I used to do the dnsmasq thing, and it works really well, but it's
kind of a pain to set up all the DNS servers and stuff for internal use,
and you occasionally get stuff wrong.  It's a big enough win for VPN to
be handling that that I think I'll let it continue doing it. 


* I tried Joshua's suggestion of openresolv, and it's got exactly what I
want, and happily prepends the domain to resolv.conf... until the VPN
(GlobalProtect) steps on it. 


* I did some systemd reading, and realized that there's a way to do this
through systemd: edit /etc/systemd/resolved.conf.  Which likewise gets
stepped on by GlobalProtect 


* I tried Ted's idea, thinking maybe I hadn't looked closely enough at
the network UI, and I was right: I hadn't!  Except when I went to edit
the entries, they echoed exactly what I'd done with
/etc/systemd/resolved.conf.  So it's probably fronting exactly that. 


I *think* I'd be able to make it work through OpenConnect, except that
it seems OpenConnect isn't doing MFA (at least, with the GlobalProtect?)
Nutshell: clearly, it's time for a self-written inotify daemon and call
it a day.  Because it's stupid easy to prepend a line with my domain
name every time the file changes, whereas I'm gettin' old trying to
figure this out through a more elegant mechanism. 

Thanks for suggestions, all! 


-Ken


* Install dnsmasq:

apt get install dnsmasq

* Update /etc/NetworkManager/NetworkManager.conf:

[main]

...

dns=dnsmasq

* Add a dnsmasq config file to /etc/NetworkManager/dnsmasq.d/foo.conf with your 
servers:
server=/foo.bar/bar.baz/1.2.3.4

* Restart network manager:

sudo service network-manager restart

* You might have to stop and disable the dnsmasq and resolved units:

sudo systemctl stop systemd-resolved dnsmasq
sudo systemctl disable systemd-resolved dnsmasq

* You might also have to link /etc/resolv.conf to the network manager generated 
one:

sudo mv /etc/resolv.conf /etc/resolv.conf.orig
sudo ln -s /run/NetworkManager/resolv.conf /etc/resolv.conf

-Dennis

On 1/8/20 2:37 PM, Ken D'Ambrosio wrote: 

Hey, all.  When I fire up my VPN, it re-writes my /etc/resolv.conf.  
Shocker.  But I *want* it to, because then all my DNS stuff is good for 
my company.  But it's NOT good for my personal domain.  I'd like to have 
that added to the search domains.  I'm in Ubuntu; not sure if that 
matters.  From my reading:
* I can the search domains on a per-interface manner, but that seems 
hokey, and subject to issues if I use something (e.g., Bluetooth) to be 
my conduit to the 'Net.
* /etc/resolv.conf shouldn't be manually modified as it'll just get 
overwritten (and I don't want to make it immutable because I want it to 
change depending on whether I'm using VPN or no)
* /etc/dhclient/dhclient.conf (apparently) doesn't matter any more if 
you're running NetworkManager


So, my question: is there an elegant, global way to set/append to my DNS 
domain search list?  Or am I just gonna wind up writing a daemon to wham 
an resolv.conf in-place depending on the current network config?


Thanks,

-Ken
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/


___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

Re: systemd and search domains.

2020-01-08 Thread Joshua Judson Rosen

So, I don't know anything about GlobalProtect per se (this is the first I've 
even heard of it...);
but...:

On 1/8/20 5:24 PM, Ken D'Ambrosio wrote:
> 
> * I used to do the dnsmasq thing, and it works really well, but it's kind of 
> a pain to set up all the DNS servers and stuff for internal use, and you 
> occasionally get stuff wrong.

FYI managing dnsmasq's back-end DNS server config is actually something that 
openresolv/resolvconf handle :)

Though I'm not sure adding dnsmasq really addresses the "search domain" issue.

> * I tried Joshua's suggestion of openresolv, and it's got exactly what I 
> want, and happily prepends the domain to resolv.conf... until the VPN 
> (GlobalProtect) steps on it.

Well, crap. So my next question was going to be, "are you actually using 
GlobalProtect per se
or are you (can you?) use OpenConnect? Because I bet we could just hook 
OpenConnect into resolvconf
if it doesn't already have a hook..."; but then you went ahead and answered 
that...:

> I *think* I'd be able to make it work through OpenConnect, except that it 
> seems OpenConnect
> isn't doing MFA (at least, with the GlobalProtect?)  Nutshell: clearly, it's 
> time for
> a self-written inotify daemon and call it a day.
> Because it's stupid easy to prepend a line with my domain name every time the 
> file changes,
> whereas I'm gettin' old trying to figure this out through a more elegant 
> mechanism.

Ha! An inotify monitor actually seems like a pretty elegant solution to me!
(though maybe I should point out that I got some of my aesthetic sense
  from growing up watching The Red Green Show...).

The only other option that comes to mind for me is "figure out how to just 
block writes from the GlobalProtect process"
(I'm guessing GlobalProtect is running as root, but you could use an SELinux or 
AppArmor policy
  or something to deal with that?).

Watch out for the `inotify-handler writes and re-triggers itself resulting in 
an infinitely-long "search" line' problem,
obviously? :)

-- 
Connect with me on the GNU social network! 

Not on the network? Ask me for more info!
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

Re: systemd and search domains.

2020-01-08 Thread Ken D'Ambrosio

On 2020-01-08 17:58, Joshua Judson Rosen wrote:
>> Nutshell: clearly, it's time for
>> a self-written inotify daemon and call it a day.
>> Because it's stupid easy to prepend a line with my domain name every 
>> time the file changes,
>> whereas I'm gettin' old trying to figure this out through a more 
>> elegant mechanism.
> 
> Ha! An inotify monitor actually seems like a pretty elegant solution to 
> me!
> (though maybe I should point out that I got some of my aesthetic sense
>  from growing up watching The Red Green Show...).

I done did it.  (Yeah, I use Ruby for my CLI stuffs; it's pretty much 
replaced Perl as my go-to for any systemy stuff.  But this time, I 
decided not to make it a Ruby script and just threw in a -pie one-liner 
like the olden Perl days.  It's not particularly pretty, but hey...)
--
gozer # cat /usr/local/bin/dnssearch.sh
#!/bin/bash

# Prepends my domain to DNS search line in resolv.conf

resolv="/run/systemd/resolve/stub-resolv.conf"

while true
do
 grep jots.org /run/systemd/resolve/stub-resolv.conf || \
echo "Prepending jots.org to domain search list"
 ruby -pi -e 'gsub(/search /, "search jots.org ")' "$resolv"
 inotifywait -e modify "$resolv" # Here and not at top to be sure 
fires once
 sleep 3
done
--
gozer # cat /etc/systemd/system/dnssearch.service
[Unit]
Description=Date to file on-disk
After=getty.target

[Service]
Type=simple
User=root
WorkingDirectory=/tmp
ExecStart=/usr/local/bin/dnssearch.sh
Restart=always

[Install]
WantedBy=multi-user.target
--
gozer systems # systemctl status dnssearch
● dnssearch.service - Date to file on-disk
Loaded: loaded (/etc/systemd/system/dnssearch.service; enabled; 
vendor preset: enabled)
Active: active (running) since Wed 2020-01-08 18:14:13 EST; 6min ago
  Main PID: 13429 (dnssearch.sh)
 Tasks: 2 (limit: 4915)
CGroup: /system.slice/dnssearch.service
├─13429 /bin/bash /usr/local/bin/dnssearch.sh
└─13700 inotifywait -e modify 
/run/systemd/resolve/stub-resolv.conf

Jan 08 18:14:16 gozer dnssearch.sh[13429]: Watches established.
Jan 08 18:14:28 gozer dnssearch.sh[13429]: 
/run/systemd/resolve/stub-resolv.conf MODIFY
Jan 08 18:14:28 gozer dnssearch.sh[13429]: # configured search jots.org 
domains.
Jan 08 18:14:28 gozer dnssearch.sh[13429]: search jots.org jots.org
Jan 08 18:14:31 gozer dnssearch.sh[13429]: Setting up watches.
Jan 08 18:14:31 gozer dnssearch.sh[13429]: Watches established.
Jan 08 18:14:53 gozer dnssearch.sh[13429]: 
/run/systemd/resolve/stub-resolv.conf MODIFY
Jan 08 18:14:53 gozer dnssearch.sh[13429]: Prepending jots.org to domain 
search list
Jan 08 18:14:56 gozer dnssearch.sh[13429]: Setting up watches.
Jan 08 18:14:56 gozer dnssearch.sh[13429]: Watches established.
--
First prepend was when I fired up the service and my domain wasn't 
already in there; second was when I launched the VPN.

> Watch out for the `inotify-handler writes and re-triggers itself
> resulting in an infinitely-long "search" line' problem,
> obviously? :)

Yeah, I've stubbed my toe on that w-a-y back when inotify first came 
out.  That, and just not firing too frequently should $stuff be 
happening, are the reasons for the three-second sleep.

-Ken
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

Re: systemd and search domains.

2020-01-09 Thread Ed Robbins



On 1/8/20 6:26 PM, Ken D'Ambrosio wrote:

On 2020-01-08 17:58, Joshua Judson Rosen wrote:

Nutshell: clearly, it's time for
a self-written inotify daemon and call it a day.
Because it's stupid easy to prepend a line with my domain name every
time the file changes,
whereas I'm gettin' old trying to figure this out through a more
elegant mechanism.

Ha! An inotify monitor actually seems like a pretty elegant solution to
me!
(though maybe I should point out that I got some of my aesthetic sense
  from growing up watching The Red Green Show...).

I done did it.  (Yeah, I use Ruby for my CLI stuffs; it's pretty much
replaced Perl as my go-to for any systemy stuff.  But this time, I
decided not to make it a Ruby script and just threw in a -pie one-liner
like the olden Perl days.  It's not particularly pretty, but hey...)


There are some things in Linux that I absolutely gush over because of 
how handy they are, inotify is just such a creature.  I use it in some 
of the most unlikely places to solve some of my most baffling problems.



Ed

___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

Re: systemd and search domains.

2020-01-09 Thread Mark E. Mallett

On Wed, Jan 08, 2020 at 05:58:24PM -0500, Joshua Judson Rosen wrote:
> Ha! An inotify monitor actually seems like a pretty elegant solution to me!
> (though maybe I should point out that I got some of my aesthetic sense
>   from growing up watching The Red Green Show...).

But you can change. If you have to. Don't you guess?
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

Re: inotify (was: systemd and search domains.)

2020-01-09 Thread Joshua Judson Rosen

On 1/9/20 12:56 PM, Ed Robbins wrote:
> 
> There are some things in Linux that I absolutely gush over because of how 
> handy they are,
> inotify is just such a creature.  I use it in some of the most unlikely places
> to solve some of my most baffling problems.

Any thoughts on using inotify directly vs. using FAM/gamin/fswatch/libev/...?

PS: I think I'm going to take that "in some of the most unlikely places,
solving the most baffling problems" for my bio ;p

-- 
Connect with me on the GNU social network! 

Not on the network? Ask me for more info!
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

systemd and search domains.

Re: systemd and search domains.

Re: systemd and search domains.

Re: systemd and search domains.

Re: systemd and search domains.

Re: systemd and search domains.

Re: systemd and search domains.

Re: systemd and search domains.

Re: inotify (was: systemd and search domains.)

9 matches

Site Navigation

Mail list logo

Footer information