
On Mon, Mar 06, 2017 at 01:23:05PM +1100, Anthony wrote:
> What goes screwy is DNS resolution...
> 
> Sometimes, for no obvious reason, I can resolve internal hostnames that
> resolve to destinations reached by the host using things like the "host"
> command...
IMO the best solution is to run your own DNS resolver (e.g. with unbound or maradns or whatever on your gateway box), manually set resolv.conf to point to it, purge crapware like resolvconf, and disable resolv.conf mangling by anything capable of doing it (e.g. dhclient, network manager, openconnect, etc). In short, disable anything that auto-magically fucks up your DNS resolver settings.

e.g. resolv.conf on my resolver host looks like this:

  search taz.net.au
  nameserver 127.0.0.1

on machines with a static IP, it looks like this:

  search taz.net.au
  nameserver 203.16.167.1

If you run a DHCP server, configure it to give out your domain name and your resolver's IP address. My dhcp server (ISC DHCPD) has these rules:

  option domain-name "taz.net.au";
  option domain-name-servers 203.16.167.1;

If your machines rely on someone else's DHCP server (e.g. a laptop you plug into many different networks) you can still run your own resolver. Just edit your /etc/dhcp/dhclient.conf and remove "domain-name" and "domain-name-servers" from the "request" line, or use "supersede", "prepend" etc rules in dhclient.conf to make sure your resolver on 127.0.0.1 is the first or only resolver. Basic examples are commented out in the .conf file, or see dhclient.conf's manpage for full details.

Aside from fixing your DNS resolution weirdness, this will also have the effect of speeding up DNS resolution as you now have a local caching resolver on your LAN - eliminating 10s or 100s of milliseconds RTT for DNS lookups. It's worth doing it for this alone, even if your DNS isn't being randomly screwed up by competing automagic crap.

Running your own resolver is easy, it's a one time operation, then you can forget about it - little or no maintenance is required.

Some resolvers allow you to set upstream forwarders (e.g. your ISP's ns, or google's 8.8.8.8 or whatever). Some allow you to set specific upstream forwarders for specific domains - this is especially useful if you have a VPN to work or somewhere, and need to be able to resolve hostnames in private domains or sub-domains that are only visible behind the company firewall. This kind of configuration flexibility is not possible unless you run your own resolver.

craig

ps: also recommended, a local squid cache, with ad & script blocking rules to provide a minimal set of filtering even without browser plugins like umatrix or ublock origin. Unfortunately, this is less useful than it used to be - using https everywhere is a great thing, but it busts caching.

-- 
craig sanders <cas@taz.net.au>
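As an added example (not from craig's post), here are the two pieces of configuration the post describes: a dhclient.conf that keeps a DHCP lease from overriding the local resolver, and an unbound.conf that forwards one VPN-only domain to the resolver behind the company firewall while everything else goes upstream. The LAN range 192.168.0.0/16, the VPN domain corp.example and its resolver 10.8.0.53 are placeholders; the request line is trimmed from the Debian default.

```conf
# --- /etc/dhcp/dhclient.conf (laptop that uses other people's DHCP) ---
# Option 1: stop asking the DHCP server for DNS settings at all
# (domain-name and domain-name-servers removed from the default request line;
#  list trimmed, placeholder)
request subnet-mask, broadcast-address, time-offset, routers,
        host-name, interface-mtu, rfc3442-classless-static-routes, ntp-servers;

# Option 2: keep requesting them, but force the local resolver to win.
# "prepend" puts 127.0.0.1 first in resolv.conf, the lease's servers after it;
# "supersede" would make it the only nameserver written.
supersede domain-name "taz.net.au";
prepend domain-name-servers 127.0.0.1;
# supersede domain-name-servers 127.0.0.1;

# --- /etc/unbound/unbound.conf (resolver on the gateway, 203.16.167.1) ---
server:
    interface: 127.0.0.1
    interface: 203.16.167.1
    # Answer only the local host and the LAN; refuse everything else so the
    # box never becomes an open resolver on its Internet-facing address.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow     # placeholder LAN range
    access-control: 0.0.0.0/0 refuse
    # If DNSSEC validation is enabled and the internal zone is unsigned,
    # mark it insecure or forwarded answers for it will be rejected.
    domain-insecure: "corp.example"          # placeholder VPN-only domain

# Names only visible behind the company firewall: ask the VPN's resolver
forward-zone:
    name: "corp.example"                     # placeholder
    forward-addr: 10.8.0.53                  # placeholder, reached via the VPN

# Everything else: forward to a chosen upstream
# (delete this zone to have unbound resolve recursively from the roots)
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
```

Check the result with `unbound-checkconf` and, after the VPN is up, confirm that a lookup for a corp.example name succeeds while the same name fails with the VPN down.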