On Mon, Mar 06, 2017 at 01:23:05PM +1100, Anthony wrote:
What goes screwy is DNS resolution...
Sometimes, for no obvious reason, I can resolve internal hostnames
that resolve to destinations reached by the host using things like the
"host" command...
IMO the best solution is to run your own DNS resolver (e.g. with unbound
or maradns or whatever on your gateway box), manually set resolv.conf
to point to it, purge crapware like resolvconf, and disable resolv.conf
mangling by anything capable of doing it (e.g. dhclient, network
manager, openconnect, etc).
In short, disable anything that auto-magically fucks up your DNS
resolver settings.
e.g. resolv.conf on my resolver host looks like this:
search taz.net.au
nameserver 127.0.0.1
on machines with a static IP, it looks like this:
search taz.net.au
nameserver 203.16.167.1
If you run a DHCP server, configure it to give out your domain name and
your resolver's IP address. My dhcp server (ISC DHCPD) has these rules:
option domain-name "taz.net.au";
option domain-name-servers 203.16.167.1;
If your machines rely on someone else's DHCP server (e.g. a laptop you
plug into many different networks) you can still run your own resolver.
Just edit your /etc/dhcp/dhclient.conf and remove "domain-name" and
"domain-name-servers" from the "request" line, or use "supersede",
"prepend" etc rules in dhclient.conf to make sure your resolver on
127.0.0.1 is the first or only resolver. Basic examples are commented
out in the .conf file, or see dhclient.conf's manpage for full details.
Aside from fixing your DNS resolution weirdness, this will also have the
effect of speeding up DNS resolution as you now have a local caching
resolver on your LAN - eliminating 10s or 100s of milliseconds RTT for
DNS lookups. It's worth doing it for this alone, even if your DNS isn't
being randomly screwed up by competing automagic crap.
Running your own resolver is easy, it's a one time operation, then you
can forget about it - little or no maintenance is required.
Some resolvers allow you to set upstream forwarders (e.g. your ISP's
ns, or google's 8.8.8.8 or whatever). Some allow you to set specific
upstream forwarders for specific domains - this is especially useful
if you have a VPN to work or somewhere, and need to be able to resolve
hostnames in private domains or sub-domains that are only visible behind
the company firewall. This kind of configuration flexibility is not
possible unless you run your own resolver.
craig
ps: also recommended, a local squid cache with ad & script blocking
rules to provide a minimal set of filtering even without browser plugins
like umatrix or ublock origin. Unfortunately, this is less useful than
it used to be - using https everywhere is a great thing, but it busts
caching.
--
craig sanders <cas(a)taz.net.au>
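Putting the two configuration steps from the mail above side by side, as an added example (not Craig's own files): a dhclient.conf that stops DHCP from overriding the resolver, and an unbound.conf that forwards one private VPN domain to its own nameserver. The domain corp.example, the address 10.0.0.53 and the upstream 8.8.8.8 placement are constructed placeholders; the domain taz.net.au and the resolver address 203.16.167.1 are the ones from the mail.

```conf
# --- /etc/dhcp/dhclient.conf (constructed example) ---
# The default "request" line asks the DHCP server for domain-name,
# domain-name-servers and domain-search; this one deliberately leaves
# them out, so dhclient never learns a nameserver to write into
# resolv.conf.
request subnet-mask, broadcast-address, time-offset, routers,
        host-name, interface-mtu, ntp-servers;

# Belt and braces: even if a server volunteers these options,
# "supersede" replaces them with our own values before resolv.conf
# is touched. Use "prepend domain-name-servers 127.0.0.1;" instead
# if you want the DHCP-supplied servers kept as fallbacks after
# the local resolver.
supersede domain-name "taz.net.au";
supersede domain-name-servers 127.0.0.1;

# --- /etc/unbound/unbound.conf (constructed example) ---
server:
    # Listen only on loopback (or your LAN address on the gateway).
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # On the gateway box serving the LAN, also allow the LAN range
    # and listen on 203.16.167.1 as in the mail.
    do-ip6: no
    hide-identity: yes
    hide-version: yes

# Names under the VPN-only domain go to the resolver behind the
# company firewall (10.0.0.53 is a placeholder for the address you
# get from the VPN).
forward-zone:
    name: "corp.example"
    forward-addr: 10.0.0.53

# Everything else: either recurse from the roots (omit this zone),
# or forward to a chosen upstream such as your ISP's or 8.8.8.8.
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
```

After editing, `unbound-checkconf` validates the unbound file, and `dig @127.0.0.1 host.corp.example` should show the answer arriving via the VPN resolver while other names still resolve normally.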