Previously, on Ubuntu 16.04, I felt betrayed when an Ubuntu update installed the dnsmasq package, configured it, and gave it precedence over my own super-stable, ultra-fast, and own-configured BIND DNS server. It felt exactly as if Ubuntu hacked my workstation.
Since I happened to be working as a system admin, this was extremely unacceptable. This was a freak-out call. This is when you go to troubleshoot a problem and in one of your steps you use dig or nslookup and you get stunned to see the lo interface replying to you. PANIC
Is there a way to not only fix this issue, but also guarantee that /etc/resolv.conf will be tamper-proof?
A simple edit to /etc/NetworkManager/NetworkManager.conf and disabling systemd-resolved.service (as in this answer https://askubuntu.com/a/907249/719422). But that alone, while essential, does not guarantee tamper-proof resolv.conf.
To really enforce a static /etc/resolv.conf that you know will survive restarts of any kind, you need to set the immutable attribute to it. Adding to the answer of Bastian Voigt mentioned above, you do this as SuperUser: ... changing the nameserver to your chosen value. That way, you can have a really static /etc/resolv.conf.
According to the docs, you can write your resolv.conf to /usr/lib/systemd/resolv.conf, which is a static file that can be linked from /etc/resolv.conf. That should not be rewritten. http://manpages.ubuntu.com/manpages/bionic/man8/systemd-resolved.service.8.html#contenttoc3
Best solution I've found is to prevent NetworkManager from updating /etc/resolv.conf and then creating a new /etc/resolv.conf file with a static DNS server. See https://www.ctrl.blog/entry/resolvconf-tutorial for how to do this.
The file present is a symlink to another file. Delete the file
The file is no longer a symlink but a persistent file.
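To check the outcome of any of the approaches in the answers above, the following added example (not part of the original posts) reports whether a resolv.conf is a symlink, whether the immutable attribute is set, and whether it points at a loopback nameserver such as a local dnsmasq or systemd-resolved stub. The function name audit_resolv_conf is hypothetical, and reading the immutable flag assumes lsattr is installed and the filesystem supports attributes.

```shell
#!/bin/sh
# Added example: audit a resolv.conf for the conditions discussed in this thread.
# audit_resolv_conf is a hypothetical helper, not part of any package.
# The body runs in a subshell so its variables do not leak into the caller.

audit_resolv_conf() (
    file="${1:-/etc/resolv.conf}"
    immutable="unknown"
    loopback="no"

    # A symlink means another component (NetworkManager, systemd-resolved,
    # resolvconf) owns the real file and can rewrite it.
    if [ -L "$file" ]; then
        kind="symlink"
    elif [ -f "$file" ]; then
        kind="regular"
    else
        echo "type=missing"
        return 1
    fi

    # lsattr prints the attribute flags first; 'i' is the immutable attribute.
    # If lsattr fails (no such tool, unsupported filesystem) the result stays unknown.
    if [ "$kind" = "regular" ] && attrs=$(lsattr -d -- "$file" 2>/dev/null); then
        case "${attrs%% *}" in
            *i*) immutable="yes" ;;
            *)   immutable="no" ;;
        esac
    fi

    # A loopback nameserver means queries go to a local stub resolver,
    # which is what shows up as the lo interface answering dig or nslookup.
    while read -r keyword ns _ || [ -n "$keyword" ]; do
        [ "$keyword" = "nameserver" ] || continue
        case "$ns" in
            127.*|::1) loopback="yes" ;;
        esac
    done < "$file"

    echo "type=$kind immutable=$immutable loopback_nameserver=$loopback"
)

# Usage: audit_resolv_conf [path]   (path defaults to /etc/resolv.conf)
```

A static file locked as the first answer describes should report type=regular immutable=yes loopback_nameserver=no; any other combination after a reboot or package update means something regained control of the file.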