topic Re: Help CISCO VPN Client changes my resolv.conf in Operating System - Linux

Help CISCO VPN Client changes my resolv.conf

'chris' — Wed, 02 Jul 2003 18:31:57 GMT

Hi

I have a serious problem.
I've installed CISCO vpnclient-linux-3.7.3.A-k9
at linux SuSE 8.1
It's working, but after computer restart
the VPN Client changes all the time resolv.conf
and put there its DNS Server.

how can I prevent that?

under:
/etc/sysconfig/network/config
I've changed to:
MODIFY_RESOLV_CONF_DYNAMICALLY="no"
MODIFY_NAMED_CONF_DYNAMICALLY="no"

but it doesn't help !

My resolv.conf looks:

nameserver 127.0.0.1
search localhost

and I don't want any changes.

Kindly Regards
Chris

Re: Help CISCO VPN Client changes my resolv.conf

Steven E. Protter — Thu, 03 Jul 2003 02:21:10 GMT

The contents of your /etc/resolv.conf file can't work with the VPN based on that configuration.

Unless you local server resolves every single domain on the Internet.

One of the way VPN's work is they resolve the hostname or IP address of an incoming client with DNS. Some domains are let in, some aren't. Some IP's are trusted, some are not.

In order to let the VPN works the way it wants to you need a little more in /etc/resolv.conf

You need an IP adress in there that is a server that will resolve. That can be another internal server which is trusted and resolves the part of the Internet or Intranet that you care about.

If this server is the primary DNS for your organization you should be okay.

I don't think it degrades security to have a valid DNS server in /etc/resolv.conf

As far as my small understanding of VPN goes, it may be a requirement.

SEP

Re: Help CISCO VPN Client changes my resolv.conf

Dave K_3 — Tue, 15 Jul 2003 17:33:02 GMT

You should always have at least two valid nameservers in /etc/resolv.conf If one goes down you will not be able to resolve DNS but, if 127.0.0.1 goes down, it probably won't matter anywise. Still you won't be able to resolve site even if your own DNS is down.

If you want to prevent /etc/resolv.conf from being changed, use the following:

chattr +i /etc/resolv.conf

This will lock the file an render it unchangeable until chattr -i is used.

Re: Help CISCO VPN Client changes my resolv.conf

Stuart Browne — Tue, 15 Jul 2003 23:07:25 GMT

Cisco's VPN client is, to put it mildy, a PAIN-IN-THE-*#&!@N-ASS.

All of those configuration directives can be over-ridden by the server you connect to.

In all seriousness, make a wrapper script. When the vpnclient finishes running, copy a 'good' resolv.conf back.

Re: Help CISCO VPN Client changes my resolv.conf

Steven E. Protter — Wed, 16 Jul 2003 02:25:23 GMT

-rw-r--r-- 2 root root 151 Jan 18 22:29 /etc/resolv.conf

These are the default permissions on resolv.conf

They should remain that way.

You may need to be root user to install it, but right after, you can restore the file.

To use it on the Linux machine, you certainly should NOT be root user. You should not do anything as that user except configure the machine.

When you actually use the product, you are a regular user. As a regular user you CANT modify resolv.conf if you have the permissions set right.

I still think you need a valid DNS server in resolv.conf This is an Internet product and you need to be able to negotiate the Internet via names to have things such as web hostnames resolve to IP addresses.

This should be a change you make.

Now perhaps this Cisco VPN product is being used for inbound connections. If its being used for inbound connections and requires root user its a piece of junk, its insecure, its risking your network and system and should simply not be used.

SEP

Re: Help CISCO VPN Client changes my resolv.conf

Stuart Browne — Wed, 16 Jul 2003 02:40:26 GMT

The cisco VPN client has a client (and server, which overrides) side setting as to whether to allow you to use the LAN whilst connected to the VPN.

If that's the case, then any resolv.conf setting is uselses anyway.

*whee!* Welcome to the wonderful (or is that horrible) world of Cisco VPN! :)

The client side stuff also inserts a kernel module.

It is secure (to the point that I'm not aware of any exploits), but it's painful to use.

We only use it for one client as they don't have anything else we can use. Bummer.. Gimmie SSH any day!

Re: Help CISCO VPN Client changes my resolv.conf

U.SivaKumar_2 — Wed, 16 Jul 2003 02:59:24 GMT

Hi ,

your VPN client is running with DHCP enabled either within VPN vclient itself or by linux . Please try to disable DHCP use static IP address and get back with results.

regards,
U.SivaKumar

Re: Help CISCO VPN Client changes my resolv.conf

U.SivaKumar_2 — Wed, 16 Jul 2003 03:00:03 GMT

Hi ,

your VPN client is running with DHCP enabled either within VPN vclient itself or by linux . Please try to disable DHCP use static IP address and get back with results.

regards,
U.SivaKumar

Re: Help CISCO VPN Client changes my resolv.conf

'chris' — Tue, 13 Jan 2004 19:25:13 GMT

hi

I've setup the server again with ext3
and NOT reiserfs system.

# chattr +i /etc/resolv.conf

and my resolv.conf will be never changed !

regards
chris