
Help CISCO VPN Client changes my resolv.conf

 
'chris'
Super Advisor

Help CISCO VPN Client changes my resolv.conf

Hi

I have a serious problem.
I've installed CISCO vpnclient-linux-3.7.3.A-k9
on Linux SuSE 8.1.
It's working, but after a computer restart
the VPN Client changes resolv.conf all the time
and puts its DNS server there.

How can I prevent that?

under:
/etc/sysconfig/network/config
I've changed to:
MODIFY_RESOLV_CONF_DYNAMICALLY="no"
MODIFY_NAMED_CONF_DYNAMICALLY="no"

but it doesn't help!

My resolv.conf looks like this:

nameserver 127.0.0.1
search localhost

and I don't want any changes.

Kind regards
Chris

Steven E. Protter
Exalted Contributor
Solution

Re: Help CISCO VPN Client changes my resolv.conf

The contents of your /etc/resolv.conf file can't work with the VPN based on that configuration.

Unless your local server resolves every single domain on the Internet.

One of the ways VPNs work is they resolve the hostname or IP address of an incoming client with DNS. Some domains are let in, some aren't. Some IPs are trusted, some are not.

In order to let the VPN work the way it wants to, you need a little more in /etc/resolv.conf.

You need an IP address in there that is a server that will resolve. That can be another internal server which is trusted and resolves the part of the Internet or Intranet that you care about.

If this server is the primary DNS for your organization you should be okay.

I don't think it degrades security to have a valid DNS server in /etc/resolv.conf.

As far as my small understanding of VPN goes, it may be a requirement.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Dave K_3
New Member

Re: Help CISCO VPN Client changes my resolv.conf

You should always have at least two valid nameservers in /etc/resolv.conf. If one goes down you will not be able to resolve DNS but, if 127.0.0.1 goes down, it probably won't matter anyway. Still you won't be able to resolve sites even if your own DNS is down.

If you want to prevent /etc/resolv.conf from being changed, use the following:

chattr +i /etc/resolv.conf

This will lock the file and render it unchangeable until chattr -i is used.

Stuart Browne
Honored Contributor

Re: Help CISCO VPN Client changes my resolv.conf

Cisco's VPN client is, to put it mildly, a PAIN-IN-THE-*#&!@N-ASS.

All of those configuration directives can be over-ridden by the server you connect to.

In all seriousness, make a wrapper script. When the vpnclient finishes running, copy a 'good' resolv.conf back.
One long-haired git at your service...
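
The wrapper approach suggested above, as an added example that is not part of the original posts and not Cisco's code: `run_preserving` is a hypothetical helper that snapshots a file, runs whatever command it is given, and puts the snapshot back if the command changed the file. It makes no assumption about the VPN client's command line; pass the real command as arguments.

```shell
#!/bin/sh
# Added example. Usage (hypothetical script name):
#   ./keep-resolv.sh <your vpn client command and arguments>

run_preserving() {
    target=$1; shift
    backup=$(mktemp "${TMPDIR:-/tmp}/resolv.good.XXXXXX") || return 1
    # -p keeps mode and timestamps of the known-good copy
    cp -p "$target" "$backup" || { rm -f "$backup"; return 1; }

    # Ignore INT/TERM in the wrapper itself so that stopping the client
    # with Ctrl-C still reaches the restore step below.
    trap ':' INT TERM
    "$@"
    rc=$?
    trap - INT TERM

    if ! cmp -s "$backup" "$target"; then
        # Record what was written before undoing it; useful when auditing
        # which resolver the remote side pushed.
        echo "run_preserving: $target was modified; content was:" >&2
        sed 's/^/    /' "$target" >&2
        # Rewrite in place (not mv) so a symlinked target stays a symlink.
        cat "$backup" > "$target" || rc=1
    fi
    rm -f "$backup"
    return "$rc"
}

# Only act when called with a command to wrap.
if [ "$#" -gt 0 ]; then
    run_preserving "${RESOLV_CONF:-/etc/resolv.conf}" "$@"
    exit $?
fi
```

If the file also carries the immutable flag set with chattr +i, the restore step is never needed, because the wrapped command cannot change the file in the first place.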
Steven E. Protter
Exalted Contributor

Re: Help CISCO VPN Client changes my resolv.conf

-rw-r--r-- 2 root root 151 Jan 18 22:29 /etc/resolv.conf

These are the default permissions on resolv.conf

They should remain that way.

You may need to be root user to install it, but right after, you can restore the file.

To use it on the Linux machine, you certainly should NOT be root user. You should not do anything as that user except configure the machine.

When you actually use the product, you are a regular user. As a regular user you CAN'T modify resolv.conf if you have the permissions set right.

I still think you need a valid DNS server in resolv.conf. This is an Internet product and you need to be able to negotiate the Internet via names to have things such as web hostnames resolve to IP addresses.

This should be a change you make.

Now perhaps this Cisco VPN product is being used for inbound connections. If it's being used for inbound connections and requires root user it's a piece of junk, it's insecure, it's risking your network and system and should simply not be used.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Stuart Browne
Honored Contributor

Re: Help CISCO VPN Client changes my resolv.conf

The Cisco VPN client has a client (and server, which overrides) side setting as to whether to allow you to use the LAN whilst connected to the VPN.

If that's the case, then any resolv.conf setting is useless anyway.

*whee!* Welcome to the wonderful (or is that horrible) world of Cisco VPN! :)

The client side stuff also inserts a kernel module.

It is secure (to the point that I'm not aware of any exploits), but it's painful to use.

We only use it for one client as they don't have anything else we can use. Bummer.. Gimmie SSH any day!
One long-haired git at your service...
U.SivaKumar_2
Honored Contributor

Re: Help CISCO VPN Client changes my resolv.conf

Hi,

Your VPN client is running with DHCP enabled, either within VPN vclient itself or by Linux. Please try to disable DHCP, use a static IP address, and get back with results.

regards,
U.SivaKumar
Innovations are made when conventions are broken
'chris'
Super Advisor

Re: Help CISCO VPN Client changes my resolv.conf

Hi

I've set up the server again with ext3
and NOT the reiserfs file system.

# chattr +i /etc/resolv.conf

and my resolv.conf will never be changed!

regards
chris