Feature #10931
closedsystem.php: Add option to omit DNS Servers from resolv.conf
Description
Some users prefer that the system only use the DNS Resolver/Forwarder for DNS resolution, rather than the entries in resolv.conf. One example use case is when all DNS from the firewall should use DNS over TLS. If the DNS Resolver is temporarily unavailable, the system could skip the DNS Resolver and send queries directly in the clear.
Currently there is an option to not use the DNS Forwarder/Resolver, which should be changed to a drop-down menu with the following entries:
Firewall DNS Resolution Behavior
- Use DNS Resolver/Forwarder (127.0.0.1), fall back to DNS Servers (Default)
  - This option is the same as the current default with the box unchecked (resolv.conf has 127.0.0.1 then the other DNS servers)
- Use DNS Resolver/Forwarder (127.0.0.1), ignore DNS Servers
  - This option would change resolv.conf to only contain 127.0.0.1 and no other servers
- Use DNS Servers, ignore DNS Resolver/Forwarder
  - This option is the same as if the current box is checked (resolv.conf has the DNS servers listed, but not 127.0.0.1)
Also needs upgrade code to change the current option into the new format.
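To make the three behaviors concrete, here is an added example (my own code, not pfSense's system.inc or the changeset linked below) that renders the resolv.conf nameserver list for each drop-down entry, maps the old checkbox onto the new setting the way the requested upgrade code would, and audits an existing resolv.conf for non-loopback nameservers, which is exactly what lets a query leave the firewall in the clear when the Resolver is down. The enum name, function names and the 192.0.2.x / 2001:db8:: sample addresses are assumptions constructed for the example, not names from the project.

```python
"""Render and audit resolv.conf for the three 'DNS Resolution Behavior' modes.

Added example for the feature request; not pfSense code. Names below are
invented for illustration.
"""
import ipaddress
from enum import Enum

LOOPBACK = "127.0.0.1"  # the local DNS Resolver/Forwarder


class DnsBehavior(Enum):
    """The three entries of the proposed drop-down (names assumed)."""
    LOCAL_THEN_SERVERS = "local-then-servers"  # default: 127.0.0.1, then DNS servers
    LOCAL_ONLY = "local-only"                  # 127.0.0.1 only, no fallback
    SERVERS_ONLY = "servers-only"              # DNS servers only, no 127.0.0.1


def upgrade_legacy_option(dnslocalhost_checked: bool) -> DnsBehavior:
    """Upgrade path for the old single checkbox: checked meant "do not use the
    Resolver/Forwarder", so it becomes servers-only; unchecked was the default."""
    if dnslocalhost_checked:
        return DnsBehavior.SERVERS_ONLY
    return DnsBehavior.LOCAL_THEN_SERVERS


def resolv_conf_nameservers(mode: DnsBehavior, dns_servers) -> list:
    """Ordered nameserver list that belongs in resolv.conf for `mode`.

    `dns_servers` is the configured/dynamic server list. Blank entries,
    non-addresses, duplicates and loopback entries are dropped; loopback is
    contributed only by the mode itself so it cannot sneak into servers-only.
    """
    servers = []
    for raw in dns_servers:
        s = raw.strip()
        if not s:
            continue
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            continue  # resolv.conf takes addresses, not names
        if ip.is_loopback or s in servers:
            continue
        servers.append(s)
    if mode is DnsBehavior.LOCAL_ONLY:
        return [LOOPBACK]
    if mode is DnsBehavior.SERVERS_ONLY:
        return servers
    return [LOOPBACK] + servers


def render_resolv_conf(mode: DnsBehavior, dns_servers, search_domain=None) -> str:
    """Produce the text that would be written to /etc/resolv.conf."""
    lines = []
    if search_domain:
        lines.append(f"search {search_domain}")
    lines.extend(f"nameserver {s}" for s in resolv_conf_nameservers(mode, dns_servers))
    return "\n".join(lines) + "\n"


def parse_nameservers(resolv_conf_text: str) -> list:
    """Extract nameserver entries, ignoring '#'/';' comments and other keywords."""
    out = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def cleartext_fallback_servers(resolv_conf_text: str) -> list:
    """Non-loopback nameservers present in resolv.conf.

    The libc resolver walks the list in order and moves to the next entry when
    one times out, so any address returned here is a path for plain UDP/53
    queries to leave the box if the local Resolver is unavailable.
    """
    out = []
    for s in parse_nameservers(resolv_conf_text):
        try:
            if ipaddress.ip_address(s).is_loopback:
                continue
        except ValueError:
            pass  # unparsable entry: report it rather than trust it
        out.append(s)
    return out


if __name__ == "__main__":
    # Constructed sample input: two servers plus a duplicate.
    sample = ["192.0.2.53", "2001:db8::53", "192.0.2.53"]
    for mode in DnsBehavior:
        text = render_resolv_conf(mode, sample)
        print(f"--- {mode.value} ---\n{text}"
              f"cleartext fallback: {cleartext_fallback_servers(text)}\n")
```

The point worth keeping in mind when choosing "ignore DNS Servers": it fails closed. If Unbound is down, resolv.conf offers nothing else, so local resolution on the firewall simply fails rather than silently downgrading from DNS over TLS to cleartext, which is the trade the description asks for. The audit helper is also handy after an upgrade, to confirm the converted setting produced the resolv.conf you expected.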
Updated by Jim Pingle about 4 years ago
Tugged on a dangling thread of this sweater and unraveled quite a lot.
There were three functions with confusing names which did similar but not identical things, used inconsistently through the code, and also some places had code which did similar things but didn't use the functions. I standardized it all to use one function and fixed the name of one so it was less ambiguous. I did not check packages for affected code.
Changes:
- Changed the option on system.php as described in the original description, plus upgrade code to transition, and changed places which tested the option to the new format.
- system.inc / get_dns_nameservers()
  - Added extra parameter which can be used to return either the list to put in resolv.conf or the list of available name servers, depending on what the caller needs.
- system.inc / get_nameservers()
  - Renamed to get_dynamic_nameservers() and added interface filtering. Added sub function of the old name in case it was used by packages. If it's not used by packages, that can be removed.
- pfsense-utils.inc / get_dns_servers()
  - Unnecessarily read resolv.conf instead of using proper methods like get_dns_nameservers(). Deprecated. Now returns get_dns_nameservers(false, true). If it's not used in packages it can be completely removed.
- Various places which used the old/incorrect functions, duplicated code, or other methods like directly reading resolv.conf were updated to properly use get_dns_nameservers() instead.
- Changed status_interfaces.php to display the dynamically assigned DNS servers for an interface with each interface, rather than displaying all DNS servers on WAN.
Commit coming shortly.
Updated by Jim Pingle about 4 years ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset f0c51530cd31a5003d5a18cfa32575d0a9ff2f5f.
Updated by Viktor Gurov about 4 years ago
Dynamic IPv6 DNS servers fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/61
Updated by Jim Pingle about 4 years ago
- Status changed from Feedback to Pull Request Review
Updated by Renato Botelho about 4 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Viktor Gurov almost 4 years ago
- Status changed from Feedback to Resolved
Tested on 2.5.0.a.20210104.0250.
All modes change resolv.conf accordingly.