Feature #10931
closed
system.php: Add option to omit DNS Servers from resolv.conf
Added by Jim Pingle about 4 years ago.
Updated almost 4 years ago.
Description
Some users prefer that the system only use the DNS Resolver/Forwarder for DNS resolution, rather than the entries in resolv.conf. One example use case is when all DNS from the firewall should use DNS over TLS. If the DNS Resolver is temporarily unavailable, the system could skip the DNS Resolver and send queries directly in the clear.
Currently there is an option to not use the DNS Forwarder/Resolver, which should be changed to a drop-down menu with the following entries:
Firewall DNS Resolution Behavior
- Use DNS Resolver/Forwarder (127.0.0.1), fall back to DNS Servers (Default)
  - This option is the same as the current default with the box unchecked (resolv.conf has 127.0.0.1 then other DNS servers)
- Use DNS Resolver/Forwarder (127.0.0.1), ignore DNS Servers
  - This option would change resolv.conf to only contain 127.0.0.1 and no other servers
- Use DNS Servers, ignore DNS Resolver/Forwarder
  - This option is the same as if the current box is checked (resolv.conf has the DNS servers listed, but not 127.0.0.1)
Also needs upgrade code to change the current option into the new format.
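The three modes above describe what ends up in resolv.conf, and the security point is the fallback: with 127.0.0.1 listed first, the libc resolver moves on to the next nameserver if the local Resolver stops answering, so queries leave the firewall as plain UDP/53 even when the Resolver is configured for DNS over TLS. The following is an added example, not pfSense code; the mode names, function names and the documentation-range server list are assumptions for illustration. It models each mode as the nameserver list resolv.conf would carry and audits a resolv.conf body for whether a cleartext fallback path exists:

```python
"""Model the proposed "Firewall DNS Resolution Behavior" modes as resolv.conf
contents and audit a resolv.conf for cleartext fallback.

Added example, not pfSense code. DnsBehavior, the function names and the sample
server list are assumptions for illustration only.
"""

from enum import Enum
import ipaddress

LOCALHOST = "127.0.0.1"


class DnsBehavior(Enum):
    """The three values proposed for the system.php drop-down (assumed names)."""
    LOCAL_THEN_SERVERS = "local_then_servers"  # Use Resolver/Forwarder, fall back to DNS Servers (Default)
    LOCAL_ONLY = "local_only"                  # Use Resolver/Forwarder, ignore DNS Servers
    SERVERS_ONLY = "servers_only"              # Use DNS Servers, ignore Resolver/Forwarder


def resolv_conf_nameservers(behavior, dns_servers):
    """Return the ordered nameserver list resolv.conf would carry for a mode.

    dns_servers is the list of configured/dynamic "DNS Servers"; 127.0.0.1 is
    filtered out of it so the loopback entry appears at most once.
    """
    servers = [s for s in dns_servers if s != LOCALHOST]
    if behavior is DnsBehavior.LOCAL_THEN_SERVERS:
        return [LOCALHOST] + servers
    if behavior is DnsBehavior.LOCAL_ONLY:
        return [LOCALHOST]
    if behavior is DnsBehavior.SERVERS_ONLY:
        return servers
    raise ValueError(f"unknown behavior: {behavior!r}")


def render_resolv_conf(behavior, dns_servers, domain=None):
    """Render a minimal resolv.conf body for the chosen mode."""
    lines = []
    if domain:
        lines.append(f"domain {domain}")
    lines.extend(f"nameserver {ns}" for ns in resolv_conf_nameservers(behavior, dns_servers))
    return "\n".join(lines) + "\n"


def parse_nameservers(text):
    """Extract nameserver addresses from resolv.conf text ('#' and ';' start comments)."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1])
    return found


def _is_loopback(addr):
    # Strip an IPv6 zone id such as fe80::1%em0 before parsing; anything that
    # still fails to parse is treated as non-loopback (the conservative answer).
    try:
        return ipaddress.ip_address(addr.split("%", 1)[0]).is_loopback
    except ValueError:
        return False


def cleartext_fallback_possible(text):
    """True when resolv.conf lists any non-loopback nameserver.

    The libc resolver walks the nameserver list in order, so if the local
    Resolver stops answering, queries go to the next entry as plain UDP/53 and
    bypass DNS over TLS. Only the "ignore DNS Servers" mode yields False here.
    """
    return any(not _is_loopback(ns) for ns in parse_nameservers(text))


if __name__ == "__main__":
    # Constructed sample server list (RFC 5737 / RFC 3849 documentation addresses).
    sample = ["192.0.2.53", "2001:db8::53"]
    for mode in DnsBehavior:
        conf = render_resolv_conf(mode, sample, domain="example.net")
        print(f"--- {mode.value}: cleartext fallback possible = {cleartext_fallback_possible(conf)}")
        print(conf, end="")
```

Running the script prints the resolv.conf body each mode would produce; a practitioner who wants DoT-only behaviour can point cleartext_fallback_possible() at the live /etc/resolv.conf after saving the option to confirm that no non-loopback nameserver remains.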
- Status changed from New to In Progress
Tugged on a dangling thread of this sweater and unraveled quite a lot.
There were three functions with confusing names which did similar but not identical things, used inconsistently through the code, and also some places had code which did similar things but didn't use the functions. I standardized it all to use one function and fixed the name of one so it was less ambiguous. I did not check packages for affected code.
Changes:
- Changed the option on system.php as described in the original description, plus upgrade code to transition, and changed places which tested the option to the new format.
system.inc / get_dns_nameservers()
- Added extra parameter which can be used to return either the list to put in resolv.conf or the list of available name servers, depending on what the caller needs.
system.inc / get_nameservers()
- Renamed to get_dynamic_nameservers() and added interface filtering. Added a sub-function with the old name in case it was used by packages. If it's not used by packages, that can be removed.
pfsense-utils.inc / get_dns_servers()
- Unnecessarily read resolv.conf instead of using proper methods like get_dns_nameservers(). Deprecated. Now returns get_dns_nameservers(false, true). If it's not used in packages it can be completely removed.
- Various places which used the old/incorrect functions, duplicated code, or other methods like directly reading resolv.conf were updated to properly use get_dns_nameservers() instead.
- Changed status_interfaces.php to display the dynamically assigned DNS servers for an interface with each interface, rather than displaying all DNS servers on WAN.
Commit coming shortly.
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
- Status changed from Feedback to Pull Request Review
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
- Status changed from Feedback to Resolved
Tested on 2.5.0.a.20210104.0250. All modes change resolv.conf accordingly.