How to set a per-user resolv.conf

domain-name-systemresolv.conf

Is there a way to specify a per-user resolv.conf?

What I found are vague references to the possibility of having a per-user host file, but I'm not interested in that, I'm actually interested in a full resolv.conf, because I want to set different nameservers.

If you're asking why the point is testing cjdns nameserver(s) on a multi-user environment in which I don't want to affect other users of the system.

Would it be possible to perhaps abuse the nsswitch system?

Best Answer

Local filesystem namespaces are your friend, though they do require root permissions to set up.

sudo unshare --mount bash -s <<'EOF'
  mount --bind /path/to/your/resolv.conf /etc/resolv.conf
  sudo -u username-to-run-as command-to-run-with-alternate-resolv-conf 
EOF

If you want a script which will run an arbitrary command with your updated resolv.conf, consider:

#!/bin/bash
## usage: with-custom-resolver /path/to/resolv.conf cmd arg1 arg2 ...
## ...note that this requires root.

script=""
add_cmd() {
  local cmd_str
  printf -v cmd_str '%q ' "$@"
  script+="$cmd_str"$'\n'
}

resolv_conf=$1; shift

[[ $EUID = 0 ]] || { echo "Must be run as root" >&2; exit 1; }
[[ -e $resolv_conf ]] || { echo "No file found at: $resolv_conf" >&2; exit 1; }

add_cmd mount --bind "$resolv_conf" /etc/resolv.conf
add_cmd exec "$@"
unshare --mount sh -e -c "$script"

Thus, this could be used as:

with-custom-resolver your-resolv.conf sudo -u someuser some-command arg1

Related Solutions

Linux – configure BIND DNS on debian

Your original config:

$TTL    3600
@   IN  SOA example.com. admin.example.com. (
            2011101601  ; Serial
            3600        ; Refresh 1h
            60      ; Retry 1m
            86400       ; Expire 1d
            600 )       ; Negative Cache TTL 1h
;
@   IN  NS  localhost.

;
example.com.    IN CNAME localhost.
example.com.    IN A 127.0.0.1

should be changed to this:

$TTL    3600
@   IN  SOA example.com. admin.example.com. (
            2011101801  ; Serial
            3600        ; Refresh 1h
            60      ; Retry 1m
            86400       ; Expire 1d
            600 )       ; Negative Cache TTL 1h
;
@   IN  NS  ns1.example.com.

;
example.com.        IN A 127.0.0.1
ns1.example.com.    IN A 127.0.0.1
www.example.com.    IN CNAME example.com.

(did you notice that I also changed the serial? for every change you make on the config you need to alter the Serial. It's format is YEARMMDD and a two digit ID starting at 01 which you need to +1 every time you make a change. So for example if you made a second change on the config today, you should change it to 2011101802, on a third change it should be 2011101803, or if you would make a change tomorrow it should be 2011101901 etc. this is very important!)

Also make sure that on your webserver you have a virtual host configured as example.com

Check that your /etc/resolv.conf points to your local BIND and has nameserver 127.0.0.1 entry first. If you are using debian with Gnome then Network Manager might overwrite resolv.conf. One solution for this is just to add the nameserver to Network Manager through the GUI, but make sure that it is first in the list.

DNS – Second Nameserver in /etc/resolv.conf Not Picked Up by wget

The default behavior for resolv.conf and the resolver is to try the servers in the order listed. The resolver will only try the next nameserver if the first nameserver times out. The resolv.conf manpage says:

nameserver Name server IP address

Internet address (in dot notation) of a name server that the resolver should query. Up to MAXNS (currently 3, see ) name servers may be listed, one per keyword. If there are multiple servers, the resolver library queries them in the order listed.

And:

(The algorithm used is to try a name server, and if the query times out, try the next, until out of name servers, then repeat trying all the name servers until a maximum number of retries are made.)

Also see the resolver(5) manual page for more information.

You can alter the resolver's behavior using rotate, which will query the Nameservers in a round-robin order:

rotate sets RES_ROTATE in _res.options, which causes round robin selection of nameservers from among those listed. This has the effect of spreading the query load among all listed servers, rather than having all clients try the first listed server first every time.

However, nslookup will use the second nameserver if it receives a SERVFAIL from the first nameserver. From the nslookup manpage:

[no]fail Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response.

(Default = nofail)

Best Answer

Related Solutions

Linux – configure BIND DNS on debian

DNS – Second Nameserver in /etc/resolv.conf Not Picked Up by wget

Related Topic