systemd and search domains.

Joshua Judson Rosen rozzin at hackerposse.com
Wed Jan 8 17:58:24 EST 2020


So, I don't know anything about GlobalProtect per se (this is the first I've even heard of it...);
but...:

On 1/8/20 5:24 PM, Ken D'Ambrosio wrote:
> 
> * I used to do the dnsmasq thing, and it works really well, but it's kind of a pain to set up all the DNS servers and stuff for internal use, and you occasionally get stuff wrong.

FYI managing dnsmasq's back-end DNS server config is actually something that openresolv/resolvconf handle :)

Though I'm not sure adding dnsmasq really addresses the "search domain" issue.

> * I tried Joshua's suggestion of openresolv, and it's got exactly what I want, and happily prepends the domain to resolv.conf... until the VPN (GlobalProtect) steps on it.

Well, crap. So my next question was going to be, "are you actually using GlobalProtect per se
or are you (can you?) use OpenConnect? Because I bet we could just hook OpenConnect into resolvconf
if it doesn't already have a hook..."; but then you went ahead and answered that...:

> I *think* I'd be able to make it work through OpenConnect, except that it seems OpenConnect
> isn't doing MFA (at least, with the GlobalProtect?)  Nutshell: clearly, it's time for
> a self-written inotify daemon and call it a day.
> Because it's stupid easy to prepend a line with my domain name every time the file changes,
> whereas I'm gettin' old trying to figure this out through a more elegant mechanism.

Ha! An inotify monitor actually seems like a pretty elegant solution to me!
(though maybe I should point out that I got some of my aesthetic sense
  from growing up watching The Red Green Show...).

The only other option that comes to mind for me is "figure out how to just block writes from the GlobalProtect process"
(I'm guessing GlobalProtect is running as root, but you could use an SELinux or AppArmor policy
  or something to deal with that?).

Watch out for the "inotify handler writes and re-triggers itself, resulting in an infinitely long 'search' line" problem,
obviously? :)

-- 
Connect with me on the GNU social network! <https://status.hackerposse.com/rozzin>
Not on the network? Ask me for more info!


More information about the gnhlug-discuss mailing list
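The inotify approach discussed in this thread, as an added example that is not code from the original message or from any tool named in it (GlobalProtect, openresolv, dnsmasq): a small Python watcher that puts a chosen domain back at the front of the "search" line every time resolv.conf is rewritten. It is built around the caveat in the last paragraph: the file is written only when its content would actually change, so the watcher's own rename does not re-trigger a write, and the search list is deduplicated so it cannot grow. The domain name home.example.net, the paths, and the sample file contents are constructed assumptions; inotify is reached through ctypes and libc, so this is Linux-only.

```python
#!/usr/bin/env python3
"""Added example: keep an assumed domain first in resolv.conf's 'search' line,
re-applying it whenever another process (VPN client, resolvconf, ...) rewrites
the file. Domain, paths and sample contents below are assumptions."""
import ctypes
import ctypes.util
import os
import struct
import tempfile

RESOLV_DIR = "/etc"                # assumed location of the file
RESOLV_NAME = "resolv.conf"
MY_DOMAIN = "home.example.net"     # assumed domain to keep first

# inotify masks from <sys/inotify.h>; header layout: wd, mask, cookie, name_len.
IN_CLOSE_WRITE = 0x00000008
IN_MOVED_TO = 0x00000080
_EVENT_HDR = struct.Struct("iIII")


def rewrite_search(content, domain):
    """Return (new_content, changed) with `domain` first in the search list.
    All 'search' lines are merged and deduplicated into one line at the
    position of the first (glibc only honours the last one anyway).
    `changed` is False when the file is already right: that is what stops
    the watcher from re-triggering itself and growing the line forever."""
    out, domains, search_idx = [], [], None
    for line in content.splitlines():
        fields = line.split()
        if fields and fields[0] == "search":
            if search_idx is None:
                search_idx = len(out)
                out.append(None)           # placeholder, filled in below
            for d in fields[1:]:
                if d not in domains:
                    domains.append(d)
            continue
        out.append(line)
    if domain in domains:
        domains.remove(domain)
    domains.insert(0, domain)
    search_line = "search " + " ".join(domains)
    if search_idx is None:
        out.append(search_line)
    else:
        out[search_idx] = search_line
    new_content = "\n".join(out) + "\n"
    return new_content, new_content != content


def ensure_search_domain(path, domain):
    """Rewrite `path` atomically if needed; return True when a write happened."""
    target = os.path.realpath(path)  # follow a symlink (e.g. into /run) rather than replace it
    with open(target, encoding="utf-8", errors="replace") as f:
        current = f.read()
    new_content, changed = rewrite_search(current, domain)
    if not changed:
        return False
    # Write-then-rename: readers never see a half-written file, and the
    # watcher gets a single IN_MOVED_TO instead of a burst of partial writes.
    fd, tmp = tempfile.mkstemp(prefix=".resolv.", dir=os.path.dirname(target))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(new_content)
        os.chmod(tmp, 0o644)   # mkstemp creates 0600; resolv.conf must be world-readable
        os.replace(tmp, target)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return True


def watch_loop(directory=RESOLV_DIR, filename=RESOLV_NAME, domain=MY_DOMAIN):
    """Block forever. The watch is on the directory, not the file: most tools
    (and this script) replace resolv.conf by rename, which would leave a
    watch on the old inode stale."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    ifd = libc.inotify_init()
    if ifd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init failed")
    if libc.inotify_add_watch(ifd, directory.encode(), IN_CLOSE_WRITE | IN_MOVED_TO) < 0:
        raise OSError(ctypes.get_errno(), "inotify_add_watch failed")
    path = os.path.join(directory, filename)
    ensure_search_domain(path, domain)       # fix whatever is there at startup
    while True:
        buf, off = os.read(ifd, 64 * 1024), 0
        while off + _EVENT_HDR.size <= len(buf):
            _wd, mask, _cookie, name_len = _EVENT_HDR.unpack_from(buf, off)
            off += _EVENT_HDR.size
            name = buf[off:off + name_len].rstrip(b"\0").decode("utf-8", "replace")
            off += name_len
            if name == filename and mask & (IN_CLOSE_WRITE | IN_MOVED_TO):
                try:   # our own rename lands here too; 'unchanged' means no write, no loop
                    ensure_search_domain(path, domain)
                except FileNotFoundError:
                    pass   # mid-replace by someone else; the next event catches it


def run_demo():
    """Constructed sample resolv.conf as a VPN client might leave it.
    Returns (first_write_happened, second_write_happened, final_content)."""
    sample = "# Generated by the VPN client\nnameserver 10.0.0.53\nsearch corp.example.com\n"
    path = os.path.join(tempfile.mkdtemp(), RESOLV_NAME)
    with open(path, "w", encoding="utf-8") as f:
        f.write(sample)
    first = ensure_search_domain(path, MY_DOMAIN)
    second = ensure_search_domain(path, MY_DOMAIN)   # must be a no-op
    with open(path, encoding="utf-8") as f:
        return first, second, f.read()


if __name__ == "__main__":
    print(run_demo())
    watch_loop()
```

Run as root to act on the real /etc/resolv.conf; the second `ensure_search_domain` call in `run_demo` returning False is the property that matters, since it is exactly what the watcher relies on after its own rename comes back as an IN_MOVED_TO event. Note that this does nothing about a `domain` directive, which glibc treats as mutually exclusive with `search` (the last of the two wins).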