[GH-ISSUE #73] mistaken resolvconf.service #32

Closed
opened 2026-03-03 13:58:32 +03:00 by kerem · 9 comments

Originally created by @hellresistor on GitHub (Jun 7, 2020).
Original GitHub issue: https://github.com/konstruktoid/hardening/issues/73

Get this:

```
[7] Systemd/resolved.conf
Unit resolvconf.service could not be found.
```
kerem closed this issue 2026-03-03 13:58:32 +03:00

@konstruktoid commented on GitHub (Jun 8, 2020):

Can you provide some logs and info about your system?


@hellresistor commented on GitHub (Jun 8, 2020):

How? I am running a basic Ubuntu Server 18 LTS in VMware:

CPU x4
RAM 2GB (maybe not much?)
40GB SCSI virtual

hardening-tester-200608.log (https://github.com/konstruktoid/hardening/files/4747546/hardening-tester-200608.log)

@konstruktoid commented on GitHub (Jun 8, 2020):

```
~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.4 LTS
Release:        18.04
Codename:       bionic
tsj@bifrost:~$ stat /etc/systemd/resolved.conf 
  File: /etc/systemd/resolved.conf
  Size: 601             Blocks: 8          IO Block: 4096   regular file
Device: b302h/45826d    Inode: 67136       Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2020-06-08 19:21:50.150141468 +0000
Modify: 2018-04-20 16:55:56.000000000 +0000
Change: 2020-02-03 18:26:20.000000000 +0000
 Birth: -
~$ dpkg -S /etc/systemd/resolved.conf 
systemd: /etc/systemd/resolved.conf
~$ grep -v '^#' /etc/systemd/resolved.conf

[Resolve]
~$
```

Test script:

```bash
#!/bin/bash

RESOLVEDCONF='/etc/systemd/resolved.conf'

function f_resolvedconf {
  # SCRIPT_COUNT and VERBOSE are set by the full hardening script; run on its
  # own, both are empty, so the header prints as "[] Systemd/resolved.conf"
  # and the status call at the end is skipped.
  echo "[$SCRIPT_COUNT] Systemd/resolved.conf"

  local dnsarray
  local dnslist

  # Collect the current nameservers. On Ubuntu 18.04 /etc/resolv.conf is
  # normally a symlink to resolved's stub file, so this yields 127.0.0.53.
  mapfile -t dnsarray < <( grep ^nameserver /etc/resolv.conf | sed 's/^nameserver\s//g' )
  dnslist=${dnsarray[*]}

  # Pad to at least two servers. With an empty dnsarray this leaves a
  # leading space, which is where "DNS= 1.1.1.1" in the output comes from.
  if [ ${#dnsarray[@]} -lt 2 ]; then
    dnslist="$dnslist 1.1.1.1"
  fi

  # GNU sed -i without --follow-symlinks replaces a symlinked resolv.conf
  # with a regular file, detaching it from systemd-resolved's stub file.
  sed -i '/^nameserver/d' /etc/resolv.conf

  for n in $dnslist; do
    echo "nameserver $n" >> /etc/resolv.conf
  done

  # Only commented-out defaults are rewritten; a key the shipped file does
  # not list (or that is already set) is left untouched.
  sed -i "s/^#DNS=.*/DNS=$dnslist/" "$RESOLVEDCONF"
  sed -i "s/^#FallbackDNS=.*/FallbackDNS=1.0.0.1/" "$RESOLVEDCONF"
  sed -i "s/^#DNSSEC=.*/DNSSEC=allow-downgrade/" "$RESOLVEDCONF"
  sed -i "s/^#DNSOverTLS=.*/DNSOverTLS=opportunistic/" "$RESOLVEDCONF"

  # Let glibc ask resolved (via nss-resolve) before falling back to plain dns.
  sed -i '/^hosts:/ s/files dns/files resolve dns/' /etc/nsswitch.conf

  systemctl daemon-reload

  # This queries resolvconf.service, the unit the issue reports as missing;
  # the unit that reads resolved.conf is systemd-resolved.service.
  if [[ $VERBOSE == "Y" ]]; then
    systemctl status resolvconf.service --no-pager
    echo
  fi

  ((SCRIPT_COUNT++))
}

f_resolvedconf
```

```
~$ grep -v '^#' /etc/systemd/resolved.conf

[Resolve]
DNS= 1.1.1.1
FallbackDNS=1.0.0.1
DNSSEC=allow-downgrade
```
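The test script above rewrites commented defaults in place and reads whatever `/etc/resolv.conf` lists, which is how the stub address and a leading space can end up in `DNS=`, and why the `DNSOverTLS` line never appears in the resulting file (the shipped file on this release lists no `#DNSOverTLS=` default for the sed to match). The following is an added example, not code from the hardening project or from anyone in this thread: it builds the server list while filtering the stub address, writes the whole `[Resolve]` section instead of depending on which defaults are commented, verifies the result, and picks the resolver unit to inspect from a unit list. The file paths and the sample inputs are parameters and constructed data, not live system files.

```shell
#!/bin/sh
# Added example, not the hardening project's code. Paths are parameters so
# the functions can be exercised on scratch copies rather than live /etc files.

STUB_RESOLVER='127.0.0.53'   # address of systemd-resolved's local stub listener

# Print a space-separated nameserver list read from $1 (resolv.conf format).
# The stub address is dropped (putting 127.0.0.53 into DNS= would make
# resolved forward queries to itself), duplicates are removed, and the list
# is padded to at least two entries with 1.1.1.1. No leading space is emitted.
build_dns_list() {
  _servers=""
  _count=0
  for _ns in $(awk '/^nameserver[ \t]+/ {print $2}' "$1"); do
    [ "$_ns" = "$STUB_RESOLVER" ] && continue
    case " $_servers " in
      *" $_ns "*) continue ;;
    esac
    _servers="${_servers:+$_servers }$_ns"
    _count=$((_count + 1))
  done
  if [ "$_count" -lt 2 ]; then
    case " $_servers " in
      *" 1.1.1.1 "*) ;;
      *) _servers="${_servers:+$_servers }1.1.1.1" ;;
    esac
  fi
  printf '%s\n' "$_servers"
}

# Write a complete [Resolve] section to $2 using the list in $1. Writing the
# whole section means the result does not depend on which keys the shipped
# resolved.conf happens to list as commented defaults.
render_resolved_conf() {
  cat > "$2" <<EOF
[Resolve]
DNS=$1
FallbackDNS=1.0.0.1
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
EOF
}

# Return 0 when the DNS= line in $1 exists, has no leading space and does
# not carry the stub address; 1 otherwise.
check_resolved_conf() {
  _dns=$(awk -F= '/^DNS=/ {print $2; exit}' "$1")
  case "$_dns" in
    ''|' '*|*"$STUB_RESOLVER"*) return 1 ;;
  esac
  return 0
}

# Read `systemctl list-unit-files --type=service --no-legend` output on stdin
# and print the unit that owns resolved.conf: systemd-resolved.service when it
# is installed, resolvconf.service only if that is what exists, else "none".
pick_resolver_unit() {
  awk '$1 == "systemd-resolved.service" { unit = $1 }
       $1 == "resolvconf.service" && unit == "" { unit = $1 }
       END { print (unit == "" ? "none" : unit) }'
}

# Demonstration on constructed input (not a capture from the thread's host),
# mirroring the case where resolv.conf only lists the stub address.
demo() {
  _tmp=$(mktemp -d)
  printf 'nameserver 127.0.0.53\nsearch example.invalid\n' > "$_tmp/resolv.conf"
  _list=$(build_dns_list "$_tmp/resolv.conf")
  render_resolved_conf "$_list" "$_tmp/resolved.conf"
  check_resolved_conf "$_tmp/resolved.conf" && echo "DNS=$_list"
  printf 'ssh.service enabled\nsystemd-resolved.service static\n' | pick_resolver_unit
  rm -rf "$_tmp"
}

demo
```

On a real host, point `render_resolved_conf` at a drop-in such as `/etc/systemd/resolved.conf.d/hardening.conf` rather than overwriting the shipped file, then `systemctl restart` the unit that `pick_resolver_unit` reports; `systemctl daemon-reload` alone does not make resolved re-read its configuration. Note that `DNSSEC=allow-downgrade` and `DNSOverTLS=opportunistic` both fall back to unvalidated, plaintext DNS when the upstream does not support them, so they raise the bar only against a passive observer, not an active one.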

@hellresistor commented on GitHub (Jun 8, 2020):

Result:

```
tester:~$ sudo bash test.sh
[sudo] password for tester:
[] Systemd/resolved.conf
tester:~$ grep -v '^#' /etc/systemd/resolved.conf

[Resolve]
DNS=127.0.0.53 1.1.1.1
FallbackDNS=1.0.0.1
DNSSEC=allow-downgrade
```

@konstruktoid commented on GitHub (Jun 8, 2020):

So that file seemed to exist?


@hellresistor commented on GitHub (Jun 8, 2020):

Yes! Both files, resolv.conf and resolved.conf, in their respective directories.

The log file doesn't have all the data recorded; it has blank lines instead of the info.

@konstruktoid commented on GitHub (Jun 8, 2020):

Thanks for reporting this @hellresistor, I believe this is fixed with https://github.com/konstruktoid/hardening/commit/117e27ff6a1b52844249426bad9bec0141908164

@hellresistor commented on GitHub (Jun 8, 2020):

I have updated and run the command, getting this output:

```
@tester:~$ sudo journalctl -r -n10 -u systemd-resolved --no-pager
-- Logs begin at Sun 2019-11-17 12:46:12 UTC, end at Mon 2020-06-08 20:16:51 UTC. --
Jun 08 19:23:04 tester systemd-resolved[867]: Positive Trust Anchors:
Jun 08 19:23:04 tester systemd[1]: Starting Network Name Resolution...
-- Reboot --
Jun 08 19:22:56 tester systemd[1]: Stopped Network Name Resolution.
Jun 08 19:22:56 tester systemd[1]: Stopping Network Name Resolution...
Jun 08 19:21:46 tester systemd-resolved[878]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Jun 08 19:21:08 tester systemd-resolved[878]: DNSSEC validation failed for question whois.arin.net IN A: failed-auxiliary
Jun 08 19:21:08 tester systemd-resolved[878]: DNSSEC validation failed for question whois.arin.net IN AAAA: failed-auxiliary
Jun 08 19:21:08 tester systemd-resolved[878]: DNSSEC validation failed for question 1.0.0.224.in-addr.arpa IN PTR: failed-auxiliary
Jun 08 19:21:08 tester systemd-resolved[878]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Jun 08 19:20:34 tester systemd[1]: Started Network Name Resolution.
```

@konstruktoid commented on GitHub (Jun 8, 2020):

Yeah, it's just verbose output of the systemd dns configuration so that's expected.

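The journal excerpt above is what `DNSSEC=allow-downgrade` produces in normal operation, but it is also the only place the downgrade is visible: in that mode resolved keeps answering, so a host whose upstream mishandles DNSSEC looks healthy from the client side. The following is an added example, not code from the thread or the hardening project: a small triage filter that counts validation failures per queried name, DVE-2018-0001 retries and service starts from systemd-resolved journal lines, so the messages can be tracked rather than read once and dismissed. The sample lines are constructed to match the message shapes shown above, not a capture from the reporter's host.

```shell
#!/bin/sh
# Added example, not the hardening project's code. Summarises systemd-resolved
# journal lines; on a live host feed it with
#   journalctl -u systemd-resolved --no-pager | summarise_resolved_log

# Constructed sample with the same message shapes as the excerpt in the thread.
sample_resolved_log() {
  cat <<'EOF'
Jun 08 19:21:08 tester systemd-resolved[878]: DNSSEC validation failed for question whois.arin.net IN A: failed-auxiliary
Jun 08 19:21:08 tester systemd-resolved[878]: DNSSEC validation failed for question whois.arin.net IN AAAA: failed-auxiliary
Jun 08 19:21:08 tester systemd-resolved[878]: DNSSEC validation failed for question 1.0.0.224.in-addr.arpa IN PTR: failed-auxiliary
Jun 08 19:21:08 tester systemd-resolved[878]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Jun 08 19:20:34 tester systemd[1]: Started Network Name Resolution.
EOF
}

# Reads journal lines on stdin. Prints one summary line, then one line per
# name whose DNSSEC validation failed. The queried name is the token that
# follows the word "question" in the resolved message.
summarise_resolved_log() {
  awk '
    /DNSSEC validation failed for question/ {
      for (i = 1; i <= NF; i++) if ($i == "question") { name = $(i + 1); break }
      failed[name]++; dnssec++; next
    }
    /mitigating potential DNS violation DVE-2018-0001/ { dve++; next }
    /Started Network Name Resolution/ { starts++; next }
    END {
      printf "dnssec_failures=%d dve_retries=%d starts=%d\n", dnssec, dve, starts
      for (n in failed) printf "name=%s failures=%d\n", n, failed[n]
    }'
}

sample_resolved_log | summarise_resolved_log
```

A steady trickle of failures against many different names, or a rising `starts` count, is worth a look; repeated failures for one name, as in the sample, usually point at that zone's upstream rather than at the host. Nothing here changes resolver behaviour; it only makes the downgrade that `allow-downgrade` permits observable.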