Network Manager / CentOS 7 / Local Unbound

Home » CentOS » Network Manager / CentOS 7 / Local Unbound
CentOS 8 Comments

Hello list –

That says it works for CentOS 5 and I *suspect* the methods there (3
listed) would work, but what is the best way with NetworkManager to set it up to use the localhost for DNS ?

I’m paranoid about DNS spoofing and really prefer to have a local instance of DNSSEC enforcing unbound running on my CentOS 7 virtual machines (e.g. linode)

Currently I just use a cron job that runs once a minute to over-write was it is /etc/resolv.conf so they don’t use the DHCP assigned nameservers, but that does leave a short window every time the network is restarted.

I’d like to know the proper way to set up Network Manager to just create

nameserver ::1

in /etc/resolv.conf

Via google, it seems every distro approaches it differently and most instructions I have seen involve a GUI.

I did not see how to do it in the CentOS documentation but it might be there and I just did not figure out how to search it for what I wanted.

Those stackexchange methods look like they might work but they reference CentOS 5 and I know some NetworkManager stuff changed even just between
7.2 and 7.3 as I experienced incorrect IPv6 address after update as a result of those changes.

Is there an “official” way to tell NetworkManager what I want in
/etc/resolv.conf ? Or better yet, a way to just tell it to leave that file alone?

8 thoughts on - Network Manager / CentOS 7 / Local Unbound

  • From the man page that does tell it not to mess with /etc/resolv.conf –
    thank you. That will work.


  • Hello, I think another option should be to put this inside ifcfg-xxx of the involved network adapter:


    So that it will not accept dns server eventually proposed by the dhcp server

  • Use nmtui to manually configure the the interface AND nameservers. That puts the correct info in the ifcfg files. Nmtui is a curses UI. Just don’t foret to specify the interface ip-address with the right netmask
    (e.g., default seems to e a /32, I have been bitten by that a numer of times)


  • Besides the suggested configs, if still worried you could set up an inotify watch on /etc/resolv.conf to let you know, or take action, whenever it changes.


  • I think configuring NetworkManager not to touch it is the right solution.

    Unless there are cases where NetworkManager ignores its configuration but I haven’t seen those.

    A fancier solution might be to have some kind of systemd script that rewrites it if and only if the unbound daemon has successfully started and I thought about looking in to doing that, but that means if the unbound daemon for some reason doesn’t start, it would be using the less secure ISP provided DNS resolution and I’d rather have it fail so I know there’s a problem and can investigate.

  • Across comments, there are actually more than 3 solutions. The shortest and simplest solution is to add one line containing
    “dns=none” to the [main] section of
    /etc/NetworkManager/NetworkManager.conf. Doing so will instruct NetworkManager not to update the resolv.conf file.