Strange resolv.conf files in /etc

Hi again.

I have these lines in my /etc/resolv.conf file:

search site
nameserver 8.8.8.8
nameserver 8.8.4.4

I think they’re Google’s DNS servers, and I have them because, when first installing openSUSE 12.1 x86_64 with GNOME 3.2, Software Manager, openSUSE’s main site and a few other ones took way too much to load, and adding these DNS solved the issues.

But now I realize I have many strange (ghost?) resolv.conf files as shown in the picture:
SUSE Paste
Some of them even having a cross, which probably means they cannot be modified or deleted unless logged as root or something…

Why do I have those ugly files?

Also, I heard rumors about a DNS changer trojan and the shutting down of thousands of servers this July 9th. Is it all true? Are these nameservers in my file at risk?
I suspect this is not totally true, but I wanted an opinion…

Thanks for all your help.

On 07/07/2012 06:46 AM, F style wrote:

>
> nameserver 8.8.8.8
> nameserver 8.8.4.4

just like mine, perfect!

>
> adding these DNS solved the issues.

yes, but i wonder if you remember (or can find) how those lines got
added…that is, did you directly edit that file, or did you make the
changes in (for example) YaST or Network Manager or ??

i ask because (keep reading)

> ‘SUSE Paste’ (http://paste.opensuse.org/98398064)
> Some of them even having a cross, which probably means they cannot be
> modified or deleted unless logged as root or something…
>
> Why do I have those ugly files?

i think you have those files because of the way you added the Google
DNSs to your system–and i think you used YaST or some other tool to do
it indirectly…i say that because it seems that what you are seeing
is a series of old files saved as a result of newly created resolv.conf

that is, instead of making a new file and backing up the old one as (for
example) resolv.conf-backup01 then the next resolv.conf-backup02 and
resolv.conf-backup03 etc etc…whatever is making the new files is
adding a random suffix…

but, i do not know what is making a new file or why–what i do know is
that i directly edited my resolv.conf and removed the line in it which
had said “### Please remove (at least) this line when you modify the
file!” and i do not have random suffix old files like yours, see:


denverd@linux:~> ls -hal /etc/resolv.con*
-rw-r--r-- 1 root root 950 May 24 21:23 /etc/resolv.conf
-rw-r--r-- 1 root root 849 Sep 20  2011 /etc/resolv.conf~
-rw-r--r-- 1 root root 840 Aug 12  2011 /etc/resolv.conf.bak
-rw-r--r-- 1 root root 840 Jul  7 05:00 /etc/resolv.conf.netconfig
denverd@linux:~>

at any rate they take VERY little space and i wouldn’t delete them or
worry about them…but if you decide to do either be careful and don’t
delete resolv.conf (hmmmmm, though it might be regenerated on next
boot…i don’t know, and wouldn’t take the chance to find out)…

and, though i’m not sure why some of the icons have an X and some don’t,
i do not believe any can be removed without root powers…

> Also, I heard rumors about a DNS changer trojan and the shutting down
> of thousands of servers this July 9th. Is it all true? Are these
> nameservers in my file at risk?
> I suspect this is not totally true, but I wanted an opinion…

what you wrote is partially true:

-there is/was(?) a windows trojan that changed which DNS servers the
infected system pointed at…

-if you had been ‘infected’ your resolv.conf would not contain the
google DNS servers…

-the google servers are NOT at risk–check your machine now at:
http://www.dns-ok.us/ (use the link at the bottom of that page to learn
more than you need to know)

-the part that is not true is “the shutting down of thousands of servers
this July 9th”: what will be shut down on 9 July are the few DNS servers
set up and operated by the FBI at the IPs which the trojan was sending
unsuspecting Windows users to…

so, when the FBI shuts down those servers (and the crooks’ servers can’t
be contacted) all of those folks (estimated to be 45k+ in the USA alone)
will be off the net…

if the above link is not enough info, see:
https://www.google.com/search?q=DNS+trojan+FBI


dd

Please, simply show the output of

ls -l /etc/resolv*

and not those GUI windows.

On 2012-07-07 06:46, F style wrote:

> But now I realize I have many strange (ghost?) resolv.conf files as
> shown in the picture:
> ‘SUSE Paste’ (http://paste.opensuse.org/98398064)
> Some of them even having a cross, which probably means they cannot be
> modified or deleted unless logged as root or something…
>
> Why do I have those ugly files?

First, they are a non-issue. No problem at all to you, just delete them
with a clear conscience if you want to reclaim that visual space :-)

As they don’t have the correct name, they are not used for anything, no
security issue.

Why are they there?

Probably because a configuration program uses a temporary name for changes,
applies them and then forgets removing the temporary file (a bug) or fails
to apply the change and leaves the file there (a bug). Having a look at the
files and the dates might tell you who is the culprit - I vote for network
manager.

If you find that out, file a bugzilla.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Here’s something to try:

1: logout from your desktop.
2: Use CTRL-ALT-F1 to get a virtual console session.
3: login as root (at the virtual console).

cd /etc

rm resolv.conf*

shutdown -r now

That should clean up the files, and reboot. It will probably stop your problem from repeating. However, if you find that you don’t have a reliable DNS server after reboot, you might have to add back those google servers. And possibly the “problem” will then start all over.

On 07.07.2012 16:06, nrickert wrote:
> # rm resolv.conf*

Honestly I would not use that since it will delete the resolv.conf as
well. I would use


su -c "rm /etc/resolv.conf.*"


PC: oS 12.1 x86_64 | i7-2600@3.40GHz | 16GB | KDE 4.8.4 | GeForce GT 420
ThinkPad E320: oS 12.1 x86_64 | i3@2.30GHz | 8GB | KDE 4.8.4 | HD 3000
eCAFE 800: oS 12.1 i586 | AMD Geode LX 800@500MHz | 512MB | KDE 3.5.10
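
Two checks raised in this thread, as an added example that is not part of any post: confirming that resolv.conf lists only the resolvers you expect (here the 8.8.8.8 and 8.8.4.4 from the first post), and listing leftover resolv.conf siblings with their dates without touching the live file. ETC_DIR, the function names and the script name in the comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example. ETC_DIR is an assumption so the checks can run on a copy.
ETC_DIR="${ETC_DIR:-/etc}"

# Print the addresses on "nameserver" lines; comments and blanks are skipped.
nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# Print each nameserver in file $1 that is not in the allowlist ($2 ...).
# Returns 0 if every entry is expected, 1 if any entry is not.
unexpected_nameservers() {
    file=$1; shift
    rc=0
    for ns in $(nameservers "$file"); do
        found=no
        for ok in "$@"; do
            if [ "$ns" = "$ok" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then echo "$ns"; rc=1; fi
    done
    return "$rc"
}

# List leftover siblings of resolv.conf. The pattern needs at least one
# character after the name, so it matches resolv.conf~ and resolv.conf.bak
# but can never match the live resolv.conf (unlike "resolv.conf*").
stray_resolv_files() {
    for f in "$ETC_DIR"/resolv.conf?*; do
        [ -f "$f" ] || continue   # unmatched glob or not a regular file
        echo "$f"
    done
}

# Show owner, date and nameservers of each leftover so its origin can be judged.
report() {
    stray_resolv_files | while IFS= read -r f; do
        ls -l -- "$f"
        nameservers "$f" | sed 's/^/    nameserver /'
    done
}

# Run as: sh audit-resolv.sh --report   (allowlist taken from the first post)
case "${1:-}" in
    --report)
        report
        unexpected_nameservers "$ETC_DIR/resolv.conf" 8.8.8.8 8.8.4.4 \
            || echo "unexpected nameserver(s) listed above" ;;
esac
```

Nothing here deletes anything; the listing only shows what a later `rm` would affect.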

I added the lines by directly editing resolv.conf file with Gedit.
Regarding the DNS changer, I clicked the link you mentioned and got a green light, though I don’t live in USA anyway, so I wonder if it was worth…
I did some reading too, but anyway, call me paranoid if you want (I’m not so old in age…) but I hope that dns-ok link wasn’t kind of a government hidden spying strategy…

Thanks for your help.

While traveling, last summer, I had DNS woes with the hotel WiFi, so I entered the google DNS servers.

Later, back at home, I discovered that I was still using the google DNS servers.

It seems that the DHCP client was recognizing that “resolv.conf” had been manually edited, and was refusing to update it.

It looks to me as if the OP has the same problem. Deleting all “resolv.conf*” files and then rebooting will allow the DHCP client to start over anew.

On 07/07/2012 12:06 PM, F style wrote:
>
> dd@home.dk;2473111 Wrote:
>> On 07/07/2012 06:46 AM, F style wrote:
> > denverd@linux:~> ls -hal /etc/resolv.con*
> > -rw-r--r-- 1 root root 950 May 24 21:23 /etc/resolv.conf
> > -rw-r--r-- 1 root root 849 Sep 20 2011 /etc/resolv.conf~
> > -rw-r--r-- 1 root root 840 Aug 12 2011 /etc/resolv.conf.bak
> > -rw-r--r-- 1 root root 840 Jul 7 05:00 /etc/resolv.conf.netconfig
> > denverd@linux:~>

The version that ends with the tilde (~), and the one that ends with .bak are
backup files saved by two different editors. The one that ends in .netconfig is
one that was created by openSUSE; however, they will never overwrite your copy
if you have changed it. Your system is fine.

> I did some reading too, but anyway, call me paranoid if you want (I’m
> not so old in age…) but I hope that dns-ok link wasn’t kind of a
> government hidden spying strategy…

You are being too paranoid. This site is not owned by any government, but was
apparently established by an individual to provide a service. The whois info for
the site is


Domain Name:                                 DNS-OK.US
Domain ID:                                   D34989020-US
Sponsoring Registrar:                        TUCOWS.COM CO.
Registrar URL (registration services):       whois.opensrs.org
Domain Status:                               ok
Registrant ID:                               TUPI0X2BFXO1CUI4
Registrant Name:                             Paul or Victoria Vixie
Registrant Organization:                     Vixie Freehold
Registrant Address1:                         11400 La Honda Road
Registrant City:                             Woodside
Registrant State/Province:                   CA
Registrant Postal Code:                      94062
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.6504231383
Registrant Email:                            paul@redbarn.org
Registrant Application Purpose:              P4
Registrant Nexus Category:                   C11

So if it’s a particular one, couldn’t it be malicious?

On 07/07/2012 02:56 PM, F style wrote:
>
> So if it’s a particular one, couldn’t it be malicious?

You didn’t reference enough for me to know what you are asking about.

Yes, anything could be malicious; however, the DNS servers at 8.8.8.8 and
8.8.4.4 are OK. I trust Google.

On 2012-07-07 20:26, nrickert wrote:
> It looks to me as if the OP has the same problem. Deleting all
> “resolv.conf*” files and then rebooting will allow the DHCP client to
> start over anew.

His system is not exhibiting any problem, except a few extra files.

He is using a resolv.conf that he edited himself some time ago to solve a
problem; if he deletes that he will have problems again.

The rest of the files do nothing except taking up space.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

I was talking about that dns-ok link, even with the whois info…

On 2012-07-08 00:16, F style wrote:

> I was talking about that dns-ok link, even with the whois info…

You can use this one instead:

here


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

F style wrote:
> lwfinger;2473219 Wrote:
>> On 07/07/2012 02:56 PM, F style wrote:
>>> So if it’s a particular one, couldn’t it be malicious?
>> You didn’t reference enough for me to know what you are asking about.
>>
>> Yes, anything could be malicious; however, the DNS servers at 8.8.8.8
>> and
>> 8.8.4.4 are OK. I trust Google.
>
> I was talking about that dns-ok link, even with the whois info…

Do you not know who Paul Vixie is? Google him.

Gedit might be creating the extra files as backup.