On 2023-02-24 10:27, tomas@tuxteam.de wrote:
On Fri, Feb 24, 2023 at 10:19:38AM +0100, davenull@tuxfamily.org wrote: [...]However, I didn't notice any vnpc_script malfunction. It does what it isexpected to do. I'm like 99% sure the problem is dhclient deleting and recreating /etc/resolv.conf as it sees fit, multiple times a day, and deleting whatever vpnc_script has put in that file.Instead of 99% suspicions you could just look into your /var/log/syslog:dhclient does leave enough traces there. Bonus point if you correlate these timestamps with your resolv.conf mod time :-) Cheers
Goode point. Thank you for the reminder :) I do only partial week remote work, been in the office the last days.So in order for the problem to happen again, I need to wait monday, only then I might dig into the log files.
The thing is: at first, I didn't suspect dhclient until recently (after I started this thread) so I need to wait for the next remote work day. During my last days of remote work, I just used auditd to see if I can see process name when the file is deleted/recreated. The event was captured by auditd but the process name was missing from the audit.log file, so I had no idea what's to look for., in which log file(s).
I'm still sure it isn't vpnc_script. vpnc_script leaves identification comments on the file And dhclient is more like to know only about what my home's DHCP tells it, than my work's place DNS resolver, that's why I suspect dhclient. BUT I will make sure to take some time to dig into the logs monday. Now that I have an idea what I'm looking for, totally agree logs are better than suspicion