Changing the write permissions could be only a temporary fix, depending on your situation.
My old firewall suddenly began experiencing a very similar issue. When AT&T took away my static IP (weenors), I had to run a DHCP client on my external interface. Then, every so often, my resolv.conf was overwritten. Chmod 000 was one of the first things I tried, but a permissions problem on resolv.conf can break connectivity under DHCP, so dhclient will change the permissions if required. The irregular intervals slowed my ability to diagnose the cause.
To make a short story longer, I couldn't stop it, so root ran a cronjob every five minutes to check the file and recreate it anytime it didn't contain the line I wanted. I figured that was a lazy way to do it, but I didn't know if dhclient has an option to leave resolv.conf alone, and I knew it's probably not a good idea to try.
Since I replaced the machine, I've been meaning to build the thing into a spare Linux box, but I've proven too lazy thus far, so I still have the script. Here's the first version, if it helps anyone:
Code:
#!/bin/ksh
#------------------------------------------------------------------------------
# lookupdate - 2003031902
# update resolv.conf for quick resolution of local boxen
#------------------------------------------------------------------------------
# establish variables and check for files existing, etc...
PATH=$PATH:/usr/bin:/bin
cd /etc
ORIG=${1:-resolv.conf}
ISBORKED=`grep lookup $ORIG`
#------------------------------------------------------------------------------
# run it
if [ "$ISBORKED" = "" ]
then
NOW=`date +"%Y%m%d%H%M%S"`
NEW=$ORIG".tempworking"
cp $ORIG $ORIG.$NOW
echo "lookup file bind" > $NEW
cat $ORIG >> $NEW
mv $NEW $ORIG
fi
Pretty basic, it doesn't even verify that the file exists. But if your resolv.conf is missing, you've got bigger issues anyway ;)
I copied the old file into the new, because of the frequency with which AT&T rearchitected their cable modem network and changed DNS servers. I wanted to keep the original file, so I renamed it with a timestamp, guaranteeing a traceable history. Of course, I knew I'd be looking at a ton of files soon, so I wrote v.2 (v.1.1?) that removed old copies. Changes to the variables section included:
Code:
LOGFILE=${2:-resolv.conf.log}
THRESH=14000000
The rest is simple enough; a subroutine checked each filename against $THRESH then passed or removed it. Any file older than the threshold was deleted. The backups were always the same, but they were small, so I played it safe and eventually settled on two weeks. Even safer (but probably overkill) was the logging of filenames and sizes as they were deleted. And no, that's not two weeks in seconds, but it's two weeks when you do the arithmetic on the timestamp.
Here are the files that existed when I decommissioned the fw. Note that it happened two times on Nov 2, only 40 minutes apart, then it didn't again for exactly 48 hours. Nice.
Code:
-rw-r--r-- 1 root 85 Nov 11 14:40 resolv.conf
-rw-r--r-- 1 root 68 Oct 28 18:00 resolv.conf.20031028180001
-rw-r--r-- 1 root 68 Oct 30 18:00 resolv.conf.20031030180001
-rw-r--r-- 1 root 68 Nov 2 09:10 resolv.conf.20031102091001
-rw-r--r-- 1 root 68 Nov 2 09:50 resolv.conf.20031102095002
-rw-r--r-- 1 root 68 Nov 4 09:50 resolv.conf.20031104095001
-rw-r--r-- 1 root 68 Nov 6 07:40 resolv.conf.20031106074001
-rw-r--r-- 1 root 68 Nov 8 07:40 resolv.conf.20031108074001
-rw-r--r-- 1 root 68 Nov 9 14:40 resolv.conf.20031109144002
-rw-r--r-- 1 root 68 Nov 10 09:10 resolv.conf.20031110091001
-rw-r--r-- 1 root 68 Nov 11 14:40 resolv.conf.20031111144001
-rw-r--r-- 1 root 3030 Nov 10 09:10 resolv.conf.log
And an excerpt from the log:
20031012004001 68
20031012191001 68
20031014190002 68
20031016190001 68
20031018190001 68
20031020190002 68
20031022190001 68
20031024190001 68
20031026180001 68
Hope your solution proves to be simpler than mine, but if not, feel free to use the script.