by klapatsibalo 1611 days ago
> A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

So you essentially block any program trying to write it?


Yes. There’s software, like DHCP clients, that has claimed the right to automatically edit this without leaving a trace. It’s really hard to turn off; it’s easier to just ban this behavior categorically, if your use case is not the one in which this behavior is useful.

This. I find it inexcusable that the Debian udhcpc package still does not provide any configuration option to inhibit it from overwriting /etc/resolv.conf.

The only option is to replace the "execute this when DHCP reply is received" script, which is not a simple script at all. And then you're stuck three-way-merging your changes to that script with every security update.
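
An added example, not part of the thread above: a small audit that reads the 'i' attribute on /etc/resolv.conf and lists which running processes hold CAP_LINUX_IMMUTABLE in their effective set, since per the quoted man page text those are the processes that can still clear the flag. The function names and the two sample status records are constructed for illustration; the ioctl constant assumes 64-bit Linux.

```python
import fcntl
import glob
import struct

FS_IOC_GETFLAGS = 0x80086601   # ioctl request number (assumes 64-bit Linux)
FS_IMMUTABLE_FL = 0x00000010   # the 'i' attribute shown by lsattr
CAP_LINUX_IMMUTABLE = 9        # bit index from linux/capability.h

# Constructed /proc/<pid>/status excerpts (not captured from a real system).
SAMPLE_ROOT = "Name:\tdhcp-root\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
SAMPLE_DROPPED = "Name:\tdhcp-confined\nCapEff:\t0000000000003400\n"


def is_immutable(path):
    """Return True/False for the 'i' flag, or None if it cannot be read."""
    try:
        with open(path, "rb") as fh:
            buf = fcntl.ioctl(fh.fileno(), FS_IOC_GETFLAGS, struct.pack("l", 0))
    except OSError:
        return None  # missing file, or a filesystem without inode flags
    return bool(struct.unpack("l", buf)[0] & FS_IMMUTABLE_FL)


def can_clear_immutable(status_text):
    """Parse /proc/<pid>/status text; return (name, holds CAP_LINUX_IMMUTABLE)."""
    fields = dict(l.split(":", 1) for l in status_text.splitlines() if ":" in l)
    cap_eff = int(fields.get("CapEff", "0").strip(), 16)
    return fields.get("Name", "?").strip(), bool((cap_eff >> CAP_LINUX_IMMUTABLE) & 1)


def audit(path="/etc/resolv.conf"):
    """Return (immutable flag state, [(pid, name)] able to clear the flag)."""
    holders = []
    for status in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(status) as fh:
                name, able = can_clear_immutable(fh.read())
        except OSError:
            continue  # process exited while we were scanning
        if able:
            holders.append((status.split("/")[2], name))
    return is_immutable(path), holders


if __name__ == "__main__":
    flag, holders = audit()
    print("immutable:", flag)
    for pid, name in holders:
        print(f"can clear flag: pid={pid} name={name}")
```

A process running as root with a full capability set appears in the list, so the flag stops software that simply rewrites the file but not software that clears the attribute first.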