BIND in jail problem
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Sat Feb 14 14:40:08 PST 2009
On Sat, 14 Feb 2009, Anders Hagman wrote:
Hi,
I am inclined to say that something is not right with your setup and I
am not able to reproduce any of the symptoms on 7-STABLE pre-jail-MFC,
but that's not going to help.
Those named-inside-jail things come up regularly and either end
without any results as people stop replying, or a pilot error is quickly
identified. It might be hard to resolve the problem in mail or might
need lots of mails, so I'd suggest taking your reply off-list, and
we'll post a summary with the results once things are solved.
> I'm trying to use BIND inside a jail and have passed the chroot
> problem and have a running named without chroot.
what does netstat -an | grep '\.53' say inside your jail?
> The problem is that the jail does not have the address 127.0.0.1 or does not
that's becoming a FAQ and later jail(2) man pages say:
:: All connections to/from the loopback address (127.0.0.1 for IPv4, ::1
:: for IPv6) will be changed to be to/from the primary address of the jail
:: for the given address family.
so for your jail (I assume a stock 7.1-RELEASE) ignore the IPv6 part
and the "primary" part as there is only one IP (which is the primary
IP in that case).
> use the info in resolv.conf.
>
> When I use the host command I get:
>
> [root@ippbx1 ~]# host ippbx1
> ;; reply from unexpected source: 172.16.101.3#53, expected 127.0.0.1#53
>
> /etc/resolv.conf
> domain kalmar.se
> search kalmar.se
man resolv.conf says:
:: The domain and search keywords are mutually exclusive. If more than one
:: instance of these keywords is present, the last instance will override.
so you can remove the domain line.
> nameserver 127.0.0.1
>
> tcpdump:
> 21:33:49.569332 IP (tos 0x0, ttl 64, id 31390, offset 0, flags [none], proto
> UDP (17), length 52) 172.16.101.3.62278 > 172.16.101.3.53: 28477+ A? ippbx1.
> (24)
>
> 21:33:49.569890 IP (tos 0x0, ttl 64, id 31393, offset 0, flags [none], proto
> UDP (17), length 52) 172.16.101.3.53 > 172.16.101.3.62278: 28477 ServFail
> 0/0/0 (24
This looks fine from the IP point of view, assuming 172.16.101.3 is our
jail IP.
> As you can see the destination address is 172.16.101.3 despite the name
> server address in resolv.conf. The host command does not add the domain as it
> should and sends the query as "A? ippbx1" instead of "A? ippbx1.kalmar.se".
> The host command expects to get an answer from 127.0.0.1.
I am not yet sure where this comes from but if that's really a problem
change it to
nameserver 172.16.101.3
as this is what it is effectively anyway.
> Changing the nameserver address in resolv.conf to 172.16.101.3 does not
> change anything. Using the FQDN does not help because it's still the wrong
> expected address.
Now that does not make any sense. You changed the IP but it is still
reporting the "reply from unexpected source: ... expected .."?
> The only thing that works is: host ippbx1.kalmar.se
> 172.16.101.3.
>
> Using ping give a different picture:
You enabled raw sockets for jails?
> [root@ippbx1 ~]# ping ippbx1
> ping: cannot resolve ippbx1: Host name lookup failure
>
> /etc/resolv.conf
> domain kalmar.se
> search kalmar.se
> nameserver 172.16.101.3
>
>
> tcpdump:
> 21:47:39.143152 IP (tos 0x0, ttl 64, id 31817, offset 0, flags [none], proto
> UDP (17), length 62) 172.16.101.3.60878 > 127.0.0.1.53: 35805+ A?
> ippbx1.kalmar.se. (34)
> 21:47:39.143165 IP (tos 0x0, ttl 64, id 31818, offset 0, flags [none], proto
> ICMP (1), length 56) 127.0.0.1 > 172.16.101.3: ICMP 127.0.0.1 udp port 53
> unreachable, length 36
>
>
> ping does add the domain to the query but does not read the address from
> resolv.conf and sends the query to 127.0.0.1. And 127.0.0.1 is the host 0
> machine and does not run BIND.
I start wondering if you are editing the correct resolv.conf inside
the correct jail and running your commands inside the same jail?
/bz
--
Bjoern A. Zeeb The greatest risk is not taking one.
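A small checker for the two points raised in the reply above (the jail(2) loopback rewrite and the domain/search rule from resolv.conf(5)), added here as an example and not code from the thread or from FreeBSD; the resolv.conf content is the one quoted in the thread and the jail IP 172.16.101.3 comes from the tcpdump output, while the function names and the ResolvConf type are my own.

```python
from dataclasses import dataclass, field

@dataclass
class ResolvConf:
    search: list = field(default_factory=list)       # last domain/search line wins
    nameservers: list = field(default_factory=list)  # in file order

def parse_resolv_conf(text):
    """Parse resolv.conf text per resolv.conf(5): 'domain' and 'search' are
    mutually exclusive and the last instance of either overrides."""
    conf = ResolvConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        key, *args = line.split()
        if key in ("domain", "search") and args:
            conf.search = args            # later line replaces the earlier one
        elif key == "nameserver" and args:
            conf.nameservers.append(args[0])
    return conf

def jail_rewrite(addr, jail_ipv4, jail_ipv6=None):
    """jail(2) rule quoted in the thread: traffic to/from the loopback address
    is rewritten to the jail's primary address of the same family."""
    if addr == "127.0.0.1":
        return jail_ipv4
    if addr == "::1" and jail_ipv6 is not None:
        return jail_ipv6
    return addr

def unexpected_sources(conf, jail_ipv4, jail_ipv6=None):
    """Nameservers whose replies will arrive from a different address than the
    one the resolver sent to, which is what makes host(1) complain about a
    'reply from unexpected source'. Returns (configured, effective) pairs."""
    return [(ns, jail_rewrite(ns, jail_ipv4, jail_ipv6))
            for ns in conf.nameservers
            if jail_rewrite(ns, jail_ipv4, jail_ipv6) != ns]

# Constructed input: the resolv.conf quoted earlier in the thread.
RESOLV_CONF = "domain kalmar.se\nsearch kalmar.se\nnameserver 127.0.0.1\n"
JAIL_IP = "172.16.101.3"   # the jail's only, hence primary, IPv4 address

if __name__ == "__main__":
    conf = parse_resolv_conf(RESOLV_CONF)
    print("effective search list:", conf.search)
    for ns, eff in unexpected_sources(conf, JAIL_IP):
        print(f"nameserver {ns} will answer from {eff}; use 'nameserver {eff}'")
```

Run inside the jail against its real /etc/resolv.conf to confirm that the only nameserver left is the jail's own address.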