Date: Tue, 6 Feb 2018 11:17:59 -0500
From: "James B. Byrne" <byrnejb@harte-lyne.ca>
To: freebsd-questions@harte-lyne.ca
Subject: Re: FreeBSD jails, dns and ping
Message-ID: <ae6bcd172868583d65438c3cd33285fe.squirrel@webmail.harte-lyne.ca>
In-Reply-To: <mailman.5031.1517909966.1562.freebsd-questions@freebsd.org>
References: <mailman.5031.1517909966.1562.freebsd-questions@freebsd.org>
On Mon, February 5, 2018 18:07, Adam Vande More wrote:
> On Mon, Feb 5, 2018 at 3:56 PM, James B. Byrne <byrnejb@harte-lyne.ca>
> wrote:
>
>>
>> On Mon, February 5, 2018 16:38, Adam Vande More wrote:
>> > On Mon, Feb 5, 2018 at 3:18 PM, James B. Byrne via freebsd-questions <
>> > freebsd-questions@freebsd.org> wrote:
>> >
>> >> Can anyone explain what is causing this particular inconsistency?
>> >> Unbound can resolve the address but ping cannot?
>> >>
>> >
>> > What is inconsistent about that? Just because something has a
>> > valid DNS entry doesn't imply it will respond to ping.
>>
>> What is inconsistent is that ping will not resolve the address but
>> drill will. The only nameserver defined in /etc/resolv.conf is
>> 127.0.0.1. We never get to the point of determining if the target
>> replies to the ping.
>>
>> >
>> > Also pkg uses SRV records, it's been discussed here before.
>> >
>>
>> pkg.freebsd.org happens to be the domain that I used to test whether
>> or not ping could resolve. I get the same results irrespective of
>> the domain used.
>>
>
> You have included a trailing . in the ping command.
>

The presence or absence of the trailing dot does not change the
behaviour. And if it did then it would be a bug since . is the root
DNS entry. It is simply a programming convention to ignore its absence
since it must be present in all fully qualified domain names and,
outside of zone files, is effectively a constant value.

[root@hll107 ~]# ping sendmail.com
ping: cannot resolve sendmail.com: Host name lookup failure

[root@hll107 ~]# drill sendmail.com
;; ANSWER SECTION:
sendmail.com.           3235    IN      A       192.230.74.135
sendmail.com.           3235    IN      A       192.230.66.135

;; AUTHORITY SECTION:
sendmail.com.           109408  IN      NS      pdns99.ultradns.biz.
sendmail.com.           109408  IN      NS      pdns99.ultradns.org.
sendmail.com.           109408  IN      NS      ns1.proofpoint.com.
sendmail.com.           109408  IN      NS      pdns99.ultradns.net.
sendmail.com.           109408  IN      NS      ns3.proofpoint.com.
sendmail.com.           109408  IN      NS      pdns99.ultradns.com.

;; ADDITIONAL SECTION:
ns1.proofpoint.com.     103180  IN      A       208.84.67.208
ns1.proofpoint.com.     103180  IN      AAAA    2620:100:9000:1::d0
ns3.proofpoint.com.     103180  IN      A       208.84.66.208
ns3.proofpoint.com.     103180  IN      AAAA    2620:100:9004:1::d0
pdns99.ultradns.com.    103180  IN      A       156.154.64.99
pdns99.ultradns.com.    103180  IN      AAAA    2001:502:f3ff::87

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Tue Feb  6 10:09:44 2018
;; MSG SIZE  rcvd: 370
[root@hll107 ~]#

QED

[root@inet19 ~]# ping sendmail.com
PING sendmail.com (192.230.66.135): 56 data bytes
64 bytes from 192.230.66.135: icmp_seq=0 ttl=53 time=51.918 ms

[root@inet19 ~]# ping sendmail.com.
PING sendmail.com (192.230.66.135): 56 data bytes
64 bytes from 192.230.66.135: icmp_seq=0 ttl=53 time=51.988 ms

The problem is with the jail setup. Specifically, with /etc/resolv.conf.

I created another jail on the same host and it did not exhibit this
problem. I then destroyed hll107 and recreated it. I ran
service local_unbound onestart from hll107's console which built the
default setup configuration. I then tried to ping an outside address.
It worked.

The next step I took revealed the source of the problem but not its
cause. We host our own delegated DNS. When I configured
/etc/resolv.conf on hll107 to this:

search hamilton.harte-lyne.ca harte-lyne.ca
nameserver 127.0.0.1

The problem returned. If instead I configured hll107:/etc/resolv.conf
to this:

search hamilton.harte-lyne.ca harte-lyne.ca
nameserver 127.0.107.1

Then ping worked on hll107.

The ip_addr 127.0.107.1 is configured on the host system as lo2:

# Cloned i/f and assigned ipv4 addr for jails
cloned_interfaces="lo1 lo2 lo3"

# For shared jail configuration
ipv4_addrs_lo1="127.0.100.1/32"
ipv4_addrs_lo2="127.0.107.1/32"
ipv4_addrs_lo3="127.0.109.1/32"

And the jail network is configured like this:

export jail_hll107_hostname="hll107.hamilton.harte-lyne.ca"
export jail_hll107_ip="lo2|127.0.107.1,vtnet0|192.168.216.107"

Note that local_unbound worked with both resolv.conf settings. But
both ping and pkg gave me grief with the first and worked with the
second.

My understanding, admittedly perfunctory, has been that one is
SUPPOSED to use 127.0.0.1 inside a jail wherever the standard loopback
address is required. And that the jail system takes care of remapping
127.0.0.1 to whatever address is assigned to the loopback interface
that the jail is configured to use.

What have I misunderstood? Had I misconfigured something that is
documented otherwise than what I had done?

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
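The following is an added diagnostic script, not code from the message above or from FreeBSD itself. It takes the rc.conf-style jail_<name>_ip list and the text of a jail's /etc/resolv.conf and reports which address each nameserver line will really reach from inside the jail, under the assumption the poster describes: that 127.0.0.1 inside a jail is redirected to the first IPv4 address in the jail's list. It does not explain why ping and drill disagreed (the thread leaves that open); it only makes the remapping visible so it can be compared with the address local_unbound actually listens on. The sample resolv.conf contents and jail address list are constructed to match the configuration quoted in the message.

```shell
#!/bin/sh
# Added diagnostic for the situation in the thread; not code from the
# original message.  Given a jail_<name>_ip string and the text of the
# jail's /etc/resolv.conf, print which address each "nameserver" line
# actually reaches from inside the jail.
#
# Assumption (the poster's own understanding of jail behaviour): inside a
# jail, 127.0.0.1 is redirected to the FIRST IPv4 address in the jail's list.

# Constructed sample input, mirroring the configuration quoted in the thread.
JAIL_IP_LIST="lo2|127.0.107.1,vtnet0|192.168.216.107"
RESOLV_BROKEN="search hamilton.harte-lyne.ca harte-lyne.ca
nameserver 127.0.0.1"
RESOLV_WORKING="search hamilton.harte-lyne.ca harte-lyne.ca
nameserver 127.0.107.1"

# Print the jail's primary IPv4 address: the first IPv4 entry in an
# "iface|addr,iface|addr" list.  The iface| prefix and any /prefix length
# are stripped; IPv6 entries are skipped.
jail_primary_ipv4() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F'|' '
        { addr = $NF; sub("/[0-9]+$", "", addr) }
        addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print addr; exit }'
}

# For every "nameserver X" line in a resolv.conf text, print "X -> Y"
# where Y is the address the jail will really send queries to.
effective_nameservers() {
    printf '%s\n' "$1" | awk -v primary="$2" '
        $1 == "nameserver" {
            eff = ($2 == "127.0.0.1") ? primary : $2
            print $2, "->", eff
        }'
}

# Return 0 when every nameserver is reached exactly as written, 1 when at
# least one 127.0.0.1 entry would be silently rewritten to the primary.
resolv_is_literal() {
    effective_nameservers "$1" "$2" |
        awk '$1 != $3 { bad = 1 } END { exit (bad ? 1 : 0) }'
}

# Human-readable report for one resolv.conf variant.
report() {   # $1 = label, $2 = resolv.conf text, $3 = jail primary address
    printf '%s:\n' "$1"
    effective_nameservers "$2" "$3" | sed 's/^/  nameserver /'
    if resolv_is_literal "$2" "$3"; then
        printf '  ok: every nameserver is used as written\n'
    else
        printf '  check: a 127.0.0.1 entry is remapped; confirm the resolver listens on %s\n' "$3"
    fi
}

# Stand-alone demonstration on the constructed input.
primary=$(jail_primary_ipv4 "$JAIL_IP_LIST")
printf 'jail primary IPv4 (what 127.0.0.1 maps to): %s\n' "$primary"
report "resolv.conf with 127.0.0.1" "$RESOLV_BROKEN" "$primary"
report "resolv.conf with 127.0.107.1" "$RESOLV_WORKING" "$primary"
```

On a real host, feed the script the jail's own values: the address list from rc.conf and `cat /path/to/jail/etc/resolv.conf`. Whenever the report flags a remapped entry, compare the printed primary address with the listening address in the jail's unbound configuration; a resolver bound only to the literal 127.0.0.1 and a client whose 127.0.0.1 is rewritten by the jail are talking to different sockets.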