Date: Sun, 20 Feb 2022 15:48:10 +0000
From: Steve Kirk <steve@unixnation.net>
To: questions@freebsd.org
Subject: Re: local-unbound in a jail
Message-ID: <d5ca0c5f-9d55-d35b-f3b7-eb1922d0064b@unixnation.net>
In-Reply-To: <6210F223.6080900@gmail.com>
References: <dfca984d-95e5-a0e7-3f2e-da0a9925dce8@unixnation.net> <20220219100417.925196fc031684c78cdc8d9f@sohara.org> <6210F223.6080900@gmail.com>
On 19/02/2022 13:35, Ernie Luzar wrote:
> Steve O'Hara-Smith wrote:
>> On Fri, 18 Feb 2022 17:02:45 +0000
>> Steve Kirk <steve@unixnation.net> wrote:
>>
>>> Afternoon all,
>>>
>>> I suspect that I know the answer to this question, however... I have
>>> tried to run local-unbound in a jail (as I intend to run rspamd in
>>> said jail) but it seems like it doesn't play nicely because there's
>>> no loopback address *inside* the jail which is the only interface
>>> this service is designed to work with.
>>
>> Setting up a cloned loopback on lo1 etc for jails is common
>> practice, does that not work for local unbound ?

Not "out of the box", no. I have added the cloned loopback to rc.conf and an interface is generated in the jail. However, I don't think that is the issue with local unbound.

>> The technique is described under ezjail in the handbook but it can
>> be used without using ezjail.
>
> The alternate more common method is to change the config file of the
> software that is looking for loopback by giving it the jail's ip address
> to use as loopback ip address.

I've just quickly created a test jail and it does listen on the IP assigned to the jail by default but does not permit queries from the jail IP by default. I can add a config fragment to /var/unbound/conf.d to resolve that.

The other issue is that the local-unbound-setup script is called if /var/unbound/unbound.conf doesn't exist (e.g. on first startup); the setup script modifies resolvconf and is hardcoded to add 'nameserver 127.0.0.1' to resolv.conf and leave it as the only uncommented entry. Again, very easy to change the IP in resolv.conf, but these modifications make me think that local-unbound wasn't really intended for use in NAT jails and I'm storing up trouble for the future.

Thanks for the replies; I think it's best to install a DNS server from ports in this case.

Cheers,
Steve
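The two adjustments Steve describes above (a conf.d fragment so unbound accepts queries from the jail's own address, and a resolv.conf that points at that address rather than the hardcoded 127.0.0.1) can be scripted so they are applied consistently every time the jail is provisioned. The following POSIX sh script is an added example written for this archive page; it is not code from the thread or from FreeBSD's local-unbound scripts. The jail address 192.0.2.10 is a constructed documentation address, the fragment file name jail.conf is an assumption, and the script writes into a staging directory rather than /var/unbound or /etc so it can be run and inspected without touching a live jail. The access-control line is deliberately limited to the single jail address (/32) so the resolver does not become reachable from the rest of the host's network.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): generate the files that
# let local-unbound answer queries from a jail's own IP instead of 127.0.0.1.

# Accept only a dotted-quad IPv4 address; anything else is rejected so a typo
# cannot end up in an access-control line.
validate_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    [ "$(printf '%s' "$1" | tr -cd '.' | wc -c)" -eq 3 ]
}

# Print the unbound.conf fragment for /var/unbound/conf.d. Only the jail
# address itself is allowed to query; the interface line is what unbound in a
# jail already does by default per the thread, stated explicitly here.
unbound_jail_fragment() {
    ip="$1"
    validate_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    printf 'server:\n'
    printf '    interface: %s\n' "$ip"
    printf '    access-control: %s/32 allow\n' "$ip"
}

# Rewrite resolv.conf content on stdin: the 'nameserver 127.0.0.1' line that
# local-unbound-setup hardcodes becomes 'nameserver <jail ip>'. Other lines
# (comments, options) pass through untouched.
rewrite_resolv_conf() {
    ip="$1"
    validate_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    sed -e "s/^nameserver 127\.0\.0\.1\$/nameserver $ip/"
}

# Stage both files under a directory (default: a fresh temp dir) and print its
# path. The sample resolv.conf input is constructed to mirror what
# local-unbound-setup leaves behind: one comment, one loopback nameserver.
stage_jail_resolver() {
    ip="$1"
    dir="${2:-$(mktemp -d)}"
    mkdir -p "$dir/conf.d" || return 1
    unbound_jail_fragment "$ip" > "$dir/conf.d/jail.conf" || return 1
    printf '# Generated by resolvconf\nnameserver 127.0.0.1\noptions edns0\n' \
        | rewrite_resolv_conf "$ip" > "$dir/resolv.conf" || return 1
    echo "$dir"
}

# Usage: stage_jail_resolver 192.0.2.10 [/path/to/staging]
```

On a real jail, copy conf.d/jail.conf into /var/unbound/conf.d, run local-unbound-checkconf before restarting the service, and then confirm with a query from inside the jail that the address answers. Because local-unbound-setup re-runs whenever /var/unbound/unbound.conf is missing, the resolv.conf rewrite needs to be reapplied after any such re-run, which is the maintenance burden Steve is pointing at.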