From: Steve Kirk
Organization: Unixnation
Subject: Re: local-unbound in a jail
Date: Sun, 20 Feb 2022 15:48:10 +0000
To: questions@freebsd.org
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
In-Reply-To: <6210F223.6080900@gmail.com>
References: <20220219100417.925196fc031684c78cdc8d9f@sohara.org> <6210F223.6080900@gmail.com>

On 19/02/2022 13:35, Ernie Luzar wrote:
> Steve O'Hara-Smith wrote:
>> On Fri, 18 Feb 2022 17:02:45 +0000
>> Steve Kirk wrote:
>>
>>> Afternoon all,
>>>
>>> I suspect that I know the answer to this question, however... I have
>>> tried to run local-unbound in a jail (as I intend to run rspamd in
>>> said jail) but it seems like it doesn't play nicely because there's
>>> no loopback address *inside* the jail, which is the only interface
>>> this service is designed to work with.
>>
>>     Setting up a cloned loopback on lo1 etc. for jails is common
>> practice; does that not work for local unbound?

Not "out of the box", no. I have added the cloned loopback to rc.conf and
an interface is generated in the jail. However, I don't think that is the
issue with local unbound.

>>
>>     The technique is described under ezjail in the handbook but it can
>> be used without using ezjail.
>>
>
> The alternate, more common method is to change the config file of the
> software that is looking for loopback by giving it the jail's IP address
> to use as the loopback IP address.
>

I've just quickly created a test jail and it does listen on the IP
assigned to the jail by default, but does not permit queries from the
jail IP by default. I can add a config fragment to /var/unbound/conf.d to
resolve that.

The other issue is that the local-unbound-setup script is called if
/var/unbound/unbound.conf doesn't exist (e.g. on first startup); the
setup script modifies resolvconf and is hardcoded to add
'nameserver 127.0.0.1' to resolv.conf and leave it as the only
uncommented entry. Again, very easy to change the IP in resolv.conf, but
these modifications make me think that local-unbound wasn't really
intended for use in NAT jails and I'm storing up trouble for the future.

Thanks for the replies; I think it's best installing a DNS server from
ports in this case.

Cheers,
Steve
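The two adjustments Steve describes (an unbound(8) fragment in /var/unbound/conf.d that allows queries from the jail's own address, and a resolv.conf that points at that address instead of 127.0.0.1) can be scripted. The following is an added example, not code from the thread or from FreeBSD's local-unbound tooling. It assumes the FreeBSD local-unbound layout in which /var/unbound/unbound.conf includes /var/unbound/conf.d/*.conf, and the jail address 192.0.2.10, the fragment name jail.conf and the function names are hypothetical. Inside a FreeBSD jail, 127.0.0.1 is rewritten to the jail's first address, which is why unbound appears to listen on the jail IP even though its default config binds the loopback; what it does not do by default is accept queries whose source is that non-loopback address, hence the access-control line.

```shell
#!/bin/sh
# Added example: generate the local-unbound fragment and resolv.conf for a jail
# that has no loopback of its own. Not part of FreeBSD's local-unbound-setup.

is_ipv4() {
    # Dotted quad with four numeric octets in 0..255; rejects anything else so a
    # typo cannot end up as an access-control entry.
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

write_jail_unbound_conf() {
    # $1 = jail IP, $2 = conf.d directory (defaults to /var/unbound/conf.d).
    # Prints the path of the fragment it wrote.
    ip="$1"
    dir="${2:-/var/unbound/conf.d}"
    is_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    mkdir -p "$dir"
    cat > "$dir/jail.conf" <<EOF
server:
    # bind the jail's address explicitly rather than relying on the 127.0.0.1 alias
    interface: $ip
    # unbound refuses non-loopback sources by default; allow the jail itself only
    access-control: $ip/32 allow
EOF
    # Validate with FreeBSD's wrapper when it exists; no-op on other systems.
    if command -v local-unbound-checkconf >/dev/null 2>&1; then
        local-unbound-checkconf >&2 || return 1
    fi
    echo "$dir/jail.conf"
}

write_jail_resolv_conf() {
    # $1 = jail IP, $2 = resolv.conf path (defaults to /etc/resolv.conf).
    # Replaces the 'nameserver 127.0.0.1' line local-unbound-setup would write.
    ip="$1"
    path="${2:-/etc/resolv.conf}"
    is_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    printf '# resolver is the jail-local unbound instance\nnameserver %s\n' "$ip" > "$path"
    echo "$path"
}

# Example run (hypothetical jail address):
#   write_jail_unbound_conf 192.0.2.10
#   write_jail_resolv_conf  192.0.2.10
```

Run both functions with the jail's address once the jail is up; a wider access-control prefix (for example the jail subnet) only makes sense if other jails are meant to use this resolver, and the /32 keeps it private to the jail as Steve's use case requires.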