Date: Mon, 29 Feb 2016 10:10:44 -0800
Subject: Re: DNS with host works, but not with mysql or ping
From: Sergei G
To: FreeBSD Questions

It appears that host is suffering from the same problem:

host yahoo.com
yahoo.com has address 206.190.36.45
yahoo.com has address 98.138.253.109
yahoo.com has address 98.139.183.24
yahoo.com has IPv6 address 2001:4998:44:204::a7
yahoo.com has IPv6 address 2001:4998:58:c02::a9
yahoo.com has IPv6 address 2001:4998:c:a06::2:4008
yahoo.com mail is handled by 1 mta7.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta6.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta5.am0.yahoodns.net.

fetch http://206.190.36.45 (yahoo) times out

On Mon, Feb 29, 2016 at 9:57 AM, Sergei G wrote:
> If I use host command to resolve name to IP, then I get a correct IP.
>
> If I use ping, mysql, fetch commands, then DNS fails to resolve. I can't
> quite figure out what the difference is.
>
> Jailed machine configuration:
>
> 1) issue is inside jailed system
> 2) /etc/resolv.conf points to host's machine with nameserver 10.0.1.10
>
> Host machine:
> 1) runs firewall
> 2) runs local_unbind on all 53 ports
> 3) runs nsd for private network on 1053 port.
>
> I am quite confused ATM.
>
> pfctl -sr Output on the host:
>
> No ALTQ support in kernel
> ALTQ related functions disabled
> scrub in all fragment reassemble
> block drop in log on bce0 all
> block return in log on bce0 proto tcp from any to any port = ssh
> block drop in log (to pflog1) quick on bce0 proto tcp from any to any port = mdns
> block drop in log (to pflog1) quick on bce0 proto tcp from any to any port = 17500
> block drop in log (to pflog1) quick on bce0 proto udp from any to any port = mdns
> block drop in log (to pflog1) quick on bce0 proto udp from any to any port = 17500
> block drop in quick on bce0 proto udp from any to any port = netbios-ns
> block drop in quick on bce0 proto udp from any to any port = netbios-dgm
> block drop in quick on bce0 proto udp from any to any port = 1900
> block drop in quick on bce0 proto udp from any to any port = sunrpc
> block drop in quick on bce0 proto tcp from any to any port = commplex-main
> block drop in log (to pflog1) quick on bce0 proto igmp all
> block drop in quick on bce0 inet proto udp from 0.0.0.0 port = bootpc to any port = bootps
> pass in quick on bce0 inet proto udp from 10.0.1.1 port = bootps to any port = bootpc keep state
> pass out quick on bce0 inet proto udp from any port = bootpc to 10.0.1.1 port = bootps keep state
> block drop in log (to pflog1) quick on bce0 inet6 all
> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = domain flags S/SA keep state
> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = ssh flags S/SA keep state
> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 10.0.1.10 port = domain flags S/SA keep state
> pass in quick on bce0 inet proto tcp from any to 10.0.1.10 port = http flags S/SA keep state
> pass in quick on bce0 inet proto tcp from any to 10.0.1.10 port = https flags S/SA keep state
> pass in quick on bce0 inet proto tcp from any to 10.0.1.10 port = auth flags S/SA keep state
> pass in quick on bce0 inet proto tcp from 198.182.9.1 to 10.0.1.10 port = ssh flags S/SA keep state
> pass in quick on bce0 inet proto tcp from 10.0.1.101 port = 8090 to 10.0.1.10 flags S/SA keep state
> pass in quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = domain keep state
> pass in quick on bce0 inet proto udp from 192.168.3.0/24 to 10.0.1.10 port = domain keep state
> pass in quick on bce0 inet proto icmp from 10.0.1.0/24 to 10.0.1.10 icmp-type echoreq keep state
> pass in log quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = domain flags S/SA keep state
> pass in log quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = 1053 flags S/SA keep state
> pass in log quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = domain keep state
> pass in log quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = 1053 keep state
> pass in log quick on lo0 inet proto tcp from 10.0.1.0/24 to 127.0.0.1 port = 1053 flags S/SA keep state
> pass in log quick on lo0 inet proto udp from 10.0.1.0/24 to 127.0.0.1 port = 1053 keep state
> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 192.168.3.17 port = imap flags S/SA keep state
> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 192.168.3.17 port = smtp flags S/SA keep state
> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 192.168.3.17 port = submission flags S/SA keep state
> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 192.168.3.17 port = imap flags S/SA keep state
> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 192.168.3.17 port = smtp flags S/SA keep state
> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 192.168.3.17 port = submission flags S/SA keep state
> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.11 port = 9000 flags S/SA keep state
> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.15 port = 9000 flags S/SA keep state
> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.22 port = 9000 flags S/SA keep state
> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.13 port = 9001 flags S/SA keep state
> pass out quick on bce0 inet proto tcp from 10.0.1.10 to 10.0.1.101 port = 8090 flags S/SA keep state
> pass out quick on bce0 inet proto udp from any to any port = domain keep state
> pass out quick on bce0 inet proto icmp all icmp-type echoreq keep state
> pass in on bce0 inet proto tcp from 10.0.1.0/24 to any port = ftp flags S/SA keep state
> pass in on bce0 inet proto tcp from 10.0.1.0/24 to any port > 49151 flags S/SA keep state