From: "Bjoern A. Zeeb"
Date: Sat, 14 Feb 2009 22:38:57 +0000 (UTC)
To: Anders Hagman
Cc: freebsd-jail@freebsd.org
Subject: Re: BIND in jail problem
In-Reply-To: <499733EC.3040706@netplex.se>
Message-ID: <20090214221759.L53478@maildrop.int.zabbadoz.net>
References: <499733EC.3040706@netplex.se>
List-Id: "Discussion about FreeBSD jail(8)"

On Sat, 14 Feb 2009, Anders Hagman wrote:

Hi,

I am inclined to say that something is not right with your setup, and I am not able to reproduce any of the symptoms on 7-STABLE pre-jail-MFC, but that's not going to help.

Those "named inside jail" things come up regularly and either end without any results as people stop replying, or a pilot error is quickly identified. It might be hard to resolve the problem in mail, or it might need lots of mails, so I'd suggest taking your reply off-list, and we'll post a summary with the results once things are solved.

> I'm trying to use BIND inside a jail and have passed the chroot
> problem and have a running named without chroot.

What does

  netstat -an | grep '\.53'

say inside your jail?

> The problem is that the jail does not have the address 127.0.0.1 or does not

That's becoming a FAQ, and later jail(2) man pages say:

:: All connections to/from the loopback address (127.0.0.1 for IPv4, ::1
:: for IPv6) will be changed to be to/from the primary address of the jail
:: for the given address family.

So for your jail (I assume a stock 7.1-RELEASE) ignore the IPv6 part and the "primary" part, as there is only one IP (which is the primary IP in that case).

> use the info in resolv.conf.
> 
> When I use the host command I get:
> 
> [root@ippbx1 ~]# host ippbx1
> ;; reply from unexpected source: 172.16.101.3#53, expected 127.0.0.1#53
> 
> /etc/resolv.conf
> domain kalmar.se
> search kalmar.se

man resolv.conf says:

:: The domain and search keywords are mutually exclusive. If more than one
:: instance of these keywords is present, the last instance will override.

So you can remove the domain line.

> nameserver 127.0.0.1
> 
> tcpdump:
> 21:33:49.569332 IP (tos 0x0, ttl 64, id 31390, offset 0, flags [none], proto UDP (17), length 52) 172.16.101.3.62278 > 172.16.101.3.53: 28477+ A? ippbx1. (24)
> 
> 21:33:49.569890 IP (tos 0x0, ttl 64, id 31393, offset 0, flags [none], proto UDP (17), length 52) 172.16.101.3.53 > 172.16.101.3.62278: 28477 ServFail 0/0/0 (24

This looks fine from the IP point of view, if 172.16.101.3 is your jail IP.

> As you can see the destination address is 172.16.101.3 despite the name
> server address in resolv.conf. The host command does not add the domain as it
> should and sends the query as "A? ippbx1" instead of "A? ippbx1.kalmar.se".
> The host command expects to get an answer from 127.0.0.1.

I am not yet sure where this comes from, but if that's really a problem change it to

  nameserver 172.16.101.3

as this is what it is effectively anyway.

> Changing the nameserver address in resolv.conf to 172.16.101.3 does not
> change anything. Using the FQDN does not help because it's still the wrong
> expected address.

Now that does not make any sense. You changed the IP but it is still reporting the "reply from unexpected source: ... expected .."?

> The only thing that works is: host ippbx1.kalmar.se 172.16.101.3.
> 
> Using ping gives a different picture:

You enabled raw sockets for jails?
> [root@ippbx1 ~]# ping ippbx1
> ping: cannot resolve ippbx1: Host name lookup failure
> 
> /etc/resolv.conf
> domain kalmar.se
> search kalmar.se
> nameserver 172.16.101.3
> 
> 
> tcpdump:
> 21:47:39.143152 IP (tos 0x0, ttl 64, id 31817, offset 0, flags [none], proto UDP (17), length 62) 172.16.101.3.60878 > 127.0.0.1.53: 35805+ A? ippbx1.kalmar.se. (34)
> 21:47:39.143165 IP (tos 0x0, ttl 64, id 31818, offset 0, flags [none], proto ICMP (1), length 56) 127.0.0.1 > 172.16.101.3: ICMP 127.0.0.1 udp port 53 unreachable, length 36
> 
> 
> ping does add the domain to the query but does not read the address from
> resolv.conf and sends the query to 127.0.0.1. And 127.0.0.1 is the host 0
> machine and does not run BIND.

I start wondering if you are editing the correct resolv.conf inside the correct jail and run your commands inside the same jail?

/bz

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.
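The two rules the reply leans on, the resolv.conf(5) "last domain/search line wins" rule and the jail(2) loopback rewrite, can be checked mechanically before anyone starts a named inside a jail. The following is an added example and not code from the thread, from FreeBSD or from BIND: it parses a resolv.conf text and returns what a resolver inside a jail will effectively use. The jail's primary address is an argument supplied by the caller (the example does not inspect the running system), and the name-qualification logic is a deliberately simplified model of the search-list behaviour, not libc's resolver.

```python
"""Model of what a resolv.conf means inside a FreeBSD 7.x jail.

Added example, not code from the thread or from FreeBSD. It encodes two
rules quoted in the reply above:
  - resolv.conf(5): 'domain' and 'search' are mutually exclusive and the
    last instance present overrides earlier ones;
  - jail(2): connections to/from 127.0.0.1 (or ::1) are changed to the
    jail's primary address, so a loopback nameserver is really the jail
    IP, and a resolver that insists on a reply from 127.0.0.1 will see
    the answer as coming from an unexpected source.
The jail IP is supplied by the caller; nothing is read from the system.
"""

from dataclasses import dataclass, field
from typing import List, Optional

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class EffectiveResolvConf:
    search: List[str] = field(default_factory=list)       # effective search list
    nameservers: List[str] = field(default_factory=list)  # after loopback rewrite
    warnings: List[str] = field(default_factory=list)


def parse_resolv_conf(text: str, jail_ip: Optional[str] = None) -> EffectiveResolvConf:
    """Parse resolv.conf text and return what the resolver will effectively
    use. jail_ip is the jail's (primary) address; pass None when the file
    is used on the host, where no loopback rewrite happens."""
    cfg = EffectiveResolvConf()
    seen_domain_or_search = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        key, *args = line.split()
        if key in ("domain", "search"):
            if seen_domain_or_search:
                cfg.warnings.append(
                    f"'{key}' overrides an earlier domain/search line; "
                    "only the last instance is used")
            seen_domain_or_search = True
            cfg.search = list(args)  # 'domain X' behaves as a one-element search list
        elif key == "nameserver" and args:
            addr = args[0]
            if jail_ip is not None and addr in LOOPBACK:
                cfg.warnings.append(
                    f"nameserver {addr} is rewritten by the jail to {jail_ip}; "
                    f"replies will arrive from {jail_ip}, not {addr}")
                addr = jail_ip
            cfg.nameservers.append(addr)
        # other keywords (options, sortlist, ...) are ignored in this model
    return cfg


def lookup_candidates(name: str, cfg: EffectiveResolvConf) -> List[str]:
    """Names the resolver tries for 'name', in order. Simplified model: a
    name without a dot gets each search domain appended and is then tried
    as given; a name containing a dot is tried as given."""
    if "." in name:
        return [name]
    return [f"{name}.{dom}" for dom in cfg.search] + [name]


if __name__ == "__main__":
    # constructed sample mirroring the /etc/resolv.conf quoted in the thread
    sample = "domain kalmar.se\nsearch kalmar.se\nnameserver 127.0.0.1\n"
    cfg = parse_resolv_conf(sample, jail_ip="172.16.101.3")
    print("search:", cfg.search, "nameservers:", cfg.nameservers)
    for w in cfg.warnings:
        print("warning:", w)
    print("candidates for ippbx1:", lookup_candidates("ippbx1", cfg))
```

Run on the thread's resolv.conf with the jail IP 172.16.101.3, the model reports a single effective nameserver of 172.16.101.3 and two warnings: the redundant domain line, and the loopback rewrite that explains why the reply to the host command arrives from 172.16.101.3 rather than the 127.0.0.1 it was sent to. Running the same file with jail_ip=None (on the host) yields no warnings, which is the difference between the two environments that is easy to lose track of when editing files in the wrong jail.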