From: Sergei G <sergeig.public@gmail.com>
To: Michael Beasley <youvegotmoxie@gmail.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Mon, 29 Feb 2016 10:56:37 -0800
Subject: Re: DNS with host works, but not with mysql or ping
Message-ID: <CAFLLzCOh074fcuDCKW2x=J3DJaH5Bp2g_Wh-c6ngWY7jjwib7Q@mail.gmail.com>
In-Reply-To: <CAFLLzCNy0LPv4pHEnqrzohiF5TP8gMiviZ-UeXRPrc2jDKcr4A@mail.gmail.com>
List-Id: User questions <freebsd-questions.freebsd.org>

I have no dig inside jail, but drill works and
reports from 10.0.1.10 (local_unbind server):

drill yahoo.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 25675
;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; yahoo.com.	IN	A

;; ANSWER SECTION:
yahoo.com.	1034	IN	A	98.139.183.24
yahoo.com.	1034	IN	A	98.138.253.109
yahoo.com.	1034	IN	A	206.190.36.45

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 10.0.1.10
;; WHEN: Mon Feb 29 18:57:16 2016
;; MSG SIZE  rcvd: 75

On Mon, Feb 29, 2016 at 10:52 AM, Sergei G <sergeig.public@gmail.com> wrote:
> Thank you.
>
> I did find that host was not passing output http, because I was missing a
> statement.
>
> So, I am now on to just properly configuring DNS.
>
> On Mon, Feb 29, 2016 at 10:35 AM, Michael Beasley <youvegotmoxie@gmail.com>
> wrote:
>
>>
>>
>> On 02/29/2016 01:10 PM, Sergei G wrote:
>>
>>> It appears that host is suffering from the same problem:
>>>
>>> host yahoo.com
>>> yahoo.com has address 206.190.36.45
>>> yahoo.com has address 98.138.253.109
>>> yahoo.com has address 98.139.183.24
>>> yahoo.com has IPv6 address 2001:4998:44:204::a7
>>> yahoo.com has IPv6 address 2001:4998:58:c02::a9
>>> yahoo.com has IPv6 address 2001:4998:c:a06::2:4008
>>> yahoo.com mail is handled by 1 mta7.am0.yahoodns.net.
>>> yahoo.com mail is handled by 1 mta6.am0.yahoodns.net.
>>> yahoo.com mail is handled by 1 mta5.am0.yahoodns.net.
>>>
>>>
>>> fetch http://206.190.36.45 (yahoo)
>>> times out
>>>
>>>
>>> On Mon, Feb 29, 2016 at 9:57 AM, Sergei G <sergeig.public@gmail.com>
>>> wrote:
>>>
>>>> If I use host command to resolve name to IP, then I get a correct IP.
>>>>
>>>> If I use ping, mysql, fetch commands, then DNS fails to resolve. I
>>>> can't quite figure out what the difference is.
>>>>
>>>> Jailed machine configuration:
>>>>
>>>> 1) issue is inside jailed system
>>>> 2) /etc/resolv.conf points to host's machine with nameserver 10.0.1.10
>>>>
>>>> Host machine:
>>>> 1) runs firewall
>>>> 2) runs local_unbind on all 53 ports
>>>> 3) runs nsd for private network on 1053 port.
>>>>
>>>> I am quite confused ATM.
>>>>
>>>> pfctl -sr output on the host:
>>>>
>>>> No ALTQ support in kernel
>>>> ALTQ related functions disabled
>>>> scrub in all fragment reassemble
>>>> block drop in log on bce0 all
>>>> block return in log on bce0 proto tcp from any to any port = ssh
>>>> block drop in log (to pflog1) quick on bce0 proto tcp from any to any port = mdns
>>>> block drop in log (to pflog1) quick on bce0 proto tcp from any to any port = 17500
>>>> block drop in log (to pflog1) quick on bce0 proto udp from any to any port = mdns
>>>> block drop in log (to pflog1) quick on bce0 proto udp from any to any port = 17500
>>>> block drop in quick on bce0 proto udp from any to any port = netbios-ns
>>>> block drop in quick on bce0 proto udp from any to any port = netbios-dgm
>>>> block drop in quick on bce0 proto udp from any to any port = 1900
>>>> block drop in quick on bce0 proto udp from any to any port = sunrpc
>>>> block drop in quick on bce0 proto tcp from any to any port = commplex-main
>>>> block drop in log (to pflog1) quick on bce0 proto igmp all
>>>> block drop in quick on bce0 inet proto udp from 0.0.0.0 port = bootpc to any port = bootps
>>>> pass in quick on bce0 inet proto udp from 10.0.1.1 port = bootps to any port = bootpc keep state
>>>> pass out quick on bce0 inet proto udp from any port = bootpc to 10.0.1.1 port = bootps keep state
>>>> block drop in log (to pflog1) quick on bce0 inet6 all
>>>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = domain flags S/SA keep state
>>>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = ssh flags S/SA keep state
>>>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 10.0.1.10 port = domain flags S/SA keep state
>>>> pass in quick on bce0 inet proto tcp from any to 10.0.1.10 port = http flags S/SA keep state
>>>> pass in quick on bce0 inet proto tcp from any to 10.0.1.10 port = https flags S/SA keep state
>>>> pass in quick on bce0 inet proto tcp from any to 10.0.1.10 port = auth flags S/SA keep state
>>>> pass in quick on bce0 inet proto tcp from 198.182.9.1 to 10.0.1.10 port = ssh flags S/SA keep state
>>>> pass in quick on bce0 inet proto tcp from 10.0.1.101 port = 8090 to 10.0.1.10 flags S/SA keep state
>>>> pass in quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = domain keep state
>>>> pass in quick on bce0 inet proto udp from 192.168.3.0/24 to 10.0.1.10 port = domain keep state
>>>> pass in quick on bce0 inet proto icmp from 10.0.1.0/24 to 10.0.1.10 icmp-type echoreq keep state
>>>> pass in log quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = domain flags S/SA keep state
>>>> pass in log quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = 1053 flags S/SA keep state
>>>> pass in log quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = domain keep state
>>>> pass in log quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = 1053 keep state
>>>> pass in log quick on lo0 inet proto tcp from 10.0.1.0/24 to 127.0.0.1 port = 1053 flags S/SA keep state
>>>> pass in log quick on lo0 inet proto udp from 10.0.1.0/24 to 127.0.0.1 port = 1053 keep state
>>>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 192.168.3.17 port = imap flags S/SA keep state
>>>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 192.168.3.17 port = smtp flags S/SA keep state
>>>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 192.168.3.17 port = submission flags S/SA keep state
>>>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 192.168.3.17 port = imap flags S/SA keep state
>>>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 192.168.3.17 port = smtp flags S/SA keep state
>>>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 192.168.3.17 port = submission flags S/SA keep state
>>>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.11 port = 9000 flags S/SA keep state
>>>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.15 port = 9000 flags S/SA keep state
>>>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.22 port = 9000 flags S/SA keep state
>>>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.13 port = 9001 flags S/SA keep state
>>>> pass out quick on bce0 inet proto tcp from 10.0.1.10 to 10.0.1.101 port = 8090 flags S/SA keep state
>>>> pass out quick on bce0 inet proto udp from any to any port = domain keep state
>>>> pass out quick on bce0 inet proto icmp all icmp-type echoreq keep state
>>>> pass in on bce0 inet proto tcp from 10.0.1.0/24 to any port = ftp flags S/SA keep state
>>>> pass in on bce0 inet proto tcp from 10.0.1.0/24 to any port > 49151 flags S/SA keep state
>>>>
>>>>
>> Do you encounter the same issue when you specify an external resolver?
>> What happens if you dig the domain from within the jailed environment?
>>
>> dig yahoo.com +trace
>> dig yahoo.com +trace @8.8.8.8
>>
>> -Mike B.
>>
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
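One check the quoted ruleset invites: with `block drop in log on bce0 all` as the inbound catch-all, replies to a flow that a jail on the host sends out only get back in if some `pass out ... keep state` rule created state for that flow (DNS has one, HTTP does not). The script below is an added example, not code from the thread; it parses pfctl -sr lines and reports that coverage. The jail address 10.0.1.20 and the four-rule subset are constructed from the listing above, and the check is deliberately a coverage test rather than a full pf last-match evaluation.

```python
"""Added example: check a pfctl -sr listing for stateful 'pass out' coverage.
Coverage check only, not pf's full last-match evaluation."""
import ipaddress

# Constructed subset of the ruleset quoted in the thread (host 10.0.1.10 on bce0).
SAMPLE_RULES = """\
block drop in log on bce0 all
pass out quick on bce0 inet proto udp from any to any port = domain keep state
pass out quick on bce0 inet proto tcp from 10.0.1.10 to 10.0.1.101 port = 8090 flags S/SA keep state
pass in on bce0 inet proto tcp from 10.0.1.0/24 to any port > 49151 flags S/SA keep state
"""
KEYWORDS = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}

def parse_rule(line):
    """Tokenise one pfctl -sr line into the fields the check needs."""
    toks = line.split()
    r = {"action": toks[0], "dir": None, "iface": None, "proto": "any",
         "src": "any", "dst": "any", "dport": None, "state": "keep state" in line}
    i, seen_to = 1, False
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            r["dir"] = t
        elif t in KEYWORDS:                 # keyword followed by one value
            i += 1
            r[KEYWORDS[t]] = toks[i]
            seen_to = seen_to or t == "to"
        elif t == "port" and seen_to:       # destination 'port = domain' / 'port > 49151'
            r["dport"] = (toks[i + 1], toks[i + 2])
            i += 2
        i += 1
    return r

def host_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def stateful_out_rule(rules, src, dst, proto, dport):
    """First 'pass out ... keep state' rule covering the flow, else None.
    Replies to an uncovered flow fall through to 'block drop in ... all'."""
    for r in rules:
        if (r["action"] == "pass" and r["dir"] == "out" and r["state"]
                and r["proto"] in ("any", proto)
                and host_matches(r["src"], src) and host_matches(r["dst"], dst)
                and r["dport"] in (None, ("=", dport))):
            return r
    return None

RULES = [parse_rule(l) for l in SAMPLE_RULES.splitlines() if l.startswith(("pass", "block"))]
JAIL_IP = "10.0.1.20"  # constructed; the thread does not give the jail's address
```

Against this subset, `stateful_out_rule(RULES, JAIL_IP, "8.8.8.8", "udp", "domain")` finds the DNS rule, while `stateful_out_rule(RULES, JAIL_IP, "206.190.36.45", "tcp", "http")` returns None, which matches the symptom of the fetch timing out while name resolution succeeds. Feed it the full `pfctl -sr` output to audit every flow a jail needs.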