Date:      Tue, 1 Mar 2016 09:46:42 -0800
From:      Sergei G <sergeig.public@gmail.com>
To:        Michael Beasley <youvegotmoxie@gmail.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: DNS with host works, but not with mysql or ping
Message-ID:  <CAFLLzCPbfgB16meCZ-7HHucWXJJWiuua-OG=CtPE93tcEH72LA@mail.gmail.com>
In-Reply-To: <CAFLLzCOh074fcuDCKW2x=J3DJaH5Bp2g_Wh-c6ngWY7jjwib7Q@mail.gmail.com>
References:  <CAFLLzCMntj4X2vLWd1VG=heE5S5sNVFsiSPNqyc8MAwPiWbMOw@mail.gmail.com> <CAFLLzCM-fjeLKt3twK_ijiheVBX2BQjfx_8qrRNFi_1mAo-aLA@mail.gmail.com> <56D48F62.9060804@gmail.com> <CAFLLzCNy0LPv4pHEnqrzohiF5TP8gMiviZ-UeXRPrc2jDKcr4A@mail.gmail.com> <CAFLLzCOh074fcuDCKW2x=J3DJaH5Bp2g_Wh-c6ngWY7jjwib7Q@mail.gmail.com>

Here is what I was able to collect after multiple experiments with:
  fetch http://yahoo.com from jail:

* I don't see jail's IP in tcpdump no matter what.

* I see traffic from local_unbound server to external DNS and responses.
So, I know my jail's request goes through, but response is not coming
through.

* Even when I switched to default rule to pass traffic it did not work.

* Switching to an external DNS server in the jail's /etc/resolv.conf makes fetch
work.  I'd like to use my host's DNS as I have private names to
resolve.

Am I running into some jail network restrictions in here?

The jail host's DNS works, and DNS on every machine on the LAN has no problem (they are
set to use the 10.0.1.10 DNS server and I see the traffic in the logs).

Command "host" from jail works:

  host yahoo.com  (ok)
  host yahoo.com 10.0.1.10 (ok),

but no other command can resolve the same name (fetch, ping).

I am focused on fetch, because I use pkg inside jail.

I'd like to keep using internal DNS instead of Comcast's DNS, because I'd
like to be able to resolve internal names.

My setup is running unbound on :53 of the host machine and nsd on port 1053
for the private network. Local DNS forwards private zone requests to NSD.

***I don't currently have NSD configured for reverse DNS.  Could that be an
issue?  I don't see how, because I am requesting external names***


Thank you


On Mon, Feb 29, 2016 at 10:56 AM, Sergei G <sergeig.public@gmail.com> wrote:

> I have no dig inside jail, but drill works and reports from 10.0.1.10
> (local_unbound server):
>
> drill yahoo.com
> ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 25675
> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;; yahoo.com.   IN      A
>
> ;; ANSWER SECTION:
> yahoo.com.      1034    IN      A       98.139.183.24
> yahoo.com.      1034    IN      A       98.138.253.109
> yahoo.com.      1034    IN      A       206.190.36.45
>
> ;; AUTHORITY SECTION:
>
> ;; ADDITIONAL SECTION:
>
> ;; Query time: 0 msec
> ;; SERVER: 10.0.1.10
> ;; WHEN: Mon Feb 29 18:57:16 2016
> ;; MSG SIZE  rcvd: 75
>
>
> On Mon, Feb 29, 2016 at 10:52 AM, Sergei G <sergeig.public@gmail.com>
> wrote:
>
>> Thank you.
>>
>> I did find that the host was not passing outbound http, because I was missing a
>> statement.
>>
>> So, I am now down to just properly configuring DNS.
>>
>> On Mon, Feb 29, 2016 at 10:35 AM, Michael Beasley <
>> youvegotmoxie@gmail.com> wrote:
>>
>>>
>>>
>>> On 02/29/2016 01:10 PM, Sergei G wrote:
>>>
>>>> It appears that host is suffering from the same problem:
>>>>
>>>> host yahoo.com
>>>> yahoo.com has address 206.190.36.45
>>>> yahoo.com has address 98.138.253.109
>>>> yahoo.com has address 98.139.183.24
>>>> yahoo.com has IPv6 address 2001:4998:44:204::a7
>>>> yahoo.com has IPv6 address 2001:4998:58:c02::a9
>>>> yahoo.com has IPv6 address 2001:4998:c:a06::2:4008
>>>> yahoo.com mail is handled by 1 mta7.am0.yahoodns.net.
>>>> yahoo.com mail is handled by 1 mta6.am0.yahoodns.net.
>>>> yahoo.com mail is handled by 1 mta5.am0.yahoodns.net.
>>>>
>>>>
>>>> fetch  http://206.190.36.45  (yahoo)
>>>> times out
>>>>
>>>>
>>>> On Mon, Feb 29, 2016 at 9:57 AM, Sergei G <sergeig.public@gmail.com>
>>>> wrote:
>>>>
>>>> If I use host command to resolve name to IP, then I get a correct IP.
>>>>>
>>>>> If I use ping, mysql, fetch commands, then DNS fails to resolve.  I can't
>>>>> quite figure out what the difference is.
>>>>>
>>>>> Jailed machine configuration:
>>>>>
>>>>> 1) issue is inside jailed system
>>>>> 2) /etc/resolv.conf points to host's machine with nameserver 10.0.1.10
>>>>>
>>>>> Host machine:
>>>>> 1) runs firewall
>>>>> 2) runs local_unbound on all 53 ports
>>>>> 3) runs nsd for private network on 1053 port.
>>>>>
>>>>> I am quite confused ATM.
>>>>>
>>>>> pfctl -sr output on the host:
>>>>>
>>>>> No ALTQ support in kernel
>>>>> ALTQ related functions disabled
>>>>> scrub in all fragment reassemble
>>>>> block drop in log on bce0 all
>>>>> block return in log on bce0 proto tcp from any to any port = ssh
>>>>> block drop in log (to pflog1) quick on bce0 proto tcp from any to any port = mdns
>>>>> block drop in log (to pflog1) quick on bce0 proto tcp from any to any port = 17500
>>>>> block drop in log (to pflog1) quick on bce0 proto udp from any to any port = mdns
>>>>> block drop in log (to pflog1) quick on bce0 proto udp from any to any port = 17500
>>>>> block drop in quick on bce0 proto udp from any to any port = netbios-ns
>>>>> block drop in quick on bce0 proto udp from any to any port = netbios-dgm
>>>>> block drop in quick on bce0 proto udp from any to any port = 1900
>>>>> block drop in quick on bce0 proto udp from any to any port = sunrpc
>>>>> block drop in quick on bce0 proto tcp from any to any port = commplex-main
>>>>> block drop in log (to pflog1) quick on bce0 proto igmp all
>>>>> block drop in quick on bce0 inet proto udp from 0.0.0.0 port = bootpc to any port = bootps
>>>>> pass in quick on bce0 inet proto udp from 10.0.1.1 port = bootps to any port = bootpc keep state
>>>>> pass out quick on bce0 inet proto udp from any port = bootpc to 10.0.1.1 port = bootps keep state
>>>>> block drop in log (to pflog1) quick on bce0 inet6 all
>>>>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = domain flags S/SA keep state
>>>>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = ssh flags S/SA keep state
>>>>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 10.0.1.10 port = domain flags S/SA keep state
>>>>> pass in quick on bce0 inet proto tcp from any to 10.0.1.10 port = http flags S/SA keep state
>>>>> pass in quick on bce0 inet proto tcp from any to 10.0.1.10 port = https flags S/SA keep state
>>>>> pass in quick on bce0 inet proto tcp from any to 10.0.1.10 port = auth flags S/SA keep state
>>>>> pass in quick on bce0 inet proto tcp from 198.182.9.1 to 10.0.1.10 port = ssh flags S/SA keep state
>>>>> pass in quick on bce0 inet proto tcp from 10.0.1.101 port = 8090 to 10.0.1.10 flags S/SA keep state
>>>>> pass in quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = domain keep state
>>>>> pass in quick on bce0 inet proto udp from 192.168.3.0/24 to 10.0.1.10 port = domain keep state
>>>>> pass in quick on bce0 inet proto icmp from 10.0.1.0/24 to 10.0.1.10 icmp-type echoreq keep state
>>>>> pass in log quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = domain flags S/SA keep state
>>>>> pass in log quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = 1053 flags S/SA keep state
>>>>> pass in log quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = domain keep state
>>>>> pass in log quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = 1053 keep state
>>>>> pass in log quick on lo0 inet proto tcp from 10.0.1.0/24 to 127.0.0.1 port = 1053 flags S/SA keep state
>>>>> pass in log quick on lo0 inet proto udp from 10.0.1.0/24 to 127.0.0.1 port = 1053 keep state
>>>>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 192.168.3.17 port = imap flags S/SA keep state
>>>>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 192.168.3.17 port = smtp flags S/SA keep state
>>>>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 192.168.3.17 port = submission flags S/SA keep state
>>>>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 192.168.3.17 port = imap flags S/SA keep state
>>>>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 192.168.3.17 port = smtp flags S/SA keep state
>>>>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 192.168.3.17 port = submission flags S/SA keep state
>>>>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.11 port = 9000 flags S/SA keep state
>>>>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.15 port = 9000 flags S/SA keep state
>>>>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.22 port = 9000 flags S/SA keep state
>>>>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.13 port = 9001 flags S/SA keep state
>>>>> pass out quick on bce0 inet proto tcp from 10.0.1.10 to 10.0.1.101 port = 8090 flags S/SA keep state
>>>>> pass out quick on bce0 inet proto udp from any to any port = domain keep state
>>>>> pass out quick on bce0 inet proto icmp all icmp-type echoreq keep state
>>>>> pass in on bce0 inet proto tcp from 10.0.1.0/24 to any port = ftp flags S/SA keep state
>>>>> pass in on bce0 inet proto tcp from 10.0.1.0/24 to any port > 49151 flags S/SA keep state
>>>>>
>>>>>
>>> Do you encounter the same issue when you specify an external
>>> resolver?  What happens if you dig the domain from within the jailed
>>> environment?
>>>
>>> dig yahoo.com +trace
>>> dig yahoo.com +trace @8.8.8.8
>>>
>>> -Mike B.
>>>
>>
>>
>
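As an added example (not from the thread or from pf itself), a small Python model of how pf walks a ruleset like the one quoted above: the last matching rule wins unless it is marked quick, and a packet that no rule matches gets pf's default pass. It uses a constructed subset of the quoted rules; the lo0 case shows that the "block drop in log on bce0 all" rule is bound to bce0 and does not cover loopback traffic.

```python
# Added example (not from the thread): a small model of pf's rule matching,
# last matching rule wins unless a rule says 'quick', run over a constructed
# subset of the pfctl -sr output quoted above. Source ports, flags and state
# options are ignored; only the rule shapes in RULESET are parsed.
import ipaddress, re

SERVICES = {"domain": 53, "ssh": 22, "mdns": 5353}  # names seen in the output
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?: \w+)? (?P<dir>in|out)(?: log(?: \(to \w+\))?)?"
    r"(?P<quick> quick)? on (?P<iface>\w+)(?: inet)?(?: proto (?P<proto>\w+))?"
    r"(?: (?P<all>all)| from (?P<src>\S+)(?: port = \S+)? to (?P<dst>\S+)"
    r"(?: port = (?P<port>\S+))?)")
RULESET = """\
scrub in all fragment reassemble
block drop in log on bce0 all
block return in log on bce0 proto tcp from any to any port = ssh
block drop in log (to pflog1) quick on bce0 proto udp from any to any port = mdns
pass in quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = domain keep state
pass in log quick on lo0 inet proto udp from 10.0.1.0/24 to 127.0.0.1 port = 1053 keep state
"""

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:                                # scrub and other non-filter lines are skipped
            r = m.groupdict()
            if r["port"] is not None:
                r["port"] = SERVICES.get(r["port"]) or int(r["port"])
            rules.append(r)
    return rules

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, pkt):
    if r["dir"] != pkt["dir"] or r["iface"] != pkt["iface"]:
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    return bool(r["all"]) or (in_net(pkt["src"], r["src"]) and in_net(pkt["dst"], r["dst"])
                              and (r["port"] is None or r["port"] == pkt["dport"]))

def verdict(iface, direction, proto, src, dst, dport=None):
    pkt = dict(iface=iface, dir=direction, proto=proto, src=src, dst=dst, dport=dport)
    result = "pass"                          # pf's default when no rule matches at all
    for r in parse_rules(RULESET):
        if matches(r, pkt):
            result = r["action"]
            if r["quick"]:                   # 'quick' stops evaluation at this rule
                break
    return result
```

The interface and addresses passed to verdict() are constructed test values; a real jail's traffic may leave on lo0 or on an alias of bce0, which is exactly what tcpdump on each interface would tell you.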


