Date: Fri, 20 Jul 2018 10:12:47 -0400
From: "James B. Byrne" <byrnejb@harte-lyne.ca>
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD-11.1 Jails and SSL
Message-ID: <af7d93beff2bae7f966372313c147885.squirrel@webmail.harte-lyne.ca>
In-Reply-To: <44eff8f3-d971-f813-727d-8ec35e31be65@nethead.se>
References: <b09a213c9018244d79763c7d65e98e1c.squirrel@webmail.harte-lyne.ca> <A820DA67-87FA-4638-B5D4-F87D63CB22C0@lists.vlassakakis.de> <56bbc3069975ec09b4771e57d138de64.squirrel@webmail.harte-lyne.ca> <39F372AB-BCCB-4A38-A351-F0F3ECCDEA21@lists.vlassakakis.de> <f7964527d64bf8a83c51a75ced360bd0.squirrel@webmail.harte-lyne.ca> <44eff8f3-d971-f813-727d-8ec35e31be65@nethead.se>
On Fri, July 20, 2018 03:28, Per olof Ljungmark wrote:
> On 07/19/18 22:52, James B. Byrne via freebsd-questions wrote:
>>
>> On Thu, July 19, 2018 16:38, Philipp Vlassakakis wrote:
>>>
>>>> On 19.07.2018 at 22:29 James B. Byrne
>>>> <byrnejb@harte-lyne.ca> wrote:
>>>>
>>>> UseDNS=YES in /etc/ssh/sshd_config
>>>
>>> Does the problem persist if you disable this option?
>>>
>>
>> No, it does not persist. Logons are now as fast as with any other
>> host. Why is UseDNS=YES (the default setting) a problem inside a
>> jail and nowhere else?
>>
>
> It is a "problem" in all setups where UseDNS=YES is defined and DNS
> for the host is not configured, not only in jails.
>
> It could be for example your jailed host's /etc/resolv.conf or your DNS
> zone.
>

The 'problem' was this:

# service local_unbound status
local_unbound is running as pid 27026.

# cat /etc/resolv.conf
search hamilton.harte-lyne.ca harte-lyne.ca
nameserver 127.0.0.1
nameserver 216.185.71.33
nameserver 216.185.71.34
options edns0 timeout:5 attempts:3

Delay and timeouts encountered with DNS resolution.

The first 'solution' was this:

# cat /etc/resolv.conf
search hamilton.harte-lyne.ca harte-lyne.ca
#nameserver 127.0.0.1
nameserver 216.185.71.33
nameserver 216.185.71.34
options edns0 timeout:5 attempts:3

No delay or timeouts with DNS resolution.

The second solution was this:

# cat /etc/resolv.conf
search hamilton.harte-lyne.ca harte-lyne.ca
#nameserver 127.0.0.1
nameserver 127.0.31.1
nameserver 216.185.71.33
nameserver 216.185.71.34
options edns0 timeout:5 attempts:3

No delay or timeouts with DNS resolution.

Where 127.0.31.1 is the address assigned to the cloned loopback interface
of the jail in question. Evidently the system resolver does not follow the
jail convention that 127.0.0.1 is remapped to whatever ip-addr is assigned
to the jail's lo. I seem to recall having run into this before but I had
forgotten about it, if indeed my dim recollection is correct.
The lesson is simple: if, on a jail, one uses a resolver configuration file
that includes the localhost then one MUST make sure that the loopback
address used is that actually assigned to the 'lo' interface.

Postfix and amavisd have similar issues when run in jails. The
'inet_interfaces' directive in Postfix MUST use the actual addresses
assigned to the loopback interface and amavisd MUST have '@inet_acl'
adjusted in /usr/local/etc/amavisd.conf to allow that specific ip-addr.

Thanks for the help.

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
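The check the message describes, as an added example that is not part of the original thread: a POSIX shell function that reads a resolv.conf and flags any nameserver in 127/8 that is not among the addresses actually bound on the jail's loopback. The two sample resolv.conf files and the loopback address list are constructed here to mirror the thread; on a live jail you would collect the addresses with ifconfig, and the interface name lo1 in the comment is an assumption (cloned loopbacks are numbered per host).

```sh
#!/bin/sh
# Added example, not code from the thread: flag resolv.conf nameservers in
# 127/8 that the jail does not own. The libc resolver does not remap
# 127.0.0.1 inside a jail, so such entries only time out.

# check_loopback_nameservers RESOLV_CONF "ADDR1 ADDR2 ..."
# Prints one line per offending entry; returns 1 if any were found, else 0.
check_loopback_nameservers() {
    conf=$1
    assigned=" $2 "
    rc=0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$conf"); do
        case "$ns" in
            127.*)
                case "$assigned" in
                    *" $ns "*) ;;   # bound on the jail's lo: reachable
                    *) echo "nameserver $ns is loopback but not assigned to the jail"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Loopback addresses the jail actually owns. On a live FreeBSD jail you would
# collect them from its cloned loopback (interface name lo1 is an assumption):
#   JAIL_LO_ADDRS=$(ifconfig lo1 inet | awk '/inet /{print $2}' | tr '\n' ' ')
# Here the value is constructed to match the thread.
JAIL_LO_ADDRS="127.0.31.1"

# Constructed sample files: the failing and the working resolv.conf.
BROKEN_CONF=$(mktemp); FIXED_CONF=$(mktemp)
trap 'rm -f "$BROKEN_CONF" "$FIXED_CONF"' EXIT
cat > "$BROKEN_CONF" <<'EOF'
search hamilton.harte-lyne.ca harte-lyne.ca
nameserver 127.0.0.1
nameserver 216.185.71.33
nameserver 216.185.71.34
options edns0 timeout:5 attempts:3
EOF
cat > "$FIXED_CONF" <<'EOF'
search hamilton.harte-lyne.ca harte-lyne.ca
nameserver 127.0.31.1
nameserver 216.185.71.33
nameserver 216.185.71.34
options edns0 timeout:5 attempts:3
EOF

# Stand-alone run: report on both files; the failing one prints its offender.
for f in "$BROKEN_CONF" "$FIXED_CONF"; do
    if check_loopback_nameservers "$f" "$JAIL_LO_ADDRS"; then
        echo "$f: all loopback nameservers are reachable from this jail"
    fi
done
```

Non-loopback nameservers are deliberately left alone: whether 216.185.71.33 answers is a routing question, not a jail-addressing one. The same address-list test applies to the Postfix inet_interfaces and amavisd @inet_acl settings the message mentions, since both must name the jail's real loopback address rather than 127.0.0.1.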
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?af7d93beff2bae7f966372313c147885.squirrel>