From: "James B. Byrne" <byrnejb@harte-lyne.ca>
To: freebsd-questions@freebsd.org
Date: Fri, 20 Jul 2018 10:12:47 -0400
Subject: Re: FreeBSD-11.1 Jails and SSL
In-Reply-To: <44eff8f3-d971-f813-727d-8ec35e31be65@nethead.se>

On Fri, July 20, 2018 03:28, Per olof Ljungmark wrote:
> On 07/19/18 22:52, James B. Byrne via freebsd-questions wrote:
>>
>> On Thu, July 19, 2018 16:38, Philipp Vlassakakis wrote:
>>>
>>>> On 19.07.2018 at 22:29 James B. Byrne
>>>> wrote:
>>>>
>>>> UseDNS=YES in /etc/ssh/sshd_config
>>>
>>> Does the problem persist if you disable this option?
>>>
>>
>> No, it does not persist. Log-ons are now as fast as with any other
>> host. Why is UseDNS=YES (the default setting) a problem inside a
>> jail and nowhere else?
>>
>
> It is a "problem" in all setups where UseDNS=YES is defined and DNS
> for the host is not configured, not only in jails.
>
> It could be, for example, your jailed host's /etc/resolv.conf or your DNS
> zone.
>

The 'problem' was this:

# service local_unbound status
local_unbound is running as pid 27026.

# cat /etc/resolv.conf
search hamilton.harte-lyne.ca harte-lyne.ca
nameserver 127.0.0.1
nameserver 216.185.71.33
nameserver 216.185.71.34
options edns0 timeout:5 attempts:3

Delay and timeouts encountered with DNS resolution.

The first 'solution' was this:

# cat /etc/resolv.conf
search hamilton.harte-lyne.ca harte-lyne.ca
#nameserver 127.0.0.1
nameserver 216.185.71.33
nameserver 216.185.71.34
options edns0 timeout:5 attempts:3

No delay or timeouts with DNS resolution.

The second solution was this:

# cat /etc/resolv.conf
search hamilton.harte-lyne.ca harte-lyne.ca
#nameserver 127.0.0.1
nameserver 127.0.31.1
nameserver 216.185.71.33
nameserver 216.185.71.34
options edns0 timeout:5 attempts:3

No delay or timeouts with DNS resolution.

Where 127.0.31.1 is the address assigned to the cloned loopback
interface of the jail in question.

Evidently the system resolver does not follow the jail convention that
127.0.0.1 is remapped to whatever ip-addr is assigned to the jail's lo.
I seem to recall having run into this before, but I had forgotten
about it, if indeed my dim recollection is correct.

The lesson is simple: if, on a jail, one uses a resolver configuration
file that includes the localhost, then one MUST make sure that the
loopback address used is that actually assigned to the 'lo' interface.

Postfix and amavisd have similar issues when run in jails. The
'inet_interfaces' directive in Postfix MUST use the actual addresses
assigned to the loopback interface, and amavisd MUST have '@inet_acl'
adjusted in /usr/local/etc/amavisd.conf to allow that specific ip-addr.

Thanks for the help.

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
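The check the mail's lesson calls for, as an added example that is not part of the original post or of FreeBSD: a small POSIX sh script that reads a resolv.conf, picks out every active 'nameserver' in 127.0.0.0/8, and reports any that is not actually bound to the jail's loopback interface. The resolv.conf and ifconfig text embedded below are constructed from the values in the mail; the interface name lo1 in the usage comment is an assumption, since the jail's cloned loopback may be named differently.

```sh
#!/bin/sh
# Added example, not code from the original mail or from FreeBSD.
# Verifies that loopback nameservers in a jail's resolv.conf are addresses
# the jail really owns, since 127.0.0.1 is NOT remapped for the resolver.

# check_resolv_loopback ASSIGNED_ADDRS < resolv.conf
#   Reads resolv.conf text on stdin. ASSIGNED_ADDRS is a space-separated
#   list of IPv4 addresses bound to the jail's loopback interface. Prints
#   every active 'nameserver' entry in 127.0.0.0/8 that is not in the list
#   and returns 1 if any was found, 0 otherwise. Commented-out lines such
#   as '#nameserver 127.0.0.1' are skipped: their first field is not
#   'nameserver'.
check_resolv_loopback() {
    assigned="$1"
    bad=0
    for ns in $(awk '$1 == "nameserver" { print $2 }'); do
        case "$ns" in
            127.*)
                found=0
                for a in $assigned; do
                    if [ "$a" = "$ns" ]; then found=1; fi
                done
                if [ "$found" -eq 0 ]; then
                    echo "nameserver $ns: loopback address not assigned to this jail"
                    bad=1
                fi
                ;;
        esac
    done
    return "$bad"
}

# inet_addrs_from_ifconfig < ifconfig-output
#   Extracts the IPv4 addresses from 'ifconfig <if> inet' style output as a
#   single space-separated line, ready to pass to check_resolv_loopback.
inet_addrs_from_ifconfig() {
    awk '$1 == "inet" { print $2 }' | tr '\n' ' '
}

# Constructed sample data (not captured from a live jail): the resolv.conf
# from the mail before and after the fix, and an ifconfig listing for a jail
# whose cloned loopback holds 127.0.31.1.
SAMPLE_RESOLV_BROKEN='search hamilton.harte-lyne.ca harte-lyne.ca
nameserver 127.0.0.1
nameserver 216.185.71.33
nameserver 216.185.71.34
options edns0 timeout:5 attempts:3'

SAMPLE_RESOLV_FIXED='search hamilton.harte-lyne.ca harte-lyne.ca
#nameserver 127.0.0.1
nameserver 127.0.31.1
nameserver 216.185.71.33
nameserver 216.185.71.34
options edns0 timeout:5 attempts:3'

SAMPLE_IFCONFIG='lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet 127.0.31.1 netmask 0xffffffff'

# Walk both samples. On a real jail the equivalent is (interface name assumed):
#   addrs=$(ifconfig lo1 inet | inet_addrs_from_ifconfig)
#   check_resolv_loopback "$addrs" < /etc/resolv.conf
demo() {
    addrs=$(printf '%s\n' "$SAMPLE_IFCONFIG" | inet_addrs_from_ifconfig)
    echo "jail loopback addresses: $addrs"
    echo "original resolv.conf:"
    if printf '%s\n' "$SAMPLE_RESOLV_BROKEN" | check_resolv_loopback "$addrs"; then
        echo "  ok"
    fi
    echo "corrected resolv.conf:"
    if printf '%s\n' "$SAMPLE_RESOLV_FIXED" | check_resolv_loopback "$addrs"; then
        echo "  ok"
    fi
}

demo
```

The same check transfers to the other two cases the mail names: the addresses in Postfix's 'inet_interfaces' and in amavisd's '@inet_acl' can be compared against the same ifconfig-derived list, since both fail for the same reason when they are given 127.0.0.1 inside a jail.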