Subject: Re: DNS with host works, but not with mysql or ping
To: freebsd-questions@freebsd.org
From: Michael Beasley
Message-ID: <56D48F62.9060804@gmail.com>
Date: Mon, 29 Feb 2016 13:35:14 -0500

On 02/29/2016 01:10 PM, Sergei G wrote:
> It appears that host is suffering from the same problem:
>
> host yahoo.com
> yahoo.com has address 206.190.36.45
> yahoo.com has address 98.138.253.109
> yahoo.com has address 98.139.183.24
> yahoo.com has IPv6 address 2001:4998:44:204::a7
> yahoo.com has IPv6 address 2001:4998:58:c02::a9
> yahoo.com has IPv6 address 2001:4998:c:a06::2:4008
> yahoo.com mail is handled by 1 mta7.am0.yahoodns.net.
> yahoo.com mail is handled by 1 mta6.am0.yahoodns.net.
> yahoo.com mail is handled by 1 mta5.am0.yahoodns.net.
>
> fetch http://206.190.36.45 (yahoo)
> times out
>
> On Mon, Feb 29, 2016 at 9:57 AM, Sergei G wrote:
>
>> If I use the host command to resolve a name to an IP, then I get a correct IP.
>>
>> If I use the ping, mysql or fetch commands, then DNS fails to resolve. I can't
>> quite figure out what the difference is.
>>
>> Jailed machine configuration:
>>
>> 1) issue is inside the jailed system
>> 2) /etc/resolv.conf points to the host machine with nameserver 10.0.1.10
>>
>> Host machine:
>> 1) runs a firewall
>> 2) runs local_unbound on all 53 ports
>> 3) runs nsd for the private network on port 1053.
>>
>> I am quite confused ATM.
>>
>> pfctl -sr output on the host:
>>
>> No ALTQ support in kernel
>> ALTQ related functions disabled
>> scrub in all fragment reassemble
>> block drop in log on bce0 all
>> block return in log on bce0 proto tcp from any to any port = ssh
>> block drop in log (to pflog1) quick on bce0 proto tcp from any to any port = mdns
>> block drop in log (to pflog1) quick on bce0 proto tcp from any to any port = 17500
>> block drop in log (to pflog1) quick on bce0 proto udp from any to any port = mdns
>> block drop in log (to pflog1) quick on bce0 proto udp from any to any port = 17500
>> block drop in quick on bce0 proto udp from any to any port = netbios-ns
>> block drop in quick on bce0 proto udp from any to any port = netbios-dgm
>> block drop in quick on bce0 proto udp from any to any port = 1900
>> block drop in quick on bce0 proto udp from any to any port = sunrpc
>> block drop in quick on bce0 proto tcp from any to any port = commplex-main
>> block drop in log (to pflog1) quick on bce0 proto igmp all
>> block drop in quick on bce0 inet proto udp from 0.0.0.0 port = bootpc to any port = bootps
>> pass in quick on bce0 inet proto udp from 10.0.1.1 port = bootps to any port = bootpc keep state
>> pass out quick on bce0 inet proto udp from any port = bootpc to 10.0.1.1 port = bootps keep state
>> block drop in log (to pflog1) quick on bce0 inet6 all
>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = domain flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = ssh flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 10.0.1.10 port = domain flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from any to 10.0.1.10 port = http flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from any to 10.0.1.10 port = https flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from any to 10.0.1.10 port = auth flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 198.182.9.1 to 10.0.1.10 port = ssh flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.101 port = 8090 to 10.0.1.10 flags S/SA keep state
>> pass in quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = domain keep state
>> pass in quick on bce0 inet proto udp from 192.168.3.0/24 to 10.0.1.10 port = domain keep state
>> pass in quick on bce0 inet proto icmp from 10.0.1.0/24 to 10.0.1.10 icmp-type echoreq keep state
>> pass in log quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = domain flags S/SA keep state
>> pass in log quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = 1053 flags S/SA keep state
>> pass in log quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = domain keep state
>> pass in log quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = 1053 keep state
>> pass in log quick on lo0 inet proto tcp from 10.0.1.0/24 to 127.0.0.1 port = 1053 flags S/SA keep state
>> pass in log quick on lo0 inet proto udp from 10.0.1.0/24 to 127.0.0.1 port = 1053 keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 192.168.3.17 port = imap flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 192.168.3.17 port = smtp flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 192.168.3.17 port = submission flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 192.168.3.17 port = imap flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 192.168.3.17 port = smtp flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 192.168.3.17 port = submission flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.11 port = 9000 flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.15 port = 9000 flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.22 port = 9000 flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.13 port = 9001 flags S/SA keep state
>> pass out quick on bce0 inet proto tcp from 10.0.1.10 to 10.0.1.101 port = 8090 flags S/SA keep state
>> pass out quick on bce0 inet proto udp from any to any port = domain keep state
>> pass out quick on bce0 inet proto icmp all icmp-type echoreq keep state
>> pass in on bce0 inet proto tcp from 10.0.1.0/24 to any port = ftp flags S/SA keep state
>> pass in on bce0 inet proto tcp from 10.0.1.0/24 to any port > 49151 flags S/SA keep state
>>
>>

Do you encounter the same issue when you specify an external resolver?

What happens if you dig the domain from within the jailed environment?

dig yahoo.com +trace
dig yahoo.com +trace @8.8.8.8

-Mike B.

> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
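Added example, not part of Mike's reply or of the thread: a small Python script that does the comparison Mike asks for from inside the jail, resolving the name through the libc path that ping, fetch and mysql use (getaddrinfo via /etc/resolv.conf) and, separately, with hand-built A queries sent straight to the jail's nameserver 10.0.1.10 and to 8.8.8.8 over both UDP and TCP, so a libc-only failure can be told apart from a blocked UDP or TCP 53 path. The server list, the test name yahoo.com and the minimal DNS wire-format helpers are assumptions constructed for this example.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    # Header (id, RD set, QDCOUNT=1) + QNAME labels + root + QTYPE=A, QCLASS=IN
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\0" + struct.pack("!HH", 1, 1)

def parse_answers(msg):
    # Return (rcode, [A-record addresses]) from a response to one of our queries
    _, flags, _, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = msg.index(b"\0", 12) + 5, []  # question echoes our uncompressed QNAME; +1 root, +4 QTYPE/QCLASS
    for _ in range(an):
        while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:  # step over owner-name labels
            off += msg[off] + 1
        off += 2 if msg[off] & 0xC0 == 0xC0 else 1  # 2-byte compression pointer or root label
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0xF, addrs

def raw_query(name, server, tcp=False, timeout=3.0):
    # Ask one server directly, bypassing /etc/resolv.conf and the libc resolver
    q = build_query(name)
    if tcp:
        with socket.create_connection((server, 53), timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)  # TCP DNS is length-prefixed
            return parse_answers(s.recv(struct.unpack("!H", s.recv(2))[0]))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return parse_answers(s.recv(4096))

def diagnose(name, servers=("10.0.1.10", "8.8.8.8")):
    # Assumed servers: the thread's jail nameserver and an external resolver.
    # "libc" is the getaddrinfo(3) path ping, fetch and mysql go through.
    probes = {"libc": lambda: sorted({a[4][0] for a in socket.getaddrinfo(name, 0, socket.AF_INET)})}
    for s in servers:
        probes[s + "/udp"] = lambda s=s: raw_query(name, s)
        probes[s + "/tcp"] = lambda s=s: raw_query(name, s, tcp=True)
    out = {}
    for label, probe in probes.items():
        try:
            out[label] = probe()
        except OSError as e:  # gaierror, timeout and connection refused all land here
            out[label] = "failed: " + str(e)
    return out
```

Run `diagnose("yahoo.com")` inside the jail: if "libc" fails while "10.0.1.10/udp" answers, the difference is in the jail's resolver configuration rather than in the pf rules shown above; if UDP to 10.0.1.10 fails but TCP succeeds, check the udp domain rules and the jail's source address against 10.0.1.0/24.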