Date: Mon, 29 Feb 2016 13:35:14 -0500
From: Michael Beasley <youvegotmoxie@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: DNS with host works, but not with mysql or ping
Message-ID: <56D48F62.9060804@gmail.com>
In-Reply-To: <CAFLLzCM-fjeLKt3twK_ijiheVBX2BQjfx_8qrRNFi_1mAo-aLA@mail.gmail.com>
References: <CAFLLzCMntj4X2vLWd1VG=heE5S5sNVFsiSPNqyc8MAwPiWbMOw@mail.gmail.com> <CAFLLzCM-fjeLKt3twK_ijiheVBX2BQjfx_8qrRNFi_1mAo-aLA@mail.gmail.com>
On 02/29/2016 01:10 PM, Sergei G wrote:
> It appears that host is suffering from the same problem:
>
> host yahoo.com
> yahoo.com has address 206.190.36.45
> yahoo.com has address 98.138.253.109
> yahoo.com has address 98.139.183.24
> yahoo.com has IPv6 address 2001:4998:44:204::a7
> yahoo.com has IPv6 address 2001:4998:58:c02::a9
> yahoo.com has IPv6 address 2001:4998:c:a06::2:4008
> yahoo.com mail is handled by 1 mta7.am0.yahoodns.net.
> yahoo.com mail is handled by 1 mta6.am0.yahoodns.net.
> yahoo.com mail is handled by 1 mta5.am0.yahoodns.net.
>
> fetch http://206.190.36.45 (yahoo)
> times out
>
> On Mon, Feb 29, 2016 at 9:57 AM, Sergei G <sergeig.public@gmail.com> wrote:
>
>> If I use the host command to resolve a name to an IP, then I get the correct IP.
>>
>> If I use the ping, mysql, or fetch commands, then DNS fails to resolve. I can't
>> quite figure out what the difference is.
>>
>> Jailed machine configuration:
>>
>> 1) issue is inside the jailed system
>> 2) /etc/resolv.conf points to the host machine with nameserver 10.0.1.10
>>
>> Host machine:
>> 1) runs firewall
>> 2) runs local_unbound on all 53 ports
>> 3) runs nsd for the private network on port 1053.
>>
>> I am quite confused ATM.
>>
>> pfctl -sr output on the host:
>>
>> No ALTQ support in kernel
>> ALTQ related functions disabled
>> scrub in all fragment reassemble
>> block drop in log on bce0 all
>> block return in log on bce0 proto tcp from any to any port = ssh
>> block drop in log (to pflog1) quick on bce0 proto tcp from any to any port = mdns
>> block drop in log (to pflog1) quick on bce0 proto tcp from any to any port = 17500
>> block drop in log (to pflog1) quick on bce0 proto udp from any to any port = mdns
>> block drop in log (to pflog1) quick on bce0 proto udp from any to any port = 17500
>> block drop in quick on bce0 proto udp from any to any port = netbios-ns
>> block drop in quick on bce0 proto udp from any to any port = netbios-dgm
>> block drop in quick on bce0 proto udp from any to any port = 1900
>> block drop in quick on bce0 proto udp from any to any port = sunrpc
>> block drop in quick on bce0 proto tcp from any to any port = commplex-main
>> block drop in log (to pflog1) quick on bce0 proto igmp all
>> block drop in quick on bce0 inet proto udp from 0.0.0.0 port = bootpc to any port = bootps
>> pass in quick on bce0 inet proto udp from 10.0.1.1 port = bootps to any port = bootpc keep state
>> pass out quick on bce0 inet proto udp from any port = bootpc to 10.0.1.1 port = bootps keep state
>> block drop in log (to pflog1) quick on bce0 inet6 all
>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = domain flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = ssh flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 10.0.1.10 port = domain flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from any to 10.0.1.10 port = http flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from any to 10.0.1.10 port = https flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from any to 10.0.1.10 port = auth flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 198.182.9.1 to 10.0.1.10 port = ssh flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.101 port = 8090 to 10.0.1.10 flags S/SA keep state
>> pass in quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = domain keep state
>> pass in quick on bce0 inet proto udp from 192.168.3.0/24 to 10.0.1.10 port = domain keep state
>> pass in quick on bce0 inet proto icmp from 10.0.1.0/24 to 10.0.1.10 icmp-type echoreq keep state
>> pass in log quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = domain flags S/SA keep state
>> pass in log quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = 1053 flags S/SA keep state
>> pass in log quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = domain keep state
>> pass in log quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = 1053 keep state
>> pass in log quick on lo0 inet proto tcp from 10.0.1.0/24 to 127.0.0.1 port = 1053 flags S/SA keep state
>> pass in log quick on lo0 inet proto udp from 10.0.1.0/24 to 127.0.0.1 port = 1053 keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 192.168.3.17 port = imap flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 192.168.3.17 port = smtp flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 192.168.3.17 port = submission flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 192.168.3.17 port = imap flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 192.168.3.17 port = smtp flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 192.168.3.17 port = submission flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.11 port = 9000 flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.15 port = 9000 flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.22 port = 9000 flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.13 port = 9001 flags S/SA keep state
>> pass out quick on bce0 inet proto tcp from 10.0.1.10 to 10.0.1.101 port = 8090 flags S/SA keep state
>> pass out quick on bce0 inet proto udp from any to any port = domain keep state
>> pass out quick on bce0 inet proto icmp all icmp-type echoreq keep state
>> pass in on bce0 inet proto tcp from 10.0.1.0/24 to any port = ftp flags S/SA keep state
>> pass in on bce0 inet proto tcp from 10.0.1.0/24 to any port > 49151 flags S/SA keep state
>>

Do you encounter the same issue when you specify an external resolver? What happens if you dig the domain from within the jailed environment?

dig yahoo.com +trace
dig yahoo.com +trace @8.8.8.8

-Mike B.
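As an added example (not code from the thread or from FreeBSD), a stateless model of pf's rule evaluation run over a subset of the ruleset posted above: it applies last-match-wins with the quick short-circuit and answers whether a jail's resolver query to 10.0.1.10 port 53 is passed, and what the catch-all `block drop in` does to traffic no pass rule covers. The jail address 10.0.1.20 and the outside address 198.51.100.7 used in the checks are assumptions; 'keep state' is not modelled.

```python
"""Stateless evaluator for a subset of the 'pfctl -sr' ruleset posted in the thread.
pf scans rules top to bottom; the LAST match decides unless a matching 'quick' rule
ends the scan; no match at all means pf's default pass. 'keep state' is not modelled.
Added example for this archive page, not code from the thread."""
import ipaddress
# Subset of the rules the original poster pasted, copied verbatim.
RULES = """
block drop in log on bce0 all
block drop in log (to pflog1) quick on bce0 inet6 all
pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = domain flags S/SA keep state
pass in quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = domain keep state
pass out quick on bce0 inet proto udp from any to any port = domain keep state
""".strip().splitlines()
SERVICES = {"domain": 53, "ssh": 22, "http": 80, "https": 443}  # port names pfctl prints

def parse_rule(line):
    """Extract the fields evaluated below; log, flags and keep state are ignored."""
    t = line.replace("(to pflog1)", "").split()  # pflog1 is the only log target posted
    r = {"action": t[0], "quick": "quick" in t, "dir": "in" if "in" in t else "out",
         "iface": t[t.index("on") + 1], "af": 6 if "inet6" in t else 4 if "inet" in t else None,
         "proto": t[t.index("proto") + 1] if "proto" in t else None,
         "src": t[t.index("from") + 1] if "from" in t else "any", "dst": "any", "port": None}
    if "to" in t:
        j = t.index("to")
        r["dst"] = t[j + 1]
        if t[j + 2:j + 3] == ["port"]:  # only a destination port is modelled
            op, val = t[j + 3], t[j + 4]
            r["port"] = (op, int(val) if val.isdigit() else SERVICES.get(val))
    return r

def addr_match(spec, ip):
    return spec == "any" or ip in ipaddress.ip_network(spec, strict=False)

def port_match(rule_port, dport):
    op, val = rule_port or (None, None)
    return op is None or (val is not None and dport is not None and (dport == val if op == "=" else dport > val))

def evaluate(direction, iface, proto, src, dst, dport, rules=RULES):
    """Return (action, deciding_rule); deciding_rule is None when pf's default pass applies."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    decision = ("pass", None)
    for line in rules:
        r = parse_rule(line)
        if (r["dir"] != direction or r["iface"] != iface or (r["af"] and r["af"] != src_ip.version)
                or (r["proto"] and r["proto"] != proto) or not port_match(r["port"], dport)
                or not (addr_match(r["src"], src_ip) and addr_match(r["dst"], dst_ip))):
            continue
        decision = (r["action"], line)
        if r["quick"]:
            break
    return decision
```

A packet that matches no rule (for instance the jail's outbound TCP to 206.190.36.45 port 80, which only the default pass covers) is passed without any rule creating state, which is worth keeping in mind when the catch-all `block drop in log on bce0 all` is the only inbound rule left for its replies.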