misc/74314: DNS resolver broken under certain jail conditions

Juan Pablo Villa juan at datafull.com
Tue Nov 23 22:50:22 PST 2004 

>Number:         74314
>Category:       misc
>Synopsis:       DNS resolver broken under certain jail conditions
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 24 06:50:21 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Juan Pablo Villa
>Release:        4.9-RELEASE-p13
>Organization:
Datafull.com
>Environment:
FreeBSD XXXXXX.datafull.com 4.9-RELEASE-p13 FreeBSD 4.9-RELEASE-p13 #0: Sat Nov 20 22:57:03 ART 2004     root@:/usr/obj/usr/src/sys/GENERIC  i386

Also tested this with 4.10-RELEASE, 4.9-RELEASE, and 4.10-STABLE this one built on Nov 19 2004 (approx.). I've enjoyed my weekend rebuilding world like crazy, looking to avoid this bug without any results.
>Description:
When creating new jails for mi internal network, I hit the following:

I have 2 ethernet interfaces, lets say dc0 and dc1.
dc0 has an ip public address, connected to the internet thru a default gw
dc1 has a private ip address (i.e. 10.3.2.102)

If I start the jail env with an aliased ip from dc0, everything works ok, just as usual.
However, using aliases from dc1, things are a little bit different, because the resolver seems broken from inside the jail. 
Netcat and UDP traffic in general to host/outside seems ok in both ways, but DNS lookups don't work anymore.

Dig lookups from inside the jail result in the following:

#dig freebsd.org

; <<>> DiG 8.3 <<>> freebsd.org
;; res options: init recurs defnam dnsrch
;; res_nsend: Operation timed out

or a similar res_nsend error. 

Looking on the internet, a similar case is described on: http://archive.pilgerer.org/mharc/html/freebsd-questions/2004-04/msg02948.html

I guess that using jail aliases within the same net as the default gw works, and the rest of aliases don't (the rest don't have a default gw on the same net, of course). Just guessing.
>How-To-Repeat:
1) Create a jail env, as explained on jail(8)
2) Create an alias on dc1 for the jail (i.e. ifconfig dc1 -alias 10.3.2.11 netmask 255.255.255.255). dc1 must not be your main interface
3) Copy a working /etc/resolv.conf from host to jail
4) Initialize jail with that previous ip alias (i.e. jail /usr/jail/ jail.datafull.com 10.3.2.11 /bin/sh)
5) dig freebsd.org
6) nc -u YOUR_DNS.com 53

>Fix:
Just guessing here: If normal UDP traffic is possible (as shown by netcat), then a temporary workaround would be to install a recursive dns like dnscache (on host, or could be on the jail too). Haven't tried yet.
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list