kern/103464: jail networking failures to only

Matt Simerson matt at
Thu Sep 21 17:40:25 PDT 2006

>Number:         103464
>Category:       kern
>Synopsis:       jail networking failures to only
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 22 00:40:21 GMT 2006
>Originator:     Matt Simerson
>Release:        FreeBSD 6.1-RELEASE-p6
FreeBSD jail11 6.1-RELEASE-p6 FreeBSD 6.1-RELEASE-p6 #1: Sun Sep 17 19:00:32 CDT 2006     root at  i386
DNS requests sent from a jail to the host (which is running dnscache) fail.

The FreeBSD host has two interfaces of concern:

        inet netmask 0xffffff00 broadcast
        inet netmask 0xffffffff broadcast
        inet netmask 0xffffffff broadcast
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet netmask 0xff000000 
        inet netmask 0xffffffff
        inet netmask 0xffffffff

I configured dnscache on and permitted all hosts on the 127 network to access it. DNS queries from host OS work perfectly as expected:

host-os# dig @
;; ANSWER SECTION:        3590    IN      A

..but queries from a jail running on, fail. 

mysql# dig @

; <<>> DiG 9.3.2 <<>> @
; (1 server found)
;; connection timed out; no servers could be reached

Then I tried creating another jail on one of the 10. addresses. I get exactly the same results: no DNS queries work.

So I moved the DNS resolver from to. Once listening on a 10 net address, all jails could resolve queries using it. Then, thinking it was something specific to the loopback interface, I moved the resolver to, but it still works! So, the only address that causes this problem is the special 

Then, just for grins, I decided to see what was happening to the requests. is the jailed host sending the DNS request.

host-os# tcpdump -i lo0 port 53
19:29:15.021769 IP >  34780+ PTR? (41)
19:29:15.022086 IP >  34780 NXDomain* 0/0/0 (41)
19:29:19.204934 IP >  40192+ A? (33)
19:29:24.205913 IP >  40192+ A? (33)

...and dnscache actually gets the request

2006-09-21 19:29:15.021908500 query 9 7f000001:fb92:87dc 12
19:29:14.204174 IP >  40192+ A? (33)
2006-09-21 19:29:15.022088500 cached nxdomain
2006-09-21 19:29:15.022211500 sent 9 41

...but the DNS client never receives the answer.

So, the request actually does make it from the jail to the host, but when I ran tcpdump on em0 (the interface the jail is on), there is no response going back to the jail.

1. Install FreeBSD 6.1 - std install
2. install a DNS resolver (BIND or dnscache) on
3. create a jail on any interface, using any IP on the box
4. log into the jail and attempt to resolve DNS queries using the DNS cache on  (dig @
5. witness the failure.

6. Move the DNS cache to any other IP.
7. Witness it work.

Fix the code, or document the limitation.

A workaround is not to run services (perhaps only DNS?) on but on another IP, such as
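Added example (not code from the PR or from FreeBSD): a small Python script that pairs the queries and replies in tcpdump -i lo0 port 53 output the way the report does by hand, listing queries that were retransmitted without ever receiving an answer and flagging the jail-to-loopback combination the report describes. The capture it runs on is constructed; the jail address 10.0.0.11, the client ports and the query names are placeholders, not values from the report.

```python
import ipaddress
import re

# Added example, not from the PR or FreeBSD. Matches tcpdump's default DNS
# summary line: "ts IP src.port > dst.port:  id[+] rest".
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<id>\d+)(?P<rd>\+?)\s+(?P<rest>.*)$"
)

# Constructed capture shaped like the report's (placeholder addresses and names):
# the PTR lookup is answered, the A lookup is retransmitted after 5 s, never answered.
SAMPLE = """\
19:29:15.021769 IP 10.0.0.11.64402 > 127.0.0.1.53:  34780+ PTR? 1.0.0.127.in-addr.arpa. (41)
19:29:15.022086 IP 127.0.0.1.53 > 10.0.0.11.64402:  34780 NXDomain* 0/0/0 (41)
19:29:19.204934 IP 10.0.0.11.52817 > 127.0.0.1.53:  40192+ A? mail.example.net. (33)
19:29:24.205913 IP 10.0.0.11.52817 > 127.0.0.1.53:  40192+ A? mail.example.net. (33)
"""

def pair_queries(text):
    """Map (client, client port, DNS id) -> attempts, resolver, query, reply."""
    flows = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        f = m.groupdict()
        if f["dport"] == "53":           # client -> resolver: count attempts
            key = (f["src"], f["sport"], f["id"])
            rec = flows.setdefault(key, {"query": f["rest"], "resolver": f["dst"],
                                         "attempts": 0, "reply": None})
            rec["attempts"] += 1
        elif f["sport"] == "53":         # resolver -> client: record the answer
            key = (f["dst"], f["dport"], f["id"])
            if key in flows:
                flows[key]["reply"] = f["rest"]
    return flows

def unanswered(flows):
    """Retried and never answered: the report's symptom (request seen on lo0,
    dnscache logs 'sent', nothing goes back to the jail)."""
    return sorted(k for k, r in flows.items()
                  if r["reply"] is None and r["attempts"] > 1)

def crosses_loopback(flows):
    """Non-loopback client -> 127/8 resolver: the jail-to-host case that fails."""
    return sorted(k for k, r in flows.items()
                  if ipaddress.ip_address(r["resolver"]).is_loopback
                  and not ipaddress.ip_address(k[0]).is_loopback)
```

Running unanswered(pair_queries(SAMPLE)) on the constructed capture returns only the retried A query, while crosses_loopback flags both queries because both go from the jail address to the loopback resolver.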
