IPv6 only Jails cannot connect to the outside world

Niklaas Baudet von Gersdorff niklaas at kulturflatrate.net
Mon Oct 5 10:30:15 UTC 2015


On 05/10/15 02:54, Jon Radel wrote:
> On 10/4/15 7:15 PM, Adam Vande More wrote:
>> You haven't demonstrated IPv6 doesn't work.  You've only demonstrated
>> name resolution on an IPv6 jail doesn't work.

OK. I can make a DNS lookup but get the same error message as in my
original mail:

> root@ipv6only:~ # drill google.com AAAA
> ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 61714
> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
> ;; QUESTION SECTION:
> ;; google.com.  IN      AAAA
> 
> ;; ANSWER SECTION:
> google.com.     139     IN      AAAA    2a00:1450:4001:801::1006
> 
> ;; AUTHORITY SECTION:
> 
> ;; ADDITIONAL SECTION:
> 
> ;; Query time: 0 msec
> ;; SERVER: 2a01:4f8:0:a111::add:9898
> ;; WHEN: Mon Oct  5 07:34:06 2015
> ;; MSG SIZE  rcvd: 56
> root@ipv6only:~ # telnet google.com 80
> google.com: hostname nor servname provided, or not known

But, you're right, my IPv6 connectivity actually works:

> root@ipv6only:~ # telnet -6 2a00:1450:4001:801::1006 80
> Trying 2a00:1450:4001:801::1006...
> Connected to 2a00:1450:4001:801::1006.
> Escape character is '^]'

Now to the /etc/resolv.conf as mentioned by Jon:

> To expand on Adam's observation, I use an IPv6-only (well it does have
> an IPv4 loopback address) jail on an otherwise dual-stacked machine,
> using ezjail and it works fine.  Of course
> 
> root@mns:~ # cat /etc/resolv.conf
> search radel.com
> nameserver 2001:4830:1707:5237::10:1
> nameserver 2001:470:880a:5237::7:1
> options edns0 timeout:1
> root@mns:~ #

My resolv.conf in every jail:

> root@ipv6only:~ # cat /etc/resolv.conf
> search financecomm.com
> nameserver 213.133.98.98
> nameserver 213.133.99.99
> nameserver 213.133.100.100
> nameserver 2a01:4f8:0:a0a1::add:1010
> nameserver 2a01:4f8:0:a102::add:9999
> nameserver 2a01:4f8:0:a111::add:9898

So, as you can see, I also have IPv4 and IPv6 nameservers in my resolv.conf.

> I don't bother mentioning ipv4 resolvers in resolv.conf, but the end
> result is that the test you were trying works fine:
> 
> root@mns:~ # telnet google.com 80
> Trying 2607:f8b0:4004:807::1006...
> Connected to google.com.
> Escape character is '^]'.
> blort
> HTTP/1.0 400 Bad Request
> <snip>

As in my original email, the above test I cannot confirm.

Mentioning /etc/resolv.conf made me try something else: I removed the
IPv4 nameservers in it:

> root@ipv6only:~ # cat /etc/resolv.conf
> search financecomm.com
> nameserver 2a01:4f8:0:a0a1::add:1010
> nameserver 2a01:4f8:0:a102::add:9999
> nameserver 2a01:4f8:0:a111::add:9898

And now my test works:

> root@ipv6only:~ # telnet google.com 80
> Trying 2a00:1450:4001:80d::100e...
> Connected to google.com.
> Escape character is '^]'

Thus it seems that, in an IPv6 only jail, I may not list IPv4
nameservers in /etc/resolv.conf because otherwise I get the weird error
that it cannot resolve the hostname although it actually can? Is that
intended?

Probably I'm missing something.

-- 
Niklaas
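
A small check for the situation described in the message above, as an added example that is not part of the original post: it lists the nameserver entries in a resolv.conf whose address family the jail has no address for. The function names and the way the available families are passed in are assumptions of this example; the sample file reuses the resolv.conf shown in the post.

```shell
#!/bin/sh
# Added example (not from the thread): flag resolv.conf nameservers whose
# address family is not available in the jail.

# Print 6 for an IPv6 literal (contains a colon), 4 for a dotted IPv4 literal.
addr_family() {
    case "$1" in
        *:*) echo 6 ;;
        *.*) echo 4 ;;
        *)   echo unknown ;;
    esac
}

# unreachable_nameservers FILE FAMILIES
# FAMILIES is the set of families the jail has addresses for: "6", "4" or "4 6".
# Prints each nameserver address in FILE whose family is not in FAMILIES.
unreachable_nameservers() {
    file=$1
    families=$2
    while read -r keyword addr _rest || [ -n "$keyword" ]; do
        [ "$keyword" = nameserver ] || continue
        fam=$(addr_family "$addr")
        case " $families " in
            *" $fam "*) ;;              # family available, nothing to report
            *) echo "$addr" ;;          # no address of this family in the jail
        esac
    done < "$file"
}

# Demo on a constructed file that reuses the resolv.conf quoted in the post.
# On a real IPv6-only jail: unreachable_nameservers /etc/resolv.conf "6"
sample=$(mktemp)
cat > "$sample" <<'EOF'
search financecomm.com
nameserver 213.133.98.98
nameserver 213.133.99.99
nameserver 213.133.100.100
nameserver 2a01:4f8:0:a0a1::add:1010
nameserver 2a01:4f8:0:a102::add:9999
nameserver 2a01:4f8:0:a111::add:9898
EOF
echo "Nameservers an IPv6-only jail has no address family for:"
unreachable_nameservers "$sample" "6"
rm -f "$sample"
```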

