DNS with host works, but not with mysql or ping

Michael Beasley youvegotmoxie at gmail.com
Mon Feb 29 18:35:28 UTC 2016



On 02/29/2016 01:10 PM, Sergei G wrote:
> It appears that host is suffering from the same problem:
>
> host yahoo.com
> yahoo.com has address 206.190.36.45
> yahoo.com has address 98.138.253.109
> yahoo.com has address 98.139.183.24
> yahoo.com has IPv6 address 2001:4998:44:204::a7
> yahoo.com has IPv6 address 2001:4998:58:c02::a9
> yahoo.com has IPv6 address 2001:4998:c:a06::2:4008
> yahoo.com mail is handled by 1 mta7.am0.yahoodns.net.
> yahoo.com mail is handled by 1 mta6.am0.yahoodns.net.
> yahoo.com mail is handled by 1 mta5.am0.yahoodns.net.
>
>
> fetch  http://206.190.36.45  (yahoo)
> times out
>
>
> On Mon, Feb 29, 2016 at 9:57 AM, Sergei G <sergeig.public at gmail.com> wrote:
>
>> If I use host command to resolve name to IP, then I get a correct IP.
>>
>> If I use ping, mysql, fetch commands, then DNS fails to resolve.  I can't
>> quite figure out what the difference is.
>>
>> Jailed machine configuration:
>>
>> 1) issue is inside jailed system
>> 2) /etc/resolv.conf points to host's machine with nameserver 10.0.1.10
>>
>> Host machine:
>> 1) runs firewall
>> 2) runs local_unbind on all 53 ports
>> 3) runs nsd for private network on 1053 port.
>>
>> I am quite confused ATM.
>>
>> pfctl -sr   Output on the host:
>>
>> No ALTQ support in kernel
>> ALTQ related functions disabled
>> scrub in all fragment reassemble
>> block drop in log on bce0 all
>> block return in log on bce0 proto tcp from any to any port = ssh
>> block drop in log (to pflog1) quick on bce0 proto tcp from any to any port
>> = mdns
>> block drop in log (to pflog1) quick on bce0 proto tcp from any to any port
>> = 17500
>> block drop in log (to pflog1) quick on bce0 proto udp from any to any port
>> = mdns
>> block drop in log (to pflog1) quick on bce0 proto udp from any to any port
>> = 17500
>> block drop in quick on bce0 proto udp from any to any port = netbios-ns
>> block drop in quick on bce0 proto udp from any to any port = netbios-dgm
>> block drop in quick on bce0 proto udp from any to any port = 1900
>> block drop in quick on bce0 proto udp from any to any port = sunrpc
>> block drop in quick on bce0 proto tcp from any to any port = commplex-main
>> block drop in log (to pflog1) quick on bce0 proto igmp all
>> block drop in quick on bce0 inet proto udp from 0.0.0.0 port = bootpc to
>> any port = bootps
>> pass in quick on bce0 inet proto udp from 10.0.1.1 port = bootps to any
>> port = bootpc keep state
>> pass out quick on bce0 inet proto udp from any port = bootpc to 10.0.1.1
>> port = bootps keep state
>> block drop in log (to pflog1) quick on bce0 inet6 all
>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port =
>> domain flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port =
>> ssh flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 10.0.1.10
>> port = domain flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from any to 10.0.1.10 port = http
>> flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from any to 10.0.1.10 port = https
>> flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from any to 10.0.1.10 port = auth
>> flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 198.182.9.1 to 10.0.1.10 port =
>> ssh flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.101 port = 8090 to
>> 10.0.1.10 flags S/SA keep state
>> pass in quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port =
>> domain keep state
>> pass in quick on bce0 inet proto udp from 192.168.3.0/24 to 10.0.1.10
>> port = domain keep state
>> pass in quick on bce0 inet proto icmp from 10.0.1.0/24 to 10.0.1.10
>> icmp-type echoreq keep state
>> pass in log quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10
>> port = domain flags S/SA keep state
>> pass in log quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10
>> port = 1053 flags S/SA keep state
>> pass in log quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10
>> port = domain keep state
>> pass in log quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10
>> port = 1053 keep state
>> pass in log quick on lo0 inet proto tcp from 10.0.1.0/24 to 127.0.0.1
>> port = 1053 flags S/SA keep state
>> pass in log quick on lo0 inet proto udp from 10.0.1.0/24 to 127.0.0.1
>> port = 1053 keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 192.168.3.17
>> port = imap flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 192.168.3.17
>> port = smtp flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 192.168.3.17
>> port = submission flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 192.168.3.17
>> port = imap flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 192.168.3.17
>> port = smtp flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 192.168.3.0/24 to 192.168.3.17
>> port = submission flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.11 port =
>> 9000 flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.15 port =
>> 9000 flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.22 port =
>> 9000 flags S/SA keep state
>> pass in quick on bce0 inet proto tcp from 10.0.1.10 to 192.168.3.13 port =
>> 9001 flags S/SA keep state
>> pass out quick on bce0 inet proto tcp from 10.0.1.10 to 10.0.1.101 port =
>> 8090 flags S/SA keep state
>> pass out quick on bce0 inet proto udp from any to any port = domain keep
>> state
>> pass out quick on bce0 inet proto icmp all icmp-type echoreq keep state
>> pass in on bce0 inet proto tcp from 10.0.1.0/24 to any port = ftp flags
>> S/SA keep state
>> pass in on bce0 inet proto tcp from 10.0.1.0/24 to any port > 49151 flags
>> S/SA keep state
>>
>>
Do you encounter the same issue when you specify an external resolver?  
What happens if you dig the domain from within the jailed environment?

dig yahoo.com +trace
dig yahoo.com +trace @8.8.8.8

-Mike B.
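As an added example, not from either poster, the Python below models pf's rule evaluation (last match wins, a matching `quick` rule ends evaluation, no match means pass) over a hand-picked subset of the `pfctl -sr` output quoted above, so the verdict for a DNS packet from a given jail address, interface and protocol can be checked before reaching for dig. The rule subset and the service-name table are my own selection; the model ignores state tracking and the `flags S/SA` clause.

```python
import ipaddress

SERVICES = {"domain": 53, "ssh": 22}  # service names as pfctl -sr prints them
# A subset of the pfctl -sr output quoted above, copied verbatim (the selection is mine).
RULESET = """\
block drop in log on bce0 all
pass in quick on bce0 inet proto tcp from 10.0.1.0/24 to 10.0.1.10 port = domain flags S/SA keep state
pass in quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = domain keep state
pass in log quick on lo0 inet proto udp from 10.0.1.0/24 to 127.0.0.1 port = 1053 keep state
pass out quick on bce0 inet proto udp from any to any port = domain keep state
""".splitlines()

def _endpoint(t, key):
    # Network and port after 'from'/'to'; None means unconstrained ('any' or absent).
    if key not in t:
        return None, None
    i = t.index(key)
    net = None if t[i + 1] == "any" else ipaddress.ip_network(t[i + 1], strict=False)
    port = t[i + 4] if t[i + 2:i + 4] == ["port", "="] else None
    return net, (None if port is None else int(port) if port.isdigit() else SERVICES[port])

def parse_rule(line):
    t = line.split()
    src, sport = _endpoint(t, "from")
    dst, dport = _endpoint(t, "to")
    return {"action": t[0], "quick": "quick" in t, "dir": "out" if "out" in t else "in",
            "iface": t[t.index("on") + 1] if "on" in t else None,
            "af": 6 if "inet6" in t else 4 if "inet" in t else None,
            "proto": t[t.index("proto") + 1] if "proto" in t else None,
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def matches(r, p):
    for k in ("dir", "iface", "af", "proto", "sport", "dport"):
        if r[k] is not None and r[k] != p[k]:
            return False
    return all(r[k] is None or p[k] in r[k] for k in ("src", "dst"))

def verdict(ruleset, direction, iface, proto, src, dst, dport, sport=0):
    # pf: last matching rule wins, a matching 'quick' rule stops evaluation, no match passes.
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    p = {"dir": direction, "iface": iface, "af": src.version, "proto": proto,
         "src": src, "sport": sport, "dst": dst, "dport": dport}
    result = "pass"
    for r in map(parse_rule, ruleset):
        if matches(r, p):
            result = r["action"]
            if r["quick"]:
                break
    return result
```

Run it with iface "lo0" as well as "bce0": the quoted ruleset has its own lo0 entries for 10.0.1.0/24 to 127.0.0.1 port 1053, so the path a jail's query actually takes decides which rules apply.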
