FreeBSD jails, dns and ping

James B. Byrne byrnejb at harte-lyne.ca
Tue Feb 6 16:18:07 UTC 2018


On Mon, February 5, 2018 18:07, Adam Vande More wrote:
> On Mon, Feb 5, 2018 at 3:56 PM, James B. Byrne <byrnejb at harte-lyne.ca>
> wrote:
>
>>
>> On Mon, February 5, 2018 16:38, Adam Vande More wrote:
>> > On Mon, Feb 5, 2018 at 3:18 PM, James B. Byrne via
>> freebsd-questions <
>> > freebsd-questions at freebsd.org> wrote:
>> >
>> >> Can anyone explain what is causing this particular inconsistency?
>> >> Unbound can resolve the address but ping cannot?
>> >>
>> >
>> > What is inconsistent about that? Just because something has a
>> valid DNS entry doesn't imply it will respond to ping.
>>
>> What is inconsistent is that ping will not resolve the address but
>> drill will. The only nameserver defined in /etc/resolv.conf is
>> 127.0.0.1.  We never get to the point of determining if the target
>> replies to the ping.
>>
>> >
>> > Also pkg uses SRV records, it's been discussed here before.
>> >
>>
>> pkg.freebsd.org happens to be the domain that I used to test whether
>> or not ping could resolve.  I get the same results irrespective of
>> the domain used.
>>
>
> You have included a trailing . in the ping command.
>

The presence or absence of the trailing dot does not change the
behaviour.  And if it did then it would be a bug since . is the root
DNS entry. It is simply a programming convention to ignore its absence
since it must be present in all fully qualified domain names and,
outside of zone files, is effectively a constant value.

[root at hll107 ~]# ping sendmail.com
ping: cannot resolve sendmail.com: Host name lookup failure

[root at hll107 ~]# drill sendmail.com

;; ANSWER SECTION:
sendmail.com.   3235    IN      A       192.230.74.135
sendmail.com.   3235    IN      A       192.230.66.135

;; AUTHORITY SECTION:
sendmail.com.   109408  IN      NS      pdns99.ultradns.biz.
sendmail.com.   109408  IN      NS      pdns99.ultradns.org.
sendmail.com.   109408  IN      NS      ns1.proofpoint.com.
sendmail.com.   109408  IN      NS      pdns99.ultradns.net.
sendmail.com.   109408  IN      NS      ns3.proofpoint.com.
sendmail.com.   109408  IN      NS      pdns99.ultradns.com.

;; ADDITIONAL SECTION:
ns1.proofpoint.com.     103180  IN      A       208.84.67.208
ns1.proofpoint.com.     103180  IN      AAAA    2620:100:9000:1::d0
ns3.proofpoint.com.     103180  IN      A       208.84.66.208
ns3.proofpoint.com.     103180  IN      AAAA    2620:100:9004:1::d0
pdns99.ultradns.com.    103180  IN      A       156.154.64.99
pdns99.ultradns.com.    103180  IN      AAAA    2001:502:f3ff::87

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Tue Feb  6 10:09:44 2018
;; MSG SIZE  rcvd: 370

[root at hll107 ~]#


QED

[root at inet19 ~]# ping sendmail.com
PING sendmail.com (192.230.66.135): 56 data bytes
64 bytes from 192.230.66.135: icmp_seq=0 ttl=53 time=51.918 ms

[root at inet19 ~]# ping sendmail.com.
PING sendmail.com (192.230.66.135): 56 data bytes
64 bytes from 192.230.66.135: icmp_seq=0 ttl=53 time=51.988 ms

The problem is with the jail setup.  Specifically, with
/etc/resolv.conf.  I created another jail on the same host and it did
not exhibit this problem.  I then destroyed hll107 and recreated it.
I ran service local_unbound onestart from hll107's console which built
the default setup configuration. I then tried to ping an outside
address.  It worked.

The next step I took revealed the source of the problem but not its
cause.  We host our own delegated DNS. When I configured
/etc/resolv.conf on hll107 to this:

search hamilton.harte-lyne.ca harte-lyne.ca
nameserver 127.0.0.1

The problem returned.

If instead I configured hll107:/etc/resolv.conf to this:

search hamilton.harte-lyne.ca harte-lyne.ca
nameserver 127.0.107.1

Then ping worked on hll107.  The ip_addr 127.0.107.1 is configured on
the host system as lo2:

# Cloned i/f and assigned ipv4 addr for jails
cloned_interfaces="lo1 lo2 lo3"   # For shared jail configuration
ipv4_addrs_lo1="127.0.100.1/32"
ipv4_addrs_lo2="127.0.107.1/32"
ipv4_addrs_lo3="127.0.109.1/32"

And the jail network is configured like this:

export jail_hll107_hostname="hll107.hamilton.harte-lyne.ca"
export jail_hll107_ip="lo2|127.0.107.1,vtnet0|192.168.216.107"

Note that local_unbound worked with both resolv.conf settings.  But
both ping and pkg gave me grief with the first and worked with the
second.

My understanding, admittedly perfunctory, has been that one is
SUPPOSED to use 127.0.0.1 inside a jail wherever the standard loopback
address is required. And that the jail system takes care of remapping
127.0.0.1 to whatever address is assigned to the loopback interface
that the jail is configured to use.

What have I misunderstood?  Had I misconfigured something that is
documented otherwise than what I had done?

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
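An added check (not from the thread or from FreeBSD itself) that lints a jail's resolv.conf against the addresses in its jail_*_ip string, encoding the thread's observation that resolution worked only when the nameserver was literally one of the jail's own addresses (127.0.107.1 on lo2) and not 127.0.0.1. The jail_ip string, both resolv.conf variants and the function names are constructed from the values quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread: compare the nameserver lines
# of a jail's resolv.conf with the addresses the jail is configured with.
# The check requires an exact match and, on a miss, proposes the jail's
# loopback alias (the setting that worked for hll107 in the thread).
# All inputs are constructed from the values quoted in the thread.

# jail_addrs "lo2|127.0.107.1,vtnet0|192.168.216.107" -> one "iface addr" per line
jail_addrs() {
    printf '%s\n' "$1" | tr ',' '\n' | tr '|' ' '
}

# First address assigned to a cloned loopback (lo1, lo2, ...), or empty.
jail_lo_addr() {
    jail_addrs "$1" | awk '$1 ~ /^lo[0-9]*$/ { print $2; exit }'
}

# check_resolv "<resolv.conf text>" "<jail_ip string>"
# Prints "ok ADDR" or "fix ADDR -> SUGGESTION" for every nameserver line.
# Exit status 0 when every nameserver is one of the jail's addresses, 1 otherwise.
check_resolv() {
    rc=0
    lo=$(jail_lo_addr "$2")
    for ns in $(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'); do
        if jail_addrs "$2" | awk -v a="$ns" '$2 == a { hit = 1 } END { exit !hit }'; then
            echo "ok $ns"
        else
            echo "fix $ns -> ${lo:-<no loopback alias configured>}"
            rc=1
        fi
    done
    return $rc
}

# Usage on the two resolv.conf variants from the thread (constructed inline):
JAIL_IP="lo2|127.0.107.1,vtnet0|192.168.216.107"
BAD="search hamilton.harte-lyne.ca harte-lyne.ca
nameserver 127.0.0.1"
GOOD="search hamilton.harte-lyne.ca harte-lyne.ca
nameserver 127.0.107.1"
check_resolv "$BAD" "$JAIL_IP" || echo "resolv.conf needs attention"
check_resolv "$GOOD" "$JAIL_IP"
```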


