FreeBSD jails, dns and ping

James B. Byrne byrnejb at
Tue Feb 6 16:18:07 UTC 2018

On Mon, February 5, 2018 18:07, Adam Vande More wrote:
> On Mon, Feb 5, 2018 at 3:56 PM, James B. Byrne <byrnejb at>
> wrote:
>> On Mon, February 5, 2018 16:38, Adam Vande More wrote:
>> > On Mon, Feb 5, 2018 at 3:18 PM, James B. Byrne via
>> freebsd-questions <
>> > freebsd-questions at> wrote:
>> >
>> >> Can anyone explain what is causing this particular inconsistency?
>> >> Unbound can resolve the address but ping cannot?
>> >>
>> >
>> > What is inconsistent about that? Just because something has a
>> valid DNS entry doesn't imply it will respond to ping.
>> What is inconsistent is that ping will not resolve the address but
>> drill will. The only nameserver defined in /etc/resolv.conf is
>>  We never get to the point of determining if the target
>> replies to the ping.
>> >
>> > Also pkg uses SRV records, it's been discussed here before.
>> >
>> happens to be the domain that I used to test whether
>> or not ping could resolve.  I get the same results irrespective of
>> the domain used.
> You have included a trailing . in the ping command.

The presence or absence of the trailing dot does not change the
behaviour.  And if it did then it would be a bug since . is the root
DNS entry. It is simply a programming convention to ignore its absence
since it must be present in all fully qualified domain names and,
outside of zone files, is effectively a constant value.

[root at hll107 ~]# ping
ping: cannot resolve Host name lookup failure

[root at hll107 ~]# drill

;; ANSWER SECTION:
3235    IN      A
3235    IN      A

;; AUTHORITY SECTION:
109408  IN      NS
109408  IN      NS
109408  IN      NS
109408  IN      NS
109408  IN      NS
109408  IN      NS

;; ADDITIONAL SECTION:
103180  IN      A
103180  IN      AAAA    2620:100:9000:1::d0
103180  IN      A
103180  IN      AAAA    2620:100:9004:1::d0
103180  IN      A
103180  IN      AAAA    2001:502:f3ff::87

;; Query time: 0 msec
;; WHEN: Tue Feb  6 10:09:44 2018
;; MSG SIZE  rcvd: 370

[root at hll107 ~]#


[root at inet19 ~]# ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=53 time=51.918 ms

[root at inet19 ~]# ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=53 time=51.988 ms

The problem is with the jail setup.  Specifically, with
/etc/resolv.conf.  I created another jail on the same host and it did
not exhibit this problem.  I then destroyed hll107 and recreated it. 
I ran service local_unbound onestart from hll107's console which built
the default setup configuration. I then tried to ping an outside
address.  It worked.

The next step I took revealed the source of the problem but not its
cause.  We host our own delegated DNS. When I configured
/etc/resolv.conf on hll107 to this:


The problem returned.

If instead I configured hll107:/etc/resolv.conf to this:


Then ping worked on hll107.  The ip_addr is configured on
the host system as lo2:

# Cloned i/f and assigned ipv4 addr for jails
cloned_interfaces="lo1 lo2 lo3"   # For shared jail configuration

And the jail network is configured like this:

export jail_hll107_hostname=""
export jail_hll107_ip="lo2|,vtnet0|"

Note that local_unbound worked with both resolv.conf settings.  But
both ping and pkg gave me grief with the first and worked with the

My understanding, admittedly perfunctory, has been that one is
SUPPOSED to use inside a jail wherever the standard loopback
address is required. And that the jail system takes care of remapping to whatever address is assigned to the loopback interface
that the jail is configured to use.

What have I misunderstood?  Had I misconfigured something that is
documented otherwise than what I had done?

***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at
Harte & Lyne Limited
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
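
The loopback remapping described in the message above, as an added example that is not part of the original post: a small Python model of the rule that a non-VNET jail which does not hold 127.0.0.1 has that destination rewritten to its first IPv4 address, applied to each `nameserver` line of a resolv.conf. The addresses, the sample resolv.conf and the function names are constructed for illustration, since the post's own addresses do not appear on the page.

```python
import ipaddress

LOOPBACK4 = ipaddress.ip_address("127.0.0.1")

def parse_jail_ips(spec):
    """Parse an 'iface|addr,iface|addr' jail IP list into (iface, address) pairs."""
    pairs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        iface, _, addr = item.rpartition("|")      # the interface prefix is optional
        pairs.append((iface or None, ipaddress.ip_address(addr.split("/")[0])))
    return pairs

def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf text, in file order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(ipaddress.ip_address(fields[1]))
    return servers

def effective_destination(dst, jail_ips):
    """Model the jail rewrite: 127.0.0.1 becomes the jail's first IPv4 address
    unless the jail itself holds 127.0.0.1. Other destinations are unchanged."""
    v4 = [addr for _, addr in jail_ips if addr.version == 4]
    if dst == LOOPBACK4 and v4 and LOOPBACK4 not in v4:
        return v4[0]
    return dst

def audit(resolv_conf_text, jail_ip_spec):
    """For each nameserver, report where queries from inside the jail really go."""
    jail_ips = parse_jail_ips(jail_ip_spec)
    owned = {addr for _, addr in jail_ips}
    rows = []
    for ns in parse_nameservers(resolv_conf_text):
        eff = effective_destination(ns, jail_ips)
        rows.append({"nameserver": str(ns), "effective": str(eff),
                     "rewritten": eff != ns, "inside_jail": eff in owned})
    return rows

if __name__ == "__main__":
    # Constructed sample: cloned loopback address first, external interface second.
    sample_spec = "lo2|10.0.2.107,vtnet0|192.0.2.107"
    sample_conf = "# constructed example\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n"
    for row in audit(sample_conf, sample_spec):
        print(row)
```

The same rewrite applies when a jailed daemon binds 127.0.0.1, so the order of the addresses in the jail's IP list decides which interface a "loopback-only" resolver is actually reachable on.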
