FreeBSD-11.1 Jails and SSL

James B. Byrne byrnejb at harte-lyne.ca
Fri Jul 20 14:12:51 UTC 2018


On Fri, July 20, 2018 03:28, Per olof Ljungmark wrote:
> On 07/19/18 22:52, James B. Byrne via freebsd-questions wrote:
>>
>> On Thu, July 19, 2018 16:38, Philipp Vlassakakis wrote:
>>>
>>>> Am 19.07.2018 um 22:29 schrieb James B. Byrne
>>>> <byrnejb at harte-lyne.ca>:
>>>>
>>>> UseDNS=YES in /etc/ssh/sshd_config
>>>
>>> Does the problem persist, if you disable this option?
>>>
>>
>> No, it does not persist.  Logons are now as fast as with any other
>> host.  Why is UseDNS=YES (the default setting) a problem inside a
>> jail and nowhere else?
>>
>
> It is a "problem" in all setups where UseDNS=YES is defined and DNS
> for the host is not configured, not only in jails.
>
> It could be for example your jailed host's /etc/resolv.conf or your DNS
> zone.
>

The 'problem' was this:

# service local_unbound status
local_unbound is running as pid 27026.

# cat /etc/resolv.conf
search hamilton.harte-lyne.ca harte-lyne.ca
nameserver 127.0.0.1
nameserver 216.185.71.33
nameserver 216.185.71.34
options edns0 timeout:5 attempts:3

Delay and timeouts encountered with DNS resolution.

The first 'solution' was this:

# cat /etc/resolv.conf
search hamilton.harte-lyne.ca harte-lyne.ca
#nameserver 127.0.0.1
nameserver 216.185.71.33
nameserver 216.185.71.34
options edns0 timeout:5 attempts:3

No delay or timeouts with DNS resolution

The second solution was this:

# cat /etc/resolv.conf
search hamilton.harte-lyne.ca harte-lyne.ca
#nameserver 127.0.0.1
nameserver 127.0.31.1
nameserver 216.185.71.33
nameserver 216.185.71.34
options edns0 timeout:5 attempts:3

No delay or timeouts with DNS resolution

Where 127.0.31.1 is the address assigned to the cloned loopback
interface of the jail in question.  Evidently the system resolver does
not follow the jail convention that 127.0.0.1 is remapped to whatever
ip-addr is assigned to the jail's lo.

I seem to recall having run into this before but I had forgotten about
it, if indeed my dim recollection is correct.

The lesson is simple: if, on a jail, one uses a resolver configuration
file that includes the localhost then one MUST make sure that the
loopback address used is that actually assigned to the 'lo' interface.

Postfix and amavisd have similar issues when run in jails.  The 
'inet_interfaces' directive in Postfix MUST use the actual addresses
assigned to the loopback interface and amavisd MUST have '@inet_acl'
adjusted in /usr/local/etc/amavisd.conf to allow that specific
ip-addr.

Thanks for the help.

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
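As an added example (not from the thread, nor part of FreeBSD's own tooling), a POSIX sh check for the lesson above: it reads a jail's resolv.conf and reports any nameserver in 127.0.0.0/8 that is not among the addresses assigned to that jail. The jail's addresses are supplied as arguments (an assumption; on a real host they would be read from the jail configuration).

```shell
#!/bin/sh
# Added example, not from the thread: flag loopback nameservers in a jail's
# resolv.conf that are not addresses actually assigned to that jail. The
# jail's addresses are passed as arguments (assumption; on a live system
# they would come from something like `jls -j "$jail" ip4.addr`).

# is_loopback ADDR -> exit 0 if ADDR lies in 127.0.0.0/8
is_loopback() {
    case "$1" in
        127.*) return 0 ;;
        *) return 1 ;;
    esac
}

# in_list ADDR LIST... -> exit 0 if ADDR is one of the remaining arguments
in_list() {
    _needle=$1; shift
    for _a in "$@"; do
        [ "$_a" = "$_needle" ] && return 0
    done
    return 1
}

# check_resolv FILE JAIL_ADDR... -> prints each loopback nameserver that is
# not assigned to the jail; exit 1 if any were found, 0 otherwise.
check_resolv() {
    _file=$1; shift
    _bad=0
    # Only active 'nameserver' lines count; '#'-commented lines are skipped.
    while read -r _kw _addr _rest; do
        [ "$_kw" = "nameserver" ] || continue
        is_loopback "$_addr" || continue
        if ! in_list "$_addr" "$@"; then
            echo "nameserver $_addr: loopback address not assigned to this jail"
            _bad=1
        fi
    done < "$_file"
    return $_bad
}

# Constructed sample: the thread's original resolv.conf, checked against a
# jail whose cloned lo carries 127.0.31.1 (the address quoted in the thread).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
search hamilton.harte-lyne.ca harte-lyne.ca
nameserver 127.0.0.1
nameserver 216.185.71.33
options edns0 timeout:5 attempts:3
EOF
check_resolv "$SAMPLE" 127.0.31.1 216.185.71.33 || echo "resolv.conf needs fixing"
```

Run against the thread's second resolv.conf (127.0.0.1 commented out, 127.0.31.1 added) the check passes; against the first it reports the 127.0.0.1 entry.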