On Sat, 14 Feb 2009, Anders Hagman wrote:

Hi,

I am inclined to say that something is not right with your setup and I
am not able to reproduce any of the symptoms on 7-STABLE pre-jail-MFC
but that's not going to help.

Those named inside jail things come up regularly and either end
without any results as people stop replying or a pilot error is quickly
identified. It might be hard to resolve the problem in mail or might
need lots of mails so I'd suggest taking your reply off-list, and
we'll post a summary with the results once things are solved.


I'm trying to use BIND inside a jail and have passed the chroot
problem and have a running named without chroot.

what does netstat -an | grep '\.53' say inside your jail?


The problem is that the jail does not have the address 127.0.0.1 or does not

that's becoming a FAQ and later jail2 man pages say:

 :: All connections to/from the loopback address (127.0.0.1 for IPv4, ::1
 :: for IPv6) will be changed to be to/from the primary address of the jail
 :: for the given address family.

so for your jail (I assume a stock 7.1-RELEASE) ignore the IPv6 part
and the "primary" part as there is only one IP (which is the primary
IP in that case).


use the info in resolv.conf.

When I use the host command I get:

[r...@ippbx1 ~]# host ippbx1
;; reply from unexpected source: 172.16.101.3#53, expected 127.0.0.1#53

/etc/resolv.conf
domain kalmar.se
search kalmar.se

man resolv.conf says:

 :: The domain and search keywords are mutually exclusive.  If more than one
 :: instance of these keywords is present, the last instance will override.

so you can remove the domain line.


nameserver 127.0.0.1

tcpdump:
21:33:49.569332 IP (tos 0x0, ttl 64, id 31390, offset 0, flags [none], proto UDP (17), length 52) 172.16.101.3.62278 > 172.16.101.3.53: 28477+ A? ippbx1. (24)

21:33:49.569890 IP (tos 0x0, ttl 64, id 31393, offset 0, flags [none], proto UDP (17), length 52) 172.16.101.3.53 > 172.16.101.3.62278: 28477 ServFail 0/0/0 (24

This looks fine from the IP point of view; if 172.16.101.3 is our
jail IP, it is correct.


As you can see the destination address is 172.16.101.3 despite the name server address in resolv.conf. The host command does not add the domain as it should and sends the query as "A? ippbx1" instead of "A? ippbx1.kalmar.se". The host command expects to get an answer from 127.0.0.1.

I am not yet sure where this comes from but if that's really a problem
change it to
nameserver 172.16.101.3
as this is what it is effectively anyway.


Changing the nameserver address in resolv.conf to 172.16.101.3 does not change anything. Using the FQDN does not help because it's still the wrong expected address.

Now that does not make any sense. You changed the IP but it is still
reporting the "reply from unexpected source: ... expected .."?


The only thing that works is: host ippbx1.kalmar.se 172.16.101.3.

Using ping gives a different picture:

You enabled raw sockets for jails?


[r...@ippbx1 ~]# ping ippbx1
ping: cannot resolve ippbx1: Host name lookup failure

/etc/resolv.conf
domain kalmar.se
search kalmar.se
nameserver 172.16.101.3


tcpdump:
21:47:39.143152 IP (tos 0x0, ttl 64, id 31817, offset 0, flags [none], proto UDP (17), length 62) 172.16.101.3.60878 > 127.0.0.1.53: 35805+ A? ippbx1.kalmar.se. (34)

21:47:39.143165 IP (tos 0x0, ttl 64, id 31818, offset 0, flags [none], proto ICMP (1), length 56) 127.0.0.1 > 172.16.101.3: ICMP 127.0.0.1 udp port 53 unreachable, length 36


ping does add the domain to the query but does not read the address from resolv.conf and sends the query to 127.0.0.1. And 127.0.0.1 is the host 0 machine and does not run BIND.

I start wondering if you are editing the correct resolv.conf inside
the correct jail and running your commands inside the same jail?

/bz

--
Bjoern A. Zeeb                      The greatest risk is not taking one.
_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
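
Added example, not part of the original mail and not FreeBSD code: a small Python model of the two man page rules quoted in the message (the jail loopback rewrite and the domain/search override), showing why a client that compares the reply source with the configured nameserver prints the "unexpected source" line. The function names are hypothetical, the sample input is the resolv.conf and jail IP from the message, and the 127.0.0.1 default for a file without nameserver lines is the documented resolver default.

```python
import ipaddress


def parse_resolv_conf(text):
    """Return (search_list, nameservers) for a resolv.conf body."""
    search, servers = [], []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in "#;":
            continue
        key, args = fields[0], fields[1:]
        # domain and search are mutually exclusive: the last instance overrides.
        if key == "domain" and args:
            search = [args[0]]
        elif key == "search" and args:
            search = args
        elif key == "nameserver" and args:
            servers.append(args[0])
    # With no nameserver line the resolver falls back to the local machine.
    return search, servers or ["127.0.0.1"]


def on_wire_address(addr, jail_ip):
    """Model of the jail rule: IPv4 loopback becomes the jail's primary address."""
    ip = ipaddress.ip_address(addr)
    return jail_ip if ip.version == 4 and ip.is_loopback else addr


def diagnose(resolv_conf_text, jail_ip):
    """Predict, per configured nameserver, where queries go and what a
    source-checking client would report about the reply."""
    search, servers = parse_resolv_conf(resolv_conf_text)
    report = []
    for configured in servers:
        wire = on_wire_address(configured, jail_ip)
        message = None
        if wire != configured:
            message = (f";; reply from unexpected source: {wire}#53, "
                       f"expected {configured}#53")
        report.append({"configured": configured, "wire": wire, "message": message})
    return search, report


# Sample input taken from the message above.
SAMPLE = "domain kalmar.se\nsearch kalmar.se\nnameserver 127.0.0.1\n"

if __name__ == "__main__":
    print(diagnose(SAMPLE, "172.16.101.3"))
```

In this model, once the nameserver line holds the jail's own address the rewrite no longer changes anything and no mismatch is predicted.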
