Re: BIND in jail problem
Hi, responding to my own mail with a solution:

If you spell right resolv and not reslov everything works.

[r...@ippbx1 ~]# mv /etc/reslov.conf /etc/resolv.conf
[r...@ippbx1 ~]# host ippbx1
ippbx1.kalmar.se has address 172.16.101.3

Working with bash helps you spell. ;-)

> Hi
>
> I'm trying to use BIND inside a jail and have passed the chroot problem and have a running named without chroot.
>
> The problem is that the jail does not have the address 127.0.0.1 or does not use the info in resolv.conf. When I use the host command I get:
>
> [r...@ippbx1 ~]# host ippbx1
> ;; reply from unexpected source: 172.16.101.3#53, expected 127.0.0.1#53
>
> /etc/resolv.conf
> domain kalmar.se
> search kalmar.se
> nameserver 127.0.0.1
>
> tcpdump:
> 21:33:49.569332 IP (tos 0x0, ttl 64, id 31390, offset 0, flags [none], proto UDP (17), length 52)
>     172.16.101.3.62278 > 172.16.101.3.53: 28477+ A? ippbx1. (24)
> 21:33:49.569890 IP (tos 0x0, ttl 64, id 31393, offset 0, flags [none], proto UDP (17), length 52)
>     172.16.101.3.53 > 172.16.101.3.62278: 28477 ServFail 0/0/0 (24)
>
> As you can see the destination address is 172.16.101.3 despite the name server address in resolv.conf. The host command does not add the domain as it should and sends the query as A? ippbx1 instead of A? ippbx1.kalmar.se. The host command expects to get an answer from 127.0.0.1.
>
> Changing the nameserver address in resolv.conf to 172.16.101.3 does not change anything. Using the FQDN does not help because it's still the wrong expected address.
>
> The only thing that works is: host ippbx1.kalmar.se 172.16.101.3.
>
> Using ping gives a different picture:
>
> [r...@ippbx1 ~]# ping ippbx1
> ping: cannot resolve ippbx1: Host name lookup failure
>
> /etc/resolv.conf
> domain kalmar.se
> search kalmar.se
> nameserver 172.16.101.3
>
> tcpdump:
> 21:47:39.143152 IP (tos 0x0, ttl 64, id 31817, offset 0, flags [none], proto UDP (17), length 62)
>     172.16.101.3.60878 > 127.0.0.1.53: 35805+ A? ippbx1.kalmar.se. (34)
> 21:47:39.143165 IP (tos 0x0, ttl 64, id 31818, offset 0, flags [none], proto ICMP (1), length 56)
>     127.0.0.1 > 172.16.101.3: ICMP 127.0.0.1 udp port 53 unreachable, length 36
>
> ping does add the domain to the query but does not read the address from resolv.conf and sends the query to 127.0.0.1. And 127.0.0.1 is the host 0 machine and does not run BIND.
>
> uname -a
> FreeBSD ippbx1.kalmar.se 7.1-RELEASE FreeBSD 7.1-RELEASE #0
>
> named -v
> BIND 9.4.2-P2
>
> named.conf:
> zone kalmar.se{
>     type master;
>     file master/kalmar;
> };
> zone 101.16.172.in-addr.arpa {
>     type master;
>     file master/kalmar.rev;
> };
>
> zone file kalmar:
> $TTL 3h
> @ SOA ippbx1.kalmar.se. root.ippbx1.kalmar.se. 42 1d 12h 1w 3h
>         ; Serial, Refresh, Retry, Expire, Neg. cache TTL
>         IN NS ippbx1.kalmar.se.
> ippbx1  IN A 172.16.101.3
>
> zone file kalmar.rev:
> $TTL 3h
> @ SOA ippbx1.kalmar.se. root.ippbx1.kalmar.se. 42 1d 12h 1w 3h
>         ; Serial, Refresh, Retry, Expire, Neg. cache TTL
>         IN NS ippbx1.kalmar.se.
> 3       IN PTR ippbx1.kalmar.se.
>
> Why do I want to run BIND inside a jail? Well, I'm building an IP-PBX lab and want to run six autonomous jails with DNS, DHCP, NTP and Asterisk inside. DHCP and Asterisk work but DNS is vital for the lab.
>
> BR
> Anders H

___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to freebsd-jail-unsubscr...@freebsd.org

Re: BIND in jail problem
On Sat, 14 Feb 2009, Anders Hagman wrote:

Hi,

I am inclined to say that something is not right with your setup and I am not able to reproduce any of the symptoms on 7-STABLE pre-jail-MFC but that's not going to help. Those named inside jail things come up regularly and either end without any results as people stop to reply or a pilot error quickly identified.

It might be hard to resolve the problem in mail or might need lots of mails so I'd suggest to take your reply off-list, and we'll post a summary with the results once things are solved.

> I'm trying to use BIND inside a jail and have passed the chroot problem and have a running named without chroot.

what does netstat -an | grep '\.53' say inside your jail?

> The problem is that the jail does not have the address 127.0.0.1 or does not

that's becoming a FAQ and later jail2 man pages say:

:: All connections to/from the loopback address (127.0.0.1 for IPv4, ::1
:: for IPv6) will be changed to be to/from the primary address of the jail
:: for the given address family.

so for your jail (I assume a stock 7.1-RELEASE) ignore the IPv6 part and the primary part as there is only one IP (which is the primary IP in that case).

> use the info in resolv.conf. When I use the host command I get:
>
> [r...@ippbx1 ~]# host ippbx1
> ;; reply from unexpected source: 172.16.101.3#53, expected 127.0.0.1#53
>
> /etc/resolv.conf
> domain kalmar.se
> search kalmar.se

man resolv.conf says:

:: The domain and search keywords are mutually exclusive. If more than one
:: instance of these keywords is present, the last instance will override.

so you can remove the domain line.

> nameserver 127.0.0.1
>
> tcpdump:
> 21:33:49.569332 IP (tos 0x0, ttl 64, id 31390, offset 0, flags [none], proto UDP (17), length 52)
>     172.16.101.3.62278 > 172.16.101.3.53: 28477+ A? ippbx1. (24)
> 21:33:49.569890 IP (tos 0x0, ttl 64, id 31393, offset 0, flags [none], proto UDP (17), length 52)
>     172.16.101.3.53 > 172.16.101.3.62278: 28477 ServFail 0/0/0 (24)

This looks fine from the IP point of view as if 172.16.101.3 is our jail IP is correct.

> As you can see the destination address is 172.16.101.3 despite the name server address in resolv.conf. The host command does not add the domain as it should and sends the query as A? ippbx1 instead of A? ippbx1.kalmar.se. The host command expects to get an answer from 127.0.0.1.

I am not yet sure where this comes from but if that's really a problem change it to nameserver 172.16.101.3 as this is what it is effectively anyway.

> Changing the nameserver address in resolv.conf to 172.16.101.3 does not change anything. Using the FQDN does not help because it's still the wrong expected address.

Now that does not make any sense. You changed the IP but it is still reporting the reply from unexpected source: ... expected ..?

> The only thing that works is: host ippbx1.kalmar.se 172.16.101.3.
>
> Using ping gives a different picture:

You enabled raw sockets for jails?

> [r...@ippbx1 ~]# ping ippbx1
> ping: cannot resolve ippbx1: Host name lookup failure
>
> /etc/resolv.conf
> domain kalmar.se
> search kalmar.se
> nameserver 172.16.101.3
>
> tcpdump:
> 21:47:39.143152 IP (tos 0x0, ttl 64, id 31817, offset 0, flags [none], proto UDP (17), length 62)
>     172.16.101.3.60878 > 127.0.0.1.53: 35805+ A? ippbx1.kalmar.se. (34)
> 21:47:39.143165 IP (tos 0x0, ttl 64, id 31818, offset 0, flags [none], proto ICMP (1), length 56)
>     127.0.0.1 > 172.16.101.3: ICMP 127.0.0.1 udp port 53 unreachable, length 36
>
> ping does add the domain to the query but does not read the address from resolv.conf and sends the query to 127.0.0.1. And 127.0.0.1 is the host 0 machine and does not run BIND.

I start wondering if you are editing the correct resolv.conf inside the correct jail and run your commands inside the same jail?

/bz

-- 
Bjoern A. Zeeb      The greatest risk is not taking one.
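
A resolver-config check for the three points raised in this thread (a misnamed resolv.conf, domain together with search, and a loopback nameserver inside a jail), as an added example that is not part of the original mails. The function name lint_resolver and its output labels are hypothetical; the sample files are constructed from the values quoted above.

```sh
#!/bin/sh
# lint_resolver ETC_DIR JAIL_IP  (hypothetical helper, not from the thread)
# Prints one finding per line; the return status is the number of findings.
lint_resolver() {
    etc=$1; jail_ip=$2; n=0
    conf="$etc/resolv.conf"
    if [ ! -f "$conf" ]; then
        # resolv.conf(5): with no file, the name server on the local host is used.
        echo "MISSING: $conf not found, resolver falls back to the local host"
        n=$((n + 1))
        # Near-miss names such as reslov.conf or resolve.conf.
        for f in "$etc"/res*.conf; do
            [ -f "$f" ] || continue
            echo "SUSPECT: $f looks like a misnamed resolv.conf"
            n=$((n + 1))
        done
        return "$n"
    fi
    # domain and search are mutually exclusive; the last instance wins.
    kw=$(awk '$1 == "domain" || $1 == "search" { print $1 }' "$conf")
    if [ "$(printf '%s\n' "$kw" | sort -u | grep -c .)" -gt 1 ]; then
        last=$(printf '%s\n' "$kw" | tail -n 1)
        echo "OVERRIDE: domain and search both set, only the last ($last) is used"
        n=$((n + 1))
    fi
    ns=$(awk '$1 == "nameserver" { print $2 }' "$conf")
    if [ -z "$ns" ]; then echo "DEFAULT: no nameserver line, local host is used"; n=$((n + 1)); fi
    for a in $ns; do
        case $a in
            127.*|::1)
                # Inside a jail, loopback traffic is changed to the jail's primary address.
                echo "LOOPBACK: nameserver $a becomes $jail_ip inside the jail, replies come from $jail_ip"
                n=$((n + 1)) ;;
        esac
    done
    return "$n"
}

# Constructed demo: a jail /etc holding the misspelled file from the thread.
demo=$(mktemp -d)
printf 'domain kalmar.se\nsearch kalmar.se\nnameserver 127.0.0.1\n' > "$demo/reslov.conf"
lint_resolver "$demo" 172.16.101.3 || true
mv "$demo/reslov.conf" "$demo/resolv.conf"
lint_resolver "$demo" 172.16.101.3 || true
rm -rf "$demo"
```

Run it against the jail's own /etc (from inside the jail, or with the jail root prefixed on the host) so the file being checked is the one the jailed resolver actually reads.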