Solved Unable to connect to BIND9 service in a Jail

[Ferocious1881]

My jail is setup by

dns0 {
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.consolelog = "/var/log/jail_console_${name}.log";

allow.raw_sockets;
exec.clean;
mount.devfs;
devfs_ruleset = 5;

path = "/jails/${name}";
host.hostname = "${name}";

$unterid = "3";
$id = "${unterid}";
$ip = "192.168.0.${unterid}/24";
$gateway = "192.168.0.1";
$bridge = "bridge0";
$epair = "epair${id}";

vnet;
vnet.interface = "${epair}b";

exec.prestart  = "/sbin/ifconfig ${epair} create up";
exec.prestart += "/sbin/ifconfig ${epair}a up descr jail:${name}";
exec.prestart += "/sbin/ifconfig ${bridge} addm ${epair}a up";
exec.prestart += "/sbin/ifconfig ${epair}a ether 02:22:22:22:22:0a";
exec.prestart += "/sbin/ifconfig ${epair}b ether 02:22:22:22:22:0b";
exec.start    += "/sbin/ifconfig ${epair}b ${ip} up";
exec.start    += "/sbin/route add default ${gateway}";
exec.poststop = "/sbin/ifconfig ${bridge} deletem ${epair}a";
exec.poststop += "/sbin/ifconfig ${epair}a destroy";
}

My bridge configuration is ifconfig bridge0 inet 192.168.0.0/24 addm em0.

After starting the jail, I ran the command sequence inside the jail

pkg install bind-tools bind918
cp named.conf /usr/local/etc/namedb/named.conf
chown bind:bind /usr/local/etc/namedb/named.conf
chmod 655 /usr/local/etc/namedb/named.conf
mkdir -p /var/named
chmod 775 /var/named/
chown bind:bind /var/named
mkdir -p /var/named/data
chown -R bind:bind /var/named/
chmod -R 664 /var/named/
chmod 775 /var/named/
chmod 775 /var/named/data
sysrc altlog_proglist+=named
service named enable
service named start
service named restart
service named reload

with named.conf containing

acl LAN {
     192.168.0.0/24;
};

acl ALLEN_LOCALHOST {
     127.0.0.1/32;
};

acl PUBLIC0 {
     192.168.0.3;
};

options {
  directory "/var/named";
  allow-recursion { LAN; localhost; };
  forwarders {
    1.1.1.1; // Cloudflare
    208.67.222.222; // OpenDNS
  };

  listen-on { PUBLIC0; localhost; };
  listen-on-v6 { none; };

  pid-file "/var/run/named/pid";

  allow-transfer port 53 { PUBLIC0; 0.0.0.0; };
  allow-query { localhost; LAN; };

  recursion yes;

  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
};

Finally when trying to access the dns service from the jail itself wit jexec 9 dig google.com @127.0.0.1 -p 53 I get the error:

;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused

; <<>> DiG 9.18.29 <<>> google.com @127.0.0.1 -p 53
;; global options: +cmd
;; no servers could be reached

Same error happens with jexec 9 dig google.com @0.0.0.0 -p 53 and jexec 9 dig google.com @192.168.0.3 -p 53
When running jexec 9 sockstat -4 -l I get the following output:

USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      11891 21  tcp4   127.0.0.1:953         *:*
bind     named      11891 22  tcp4   127.0.0.1:953         *:*
root     syslogd     8067 6   udp4   *:514                 *:*

and when running nmap 192.168.0.3 from my linux lapton in the same network I got the output:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-18 09:58 CST
Nmap scan report for 192.168.0.3
Host is up (0.0014s latency).
All 1000 scanned ports on 192.168.0.3 are in ignored states.
Not shown: 1000 closed tcp ports (reset)

Nmap done: 1 IP address (1 host up) scanned in 6.97 seconds

How solve this problem?

 

[covacat]

see bind logs, it does not listen on *:53

 

[NapoleonWils0n]

also jails dont have an lo0 network interface
had a similar issue with trying to run unbound in a jail

 

[SirDice]

listen-on { PUBLIC0; localhost; };

You don't stick an ACL in here.

 

[Ferocious1881]

see bind logs, it does not listen on *:53

My config file states explicitly that it must listen in port 53 (think so).
There is the log file from jexec 9 cat /var/log/messages

Sep 18 17:21:50 dns0 named[51469]: starting BIND 9.18.29 (Extended Support Version) <id:>
Sep 18 17:21:50 dns0 named[51469]: running on FreeBSD amd64 14.1-RELEASE FreeBSD 14.1-RELEASE releng/14.1-n267679-10e31f0946d8 GENERIC
Sep 18 17:21:50 dns0 named[51469]: built with  '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr' '--enable-dnsrps' '--with-readline=libedit' '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-querytrace' '--enable-tcp-fastopen' '--prefix=/usr/local' '--mandir=/usr/local/share/man' '--disable-silent-rules' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd14.0' 'build_alias=amd64-portbld-freebsd14.0' 'CC=cc' 'CFLAGS=-O2 -pipe  -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c  -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf' 'PKG_CONFIG_LIBDIR=/wrkdirs/usr/ports/dns/bind918/work/.pkgconfig:/usr/local/libdata/pkgconfig:/usr/local/share/pkgconfig:/usr/libdata/pkgconfig' 'PYTHON=/usr/local/bin/python3.11' 'READLINE_CFLAGS=-L/usr/local/lib'
Sep 18 17:21:50 dns0 named[51469]: running as: named -u bind -c /usr/local/etc/namedb/named.conf
Sep 18 17:21:50 dns0 named[51469]: compiled by CLANG FreeBSD Clang 16.0.6 (https://github.com/llvm/llvm-project.git llvmorg-16.0.6-0-g7cbf1a259152)
Sep 18 17:21:50 dns0 named[51469]: compiled with OpenSSL version: OpenSSL 3.0.12 24 Oct 2023
Sep 18 17:21:50 dns0 named[51469]: linked to OpenSSL version: OpenSSL 3.0.13 30 Jan 2024
Sep 18 17:21:50 dns0 named[51469]: compiled with libuv version: 1.48.0
Sep 18 17:21:50 dns0 named[51469]: linked to libuv version: 1.48.0
Sep 18 17:21:50 dns0 named[51469]: compiled with libxml2 version: 2.11.8
Sep 18 17:21:50 dns0 named[51469]: linked to libxml2 version: 21108
Sep 18 17:21:50 dns0 named[51469]: compiled with json-c version: 0.17
Sep 18 17:21:50 dns0 named[51469]: linked to json-c version: 0.17
Sep 18 17:21:50 dns0 named[51469]: compiled with zlib version: 1.3
Sep 18 17:21:50 dns0 named[51469]: linked to zlib version: 1.3.1
Sep 18 17:21:50 dns0 named[51469]: ----------------------------------------------------
Sep 18 17:21:50 dns0 named[51469]: BIND 9 is maintained by Internet Systems Consortium,
Sep 18 17:21:50 dns0 named[51469]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep 18 17:21:50 dns0 named[51469]: corporation.  Support and training for BIND 9 are
Sep 18 17:21:50 dns0 named[51469]: available at https://www.isc.org/support
Sep 18 17:21:50 dns0 named[51469]: ----------------------------------------------------
Sep 18 17:21:50 dns0 named[51469]: DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
Sep 18 17:21:50 dns0 named[51469]: DS algorithms: SHA-1 SHA-256 SHA-384
Sep 18 17:21:50 dns0 named[51469]: HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
Sep 18 17:21:50 dns0 named[51469]: TKEY mode 2 support (Diffie-Hellman): yes
Sep 18 17:21:50 dns0 named[51469]: TKEY mode 3 support (GSS-API): no
Sep 18 17:21:50 dns0 named[51469]: command channel listening on 127.0.0.1#953
Sep 18 17:21:50 dns0 named[51469]: command channel listening on ::1#953
Sep 18 17:21:50 dns0 named[51469]: all zones loaded
Sep 18 17:21:50 dns0 named[51469]: running
Sep 18 17:21:50 dns0 named[51469]: resolver priming query complete: failure
Sep 18 17:21:50 dns0 named[51469]: managed-keys-zone: Unable to fetch DNSKEY set '.': failure
Sep 18 17:21:50 dns0 named[51469]: creating IPv4 interface lo0 failed; interface ignored

 

[Ferocious1881]

And trying to run jexec 9 dig google.com -p 953 @localhost also gives me the same error

;; communications error to 127.0.0.1#953: connection refused
;; communications error to 127.0.0.1#953: connection refused
;; communications error to 127.0.0.1#953: connection refused

; <<>> DiG 9.18.29 <<>> google.com -p 953 @localhost
;; global options: +cmd
;; no servers could be reached

 

[Ferocious1881]

also jails dont have an lo0 network interface
had a similar issue with trying to run unbound in a jail

Running jexec 9 ifconfig gives me

lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair3b: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.0.3 netmask 0xffffff00 broadcast 192.168.0.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

 

[Ferocious1881]

You don't stick an ACL in here.

It worked in my original setup in a Alpine Linux Virtual Machine

 

[Ferocious1881]

It worked in my original setup in a Alpine Linux Virtual Machine

And removing the ACL from the listen on as said here

You don't stick an ACL in here.

It worked