Bind inside jail refuses to forward queries

I have a jail acting as a DNS server for my internal domain plexor-int.se. It resolves internal hostnames just fine but does not forward queries for external hostnames.

A query from a client for ftp.freebsd.org gives the following in my named logfile:
Code:
02-Mar-2012 12:10:20.889 client 192.168.1.50#60253: using view '_default'
02-Mar-2012 12:10:20.889 client 192.168.1.50#60253: request is not signed
02-Mar-2012 12:10:20.889 client 192.168.1.50#60253: recursion available
02-Mar-2012 12:10:20.889 client 192.168.1.50#60253: query
02-Mar-2012 12:10:20.889 client 192.168.1.50#60253: ns_client_attach: ref = 1
02-Mar-2012 12:10:20.889 client 192.168.1.50#60253: query 'ftp.freebsd.org.plexor-int.se/A/IN' approved
02-Mar-2012 12:10:20.889 client 192.168.1.50#60253: send
02-Mar-2012 12:10:20.889 client 192.168.1.50#60253: sendto
02-Mar-2012 12:10:20.890 client 192.168.1.50#60253: senddone
02-Mar-2012 12:10:20.890 client 192.168.1.50#60253: next
02-Mar-2012 12:10:20.890 client 192.168.1.50#60253: ns_client_detach: ref = 0
02-Mar-2012 12:10:20.890 client 192.168.1.50#60253: endrequest
02-Mar-2012 12:10:20.890 client @0x80200fe00: udprecv
02-Mar-2012 12:10:20.890 socket 0x8018acde8: socket_recv: event 0x80277b130 -> task 0x8018a07e0

For some reason it adds ftp.freebsd.org in front of my domain (ftp.freebsd.org.plexor-int.se/A/IN). How can I make named forward these queries to my ISP's nameservers?

Here is my named.conf:

Code:
options {
	// All file and path names are relative to the chroot directory,
	// if any, and should be fully qualified.
	directory	"/etc/namedb/working";
	pid-file	"/var/run/named/pid";
	dump-file	"/var/dump/named_dump.db";
	statistics-file	"/var/stats/named.stats";

	listen-on	{ 192.168.1.40; };
	recursion yes;
	allow-query { 192.168.1.0/24; };
	allow-transfer { 192.168.1.0/24; };

	forwarders {
		195.67.199.30;
	};

};


zone "." { type hint; file "/etc/namedb/named.root"; };


zone "localhost"	{ type master; file "/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa"	{ type master; file "/etc/namedb/master/localhost-reverse.db"; };
zone "255.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

zone "0.ip6.arpa"	{ type master; file "/etc/namedb/master/localhost-reverse.db"; };

zone "0.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

zone "10.in-addr.arpa"	   { type master; file "/etc/namedb/master/empty.db"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "31.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

zone "254.169.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

zone "0.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

zone "2.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "100.51.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "113.0.203.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };

zone "test" { type master; file "/etc/namedb/master/empty.db"; };
zone "example" { type master; file "/etc/namedb/master/empty.db"; };
zone "invalid" { type master; file "/etc/namedb/master/empty.db"; };
zone "example.com" { type master; file "/etc/namedb/master/empty.db"; };
zone "example.net" { type master; file "/etc/namedb/master/empty.db"; };
zone "example.org" { type master; file "/etc/namedb/master/empty.db"; };

zone "18.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "19.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

zone "240.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "241.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "242.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "243.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "244.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "245.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "246.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "247.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "248.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "249.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "250.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "251.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "252.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "253.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "254.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

zone "1.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "3.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "4.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "5.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "6.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "7.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "8.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "9.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "a.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "b.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "c.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "d.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "e.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "0.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "1.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "2.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "3.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "4.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "5.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "6.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "7.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "8.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "9.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "a.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "b.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "0.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "1.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "2.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "3.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "4.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "5.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "6.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "7.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

zone "c.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "d.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

zone "8.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "9.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "a.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "b.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

zone "c.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "d.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "e.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "f.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

zone "ip6.int"		{ type master; file "/etc/namedb/master/empty.db"; };


key "plexor-int-key" {
	algorithm hmac-md5;
	secret "pzYh8xjXPzF1FcmMjyHstA==";
};
zone "plexor-int.se" {
	type master;
	allow-update {
		key "plexor-int-key";
	};
	file "/etc/namedb/dynamic/plexor-int.se";
};
 
What's in your resolv.conf? If you have a search statement in there, unresolved hosts may be matched against the search domain. This is not an error.

I see you're using forwarders, but I think you need an additional forward {first|only} statement in there (see named.conf(5)) to activate it. Not sure if it defaults to one of those when not mentioned at all.
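As an added illustration (not code from the thread or from BIND), the following Python model shows the search-list behaviour referred to above: how a stub resolver expands a name against `search` in resolv.conf, and why a lookup for ftp.freebsd.org can show up in the named log as ftp.freebsd.org.plexor-int.se once the first, unsuffixed attempt gets no answer. The resolv.conf content is constructed; the function names `parse_resolv_conf` and `search_candidates` are mine.

```python
"""Model of how a stub resolver applies the resolv.conf search list.

Added example, not from the thread. With 'search plexor-int.se' and the
default ndots of 1, a multi-label name such as ftp.freebsd.org is first
tried as-is; only if that lookup fails (NXDOMAIN or timeout) does the
resolver retry with the search suffix appended, which is the query the
thread's named log shows being answered from the local zone.
"""

# Constructed resolv.conf for a client on the OP's LAN; the nameserver is
# the jail address from the thread's listen-on, the search domain is the
# OP's internal zone.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real file
nameserver 192.168.1.40
search plexor-int.se
options ndots:1
"""


def parse_resolv_conf(text):
    """Return (nameservers, search_domains, ndots) from resolv.conf text."""
    nameservers, search, ndots = [], [], 1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("search", "domain"):
            # 'domain' gives a one-entry list; a later 'search' replaces it
            search = list(args)
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return nameservers, search, ndots


def search_candidates(name, search, ndots=1):
    """Order in which the resolver tries a name against the search list.

    - A trailing dot marks the name absolute: it is tried as-is only.
    - Fewer than ndots dots: search suffixes first, then the bare name.
    - ndots or more dots: the bare name first; the suffixed forms are
      only attempted if that lookup fails.
    """
    if name.endswith("."):
        return [name]
    suffixed = ["%s.%s." % (name, dom) for dom in search]
    absolute = name + "."
    if name.count(".") >= ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]


if __name__ == "__main__":
    _, search, ndots = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for qname in ("ftp.freebsd.org", "fileserver", "ftp.freebsd.org."):
        print(qname, "->", search_candidates(qname, search, ndots))
```

Seeing only the suffixed query in the named log is therefore consistent with the unsuffixed one having failed first, so the log line itself is a symptom rather than the fault.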
 
Please add the allow-recursion line to your config:
Code:
options {
	// All file and path names are relative to the chroot directory,
	// if any, and should be fully qualified.
	directory	"/etc/namedb/working";
	pid-file	"/var/run/named/pid";
	dump-file	"/var/dump/named_dump.db";
	statistics-file	"/var/stats/named.stats";

	listen-on	{ 192.168.1.40; };
	recursion yes;
	allow-recursion { 192.168.1.0/24; };
	allow-query { 192.168.1.0/24; };
	allow-transfer { 192.168.1.0/24; };

	forwarders {
		195.67.199.30;
	};

};

Of course, you have to change 192.168.1.0/24 to whatever suits you if necessary.
 
DutchDaemon said:
I see you're using forwarders, but I think you need an additional forward {first|only} statement in there (see named.conf(5)) to activate it. Not sure if it defaults to one of those when not mentioned at all.

I guess the default settings will work fine. I haven't added a forward {first|only} statement to my config and have no problems with it.
 
Hello and thanks for your replies guys.

It has something to do with my jail not being able to use UDP. I tried the exact same config on a FreeBSD 9.0-RELEASE without a jail and it works there. I can see it when I run named in the foreground with debug level 100. My named cannot communicate with the forwarder server. Then it reverts to querying my master zone.

Is there anything I need to think about when using UDP from a jail?
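A check that separates a named.conf problem from a jail networking problem, as an added example that is not from the thread: send one hand-built UDP DNS query to the forwarder and see whether anything comes back. Run it once inside the jail and once on the host; a timeout in the jail while the host gets an answer confirms that UDP from the jail is what is failing, which matches what the debug run showed. The forwarder address and the queried name come from the post above; `build_query`, `parse_header` and `probe` are names I chose, and the response bytes used for the offline check are constructed.

```python
"""Probe a DNS forwarder over UDP with a hand-built query.

Added example, not from the thread. No resolver library is used, so the
result reflects the jail's raw UDP path to port 53 and nothing else.
"""
import socket
import struct

FORWARDER = "195.67.199.30"   # forwarder from the OP's named.conf
QNAME = "ftp.freebsd.org"     # the name the client asked for
QTYPE_A = 1
QCLASS_IN = 1


def encode_qname(name):
    """Wire-format a domain name: length-prefixed labels, zero terminator."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, qid, qtype=QTYPE_A):
    """12-byte header with RD (recursion desired) set, then one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(resp, expected_id):
    """Return (rcode, answer_count); reject replies that do not match the query."""
    if len(resp) < 12:
        raise ValueError("truncated DNS response")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if qid != expected_id:
        raise ValueError("response id %d does not match query id %d" % (qid, expected_id))
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is not a response")
    return flags & 0x000F, ancount


def probe(server, name, timeout=3.0, qid=0x1234):
    """Send one UDP query; return 'ok', 'rcode=N', or 'timeout'."""
    query = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    rcode, ancount = parse_header(resp, qid)
    if rcode == 0 and ancount > 0:
        return "ok"
    return "rcode=%d" % rcode


if __name__ == "__main__":
    # Network access happens only when run directly.
    print(FORWARDER, QNAME, probe(FORWARDER, QNAME))
```

Run it as `python3 dnsprobe.py` (any filename works) from a shell inside the jail; `timeout` with no `rcode=` line means no UDP reply reached the jail at all, while `rcode=` values mean the forwarder was reached and answered.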
 
A question related to this issue. What type of networking is preferred for jails?

Should I use VIMAGE networking instead?
 