BIND9 inside an 'ip4 = inherit' jail

I have a FreeBSD 14.0 system with a 14.0-RELEASE jail:

Code:
dns {
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.consolelog = "/var/log/jail_console_${name}.log";

  allow.raw_sockets;
  exec.clean;
  mount.devfs;

  host.hostname = "${name}";
  path = "/usr/local/jails/${name}";

  ip4 = inherit;
}

Code:
jls
   JID  IP Address      Hostname                      Path
....
     6                  dns.test.local                 /usr/local/jails/dns

Networking is set up to share the host system's IP address.

Code:
ifconfig
vmx0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=4e403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
    ether 00:50:56:96:b6:18
    inet 192.168.0.209 netmask 0xffffff00 broadcast 192.168.0.255
    media: Ethernet autoselect
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

jexec dns ifconfig
vmx0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=4e403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
    ether 00:50:56:96:b6:18
    inet 192.168.0.209 netmask 0xffffff00 broadcast 192.168.0.255
    media: Ethernet autoselect
    status: active
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    groups: lo

I have the dns/bind916 package installed inside the jail:

Code:
pkg --jail dns info -x bind9
bind916-9.16.50_1

It's configured to allow recursion and forward requests to another DNS resolver (it's currently open to any for the purpose of troubleshooting):

Code:
options {
    recursion yes;
    allow-recursion { any; };
    listen-on    { any; };

    forwarders {
        192.168.0.10;
        192.168.0.11;
    };
};

The DNS server starts correctly:

Code:
sockstat -4ln -j dns
USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
53       named      51837 27  udp4   192.168.0.209:53      *:*
53       named      51837 28  udp4   192.168.0.209:53      *:*
53       named      51837 29  tcp4   192.168.0.209:53      *:*
53       named      51837 30  tcp4   192.168.0.209:53      *:*
53       named      51837 33  udp4   127.0.0.1:53          *:*
53       named      51837 34  udp4   127.0.0.1:53          *:*
53       named      51837 35  tcp4   127.0.0.1:53          *:*
53       named      51837 36  tcp4   127.0.0.1:53          *:*
53       named      51837 37  tcp4   127.0.0.1:953         *:*

If I try to do a recursive query it fails:

Code:
drill @127.0.0.1 www.freebsd.org
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 28015
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.freebsd.org.    IN    A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 697 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed May  8 02:39:15 2024
;; MSG SIZE  rcvd: 33

If I remember correctly, I think there is some weird quirk with BIND and jails that requires me to add something extra to the jail's configuration. I don't remember what that is.
 
What does drill @192.168.0.209 www.freebsd.org do?

You can also start bind in a chroot, there's really no need for a full jail. A jail is nice but also requires extra maintenance as you need to keep the jail updated too. The chroot(8) way doesn't require any additional set up or maintenance while still providing extra security.

Code:
# named_chrootdir (str):            Chroot directory (or "" not to auto-chroot it)
#                                   Historically, was /var/named
# named_chroot_autoupdate (bool):   Automatically install/update chrooted
#                                   components of named.

Code:
dice@maelcum:~ % ll /var/named/
total 3
dr-xr-xr-x  9 root wheel 512 Apr 13 17:52 dev/
drwxr-xr-x  2 root wheel   5 Jun  4  2023 etc/
drwxrwxrwt  2 root wheel   2 Jun  4  2023 tmp/
drwxr-xr-x  4 root wheel   4 Jun  4  2023 usr/
drwxr-xr-x  6 root wheel   6 Jun  4  2023 var/
You don't need to set this up in advance; the rc(8) script takes care of it automatically.

Code:
named_enable="YES"
named_chrootdir="/var/named"
named_chroot_autoupdate="YES"

And keep in mind that dns/bind916 has been removed; it's been deprecated (although it might still be available in quarterly). Nothing major, just use dns/bind918 instead.
 
What does drill @192.168.0.209 www.freebsd.org do?
It was doing the same thing.

After much experimenting, I was able to make it 'work' by adding

Code:
dnssec-validation no;

Not ideal because I do want DNSSEC functionality (eventually).

Slightly related. Looks like drill is acting a little weird. Noticed that it randomly returns REFUSED when I do queries only to @localhost (anything else, like the system's real IP and 127.0.0.1, works just fine). Wasn't able to replicate that with dig; it has consistently worked every time. I observed this on at least 2 hosts on different nets, each with different versions of FreeBSD (13 vs 14) and BIND (916 vs 918). The one thing they have in common is they are VMs.
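One thing worth checking before turning dnssec-validation back on: a validating named that uses forwarders depends on those forwarders returning DNSSEC material (RRSIG records, and ideally the AD flag) for queries that carry the DO bit, and if they strip it, validation fails and the resolver answers SERVFAIL. The script below is an added example, not code from this thread; it hand-builds an EDNS0 query with DO set, sends it to a forwarder, and reports the rcode, AD flag and whether RRSIGs came back. It assumes the forwarders 192.168.0.10 and 192.168.0.11 from the posted named.conf, and SAMPLE_RESPONSE is a constructed reply so the parsing can be exercised offline.

```python
import socket
import struct
FLAG_RD, FLAG_AD = 0x0100, 0x0020           # RFC 1035 RD bit, RFC 4035 AD bit
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):                      # dotted name -> length-prefixed labels + root
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qid=0x1234, rrtype=TYPE_A):
    """Recursive query carrying an EDNS0 OPT RR with the DO bit set (RFC 6891)."""
    header = struct.pack(">HHHHHH", qid, FLAG_RD, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack(">HHBBHH", TYPE_OPT, 1232, 0, 0, 0x8000, 0)  # DO = 0x8000
    return header + encode_name(name) + struct.pack(">HH", rrtype, 1) + opt

def skip_name(buf, off):                    # step over a possibly compressed name (RFC 1035 4.1.4)
    while buf[off] != 0:
        if buf[off] & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + buf[off]
    return off + 1

def assess(resp):
    """Return rcode, AD flag and whether the answer section carries RRSIG records."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    off, types = 12, []
    for _ in range(qd):                      # skip the echoed question(s)
        off = skip_name(resp, off) + 4
    for _ in range(an):                      # walk the answer RRs, collecting their types
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "ad": bool(flags & FLAG_AD), "rrsig": TYPE_RRSIG in types}

def query_forwarder(server, name="www.freebsd.org", timeout=3.0):
    """Send build_query() to SERVER:53 over UDP and return the raw response (forwarders assumed from the thread)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    assert resp[:2] == q[:2], "transaction id mismatch"
    return resp

# Constructed sample (not captured from the thread's hosts): NOERROR, AD set, A + RRSIG answer.
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180 | FLAG_AD, 1, 2, 0, 0)
                   + encode_name("www.freebsd.org") + struct.pack(">HH", TYPE_A, 1)
                   + b"\xc0\x0c" + struct.pack(">HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
                   + b"\xc0\x0c" + struct.pack(">HHIH", TYPE_RRSIG, 1, 300, 20) + b"\x00" * 20)
```

Run `assess(query_forwarder("192.168.0.10"))` from inside the jail; a result with `"rrsig": False` from both forwarders means `dnssec-validation auto` cannot succeed behind them, whatever the jail configuration.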
 