Solved DNS Inside Jail Not Working

Both netmasks will work, but it's common to use 255.255.255.255 when the jail IP is an alias of the host's interface. The IP addresses don't appear to be the problem though. "No address record" always indicates DNS or resolving issues. Check your jail's /etc/resolv.conf and make sure there's at least one valid DNS server.

As drill(1) does seem to work, make sure your repositories are set correctly. Check with pkg -vv to see if the URL is correct (it may point to a non-existing hostname). I'd also verify that HTTP_PROXY and friends aren't the cause.

The re0 interface can safely be ignored. Although it's loaded it's not actually active (status: no carrier) so it's not interfering with anything.
 
I am not sure how to set my netmask for the jails, but here is the output that you mentioned. The nameserver IP is the host IP. I am wondering if my firewall is blocking the traffic? I do not have any firewalls that I know of running on the jails, but I pasted my pf.conf from the host in case that is helpful.

Code:
brad@mercury:/usr/local/etc/ezjail$ sudo jexec 1 sh
Password:
# cat /etc/resolv.conf
search milkyway
nameserver 192.168.0.101
# pkg -vv
Version  : 1.2.6
PACKAGESITE  :
PKG_DBDIR  : /var/db/pkg
PKG_CACHEDIR  : /var/cache/pkg
PORTSDIR  : /usr/ports
PUBKEY  :
HANDLE_RC_SCRIPTS  : no
ASSUME_ALWAYS_YES  : no
REPOS_DIR  : [
  /etc/pkg/,
  /usr/local/etc/pkg/repos/,
]
PLIST_KEYWORDS_DIR  :
SYSLOG  : yes
AUTODEPS  : yes
ABI  : freebsd:10:x86:64
DEVELOPER_MODE  : no
PORTAUDIT_SITE  : http://portaudit.FreeBSD.org/auditfile.tbz
VULNXML_SITE  : http://www.vuxml.org/freebsd/vuln.xml.bz2
MIRROR_TYPE  : SRV
FETCH_RETRY  : 3
PKG_PLUGINS_DIR  : /usr/local/lib/pkg/
PKG_ENABLE_PLUGINS  : yes
PLUGINS  : [
]
DEBUG_SCRIPTS  : no
PLUGINS_CONF_DIR  : /usr/local/etc/pkg/
PERMISSIVE  : no
REPO_AUTOUPDATE  : yes
NAMESERVER  :
EVENT_PIPE  :
FETCH_TIMEOUT  : 30
UNSET_TIMESTAMP  : no
SSH_RESTRICT_DIR  :
PKG_SSH_ARGS  :
PKG_ENV  : {
}
DISABLE_MTREE  : no
DEBUG_LEVEL  : 0
ALIAS  : {
}

Repositories:
  FreeBSD: {
  url  : "pkg+http://pkg.FreeBSD.org/freebsd:10:x86:64/latest",
  enabled  : yes,
  mirror_type  : "SRV",
  signature_type  : "FINGERPRINTS",
  fingerprints  : "/usr/share/keys/pkg"
  }
#

Code:
brad@mercury:/usr/local/etc/ezjail$ cat /etc/pf.conf
set skip on lo0
interface="re1"
apacheJail="192.168.0.102"
ircJail="192.168.0.103"
plexJail="192.168.0.104"
scrub in all
rdr pass on $interface proto tcp from any to $interface port 80 -> $apacheJail
rdr pass on $interface proto tcp from any to $interface port 6667 -> $ircJail
rdr pass on $interface proto tcp from any to $interface port 32400 -> $plexJail
antispoof for lo0
antispoof for $interface
block in on $interface
pass in on $interface proto tcp from any to any port 2662
pass out on $interface proto {tcp,udp,icmp} all
brad@mercury:/usr/local/etc/ezjail$
 
Try removing both antispoof lines in your /etc/pf.conf. The antispoof on lo0 probably isn't doing anything anyway due to the skip. The other may block packets not having the primary address of the interface.
 
I shouldn't have to mess with my primary fw/router, would I? I don't recall having this problem before in 8.x, so I doubt it, but just wanted to mention that. I just have the basic setup from pfSense though... I don't understand what is going on with these jails.
 
Add this to your unbound.conf or into one of the local configuration files under /var/unbound/conf.d (10.1-RELEASE+).
Code:
interface-automatic: yes

It seems like drill doesn't care when the reply packet comes back with a different IP address than it was sent to but other utilities silently fail. Without this option, UDP replies from Unbound will originate from the jail IP rather than the host IP the packet was sent to. You can confirm this with tcpdump -i lo0 port 53 before and after making the change.
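The behaviour described above, as an added example that is not part of the original thread: a UDP server on loopback is queried at one address but answers from another, the situation the post attributes to Unbound without interface-automatic. A client that connect()s its UDP socket (the usual stub-resolver practice) never sees the answer because the kernel only delivers datagrams from the exact peer it connected to; an unconnected socket (drill-style sendto/recvfrom) accepts the reply from any source. The addresses, ports and message bytes are constructed for the demo; it assumes a Linux loopback where 127.0.0.2 is bindable, and otherwise falls back to answering from a different port, which the kernel filters the same way.

```python
"""Why a DNS reply from the "wrong" source address is silently lost.

Added example, not from the forum thread. Constructed loopback demo:
the server is queried at QUERY_ADDR:port but replies from ALT_ADDR:port.
"""
import socket
import threading

QUERY_ADDR = "127.0.0.1"
ALT_ADDR = "127.0.0.2"   # assumption: reachable on Linux lo, may not be elsewhere
TIMEOUT = 1.0


def _make_server():
    """Bind the socket queries arrive on and a second socket replies leave from."""
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind((QUERY_ADDR, 0))
    port = listen.getsockname()[1]

    reply = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # Same port, different address: the reply comes from an address
        # the client never asked (the interface-automatic: no situation).
        reply.bind((ALT_ADDR, port))
    except OSError:
        # Fallback for hosts without 127.0.0.2: same address, different port.
        reply.bind((QUERY_ADDR, 0))
    return listen, reply


def _serve(listen, reply, answers):
    """Answer `answers` datagrams, sending each reply from the wrong socket."""
    listen.settimeout(TIMEOUT * 3)
    for _ in range(answers):
        try:
            data, client = listen.recvfrom(512)
        except socket.timeout:
            return
        reply.sendto(b"A " + data, client)


def query_connected(server):
    """Stub-resolver style: connect() the UDP socket, so the kernel only
    delivers datagrams whose source is exactly `server`. Returns None on timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(TIMEOUT)
    try:
        s.connect(server)
        s.send(b"milkyway?")
        return s.recv(512)
    except socket.timeout:
        return None
    finally:
        s.close()


def query_unconnected(server):
    """drill(1) style: plain sendto/recvfrom, any sender is accepted.
    Returns (data, (addr, port)) of the actual sender, or None on timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(TIMEOUT)
    try:
        s.sendto(b"milkyway?", server)
        return s.recvfrom(512)
    except socket.timeout:
        return None
    finally:
        s.close()


def demo():
    """Run both client styles against the misbehaving server and report."""
    listen, reply = _make_server()
    server = listen.getsockname()
    t = threading.Thread(target=_serve, args=(listen, reply, 2), daemon=True)
    t.start()

    connected = query_connected(server)
    unconnected = query_unconnected(server)
    t.join()
    result = {
        "queried": server,
        "reply_source": reply.getsockname(),
        "connected_got_reply": connected is not None,
        "unconnected_got_reply": unconnected is not None,
        "unconnected_reply_from": unconnected[1] if unconnected else None,
    }
    listen.close()
    reply.close()
    return result


if __name__ == "__main__":
    print(demo())
```

Swap the roles in your head: the jail is the connected client, Unbound on the host is the server answering from the jail-facing alias, and the timeout is the "No address record" that pkg reports. tcpdump on lo0 shows the reply leaving from the unexpected address either way; only the unconnected client ever sees it.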


Not quite sure I follow, but this is what I did (no other BSD machines on the LAN).
Used my CentOS desktop to dig @192.168.0.101 google.com and received this output:
Code:
brad@EARTH:~$ dig @192.168.0.101 google.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> @192.168.0.101 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Regarding this, you would need to add this to /etc/pf.conf to allow other machines in your LAN to query DNS:
Code:
pass in on $interface proto { tcp, udp } to any port 53
 