[Solved] Hierarchical jails, pf nat & not yet working dns?

I'm working with Hierarchical jails. The setup is as following:

Code:
[host]
-> [jail:infrastructure] [public ip] [no private ip]
      Bridge0 (public) [no bridge ip] {
      -> webstuff jail + public ip
            vm1 [public-ip]
            vm2 [public-ip]
      -> netstuff jail + public ip
            vm3 (dns) [public-ip]
      }

      Bridge1 (private) [192.168.0.1] {
      -> jail:webstuff [Bridge: 192.168.0.2]|[IP: 192.168.0.3]
            vm1 [192.168.0.6]
            vm2 [192.168.0.7]

      -> jail:netstuff [Bridge: 192.168.0.4]|[IP: 192.168.0.5]
            vm3 (dns) [192.168.0.253]
            jail:services [Bridge: 192.168.0.21]|[IP: 192.168.0.22] {
              to-be-jail DNS [192.168.0.250]
              to-be-jail DHCP [192.168.0.251]
            }
      }

After messing around with PF to give me NAT, wanting to use the public IP of the infrastructure jail [192.168.0.1] for everything in netstuff, and configuring PF on the infrastructure jail, I have succeeded in pinging the outside world from the netbox jail.

[From NetStuff]
--- 1.1.1.1 ping statistics --- 4 packets transmitted, 4 packets received,
--- 8.8.8.8 ping statistics --- 4 packets transmitted, 4 packets received

And if I fetch via IP, it obtains files too.

fetch http://some-www-ip/100mb.bin
100mb.bin 23% of 100 MB 8037 kBps 09s

However, for whatever reason I am unable to get DNS to resolve, whether using my own DNS server or a public one (1.1.1.1).
As I have no pkg installed, nor nslookup, I use host to dig further.

resolv.conf has my DNS server as the first point of contact, which is accessible:
--- 192.168.0.253 ping statistics --- 4 packets transmitted, 4 packets received

But using host on its own fails.

root@netstuff:/ # host forums.freebsd.org
;; connection timed out; no servers could be reached

However, if I specify the name server explicitly, it resolves just fine.
root@netstuff:/ # host forums.freebsd.org 192.168.0.253
Using domain server:
Name: 192.168.0.253
Address: 192.168.0.253#53
forums.freebsd.org has address x.x.x.x

netstuff services has the infrastructure gateway (192.168.0.1) as its default route.
netstuff services has my currently working DNS server in resolv.conf [192.168.0.253].
netstuff services has no public adapter, purely a private vtnet adapter connected to the private bridge, and can contact all bridges.

I've tried all sorts of rules allowing everything, yet I still can't get DNS working.
So I know DNS is working, as shown above, but I can't seem to make it resolve any URL.

And my PF conf:

Code:
# Interface facing the public bridge (epair member inside the infrastructure jail)
public_interface = "epair7b"
public_bridge = "bridge0"

# Interface facing the private bridge
private_interface = "epair8b"
private_bridge = "bridge1"

# Private network behind the infrastructure jail, and the services jail addresses
private_net = "{ 192.168.0.0/24 }"
private_range = "{192.168.0.21, 192.168.0.22}"

# Setup NAT: translate everything from the private net leaving the public interface
nat on $public_interface from $private_net to any -> ($public_interface)

# Rules
pass in on $public_interface from $private_net to $private_range
pass out on $public_interface from $private_range to $private_net

pass in on epair7b from 192.168.0.0/24 to any keep state
pass out on epair7b from any to 192.168.0.0/24 keep state

pass from 192.168.0.22 to any keep state

Any help would be very appreciated.
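The symptom above (an explicit `host name server` works, a bare `host name` times out) separates into two questions: what the stub resolver is actually configured with, and whether each configured server answers on the path the resolver uses. The following script is an added example, not part of the original post; it parses a resolv.conf, and in live mode queries each listed server explicitly and then once through the stub resolver so the two can be compared. The sample resolv.conf in it is constructed for the demonstration, and the lookup name is an assumption.

```shell
#!/bin/sh
# Added diagnostic helper (not the poster's code). Parses a resolv.conf,
# then optionally (--live) exercises each nameserver with host(1) both
# directly and via the stub resolver.

# Print the nameserver addresses from a resolv.conf-style file ($1),
# ignoring comments, blank lines and trailing junk on the line.
parse_nameservers() {
    sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1"
}

# True if the file lists at least one nameserver. With no nameserver line
# the resolver falls back to the local host (see resolv.conf(5)), which
# yields "no servers could be reached" even when the real server answers.
has_nameserver() {
    [ -n "$(parse_nameservers "$1")" ]
}

# Live check (needs network): query a name through each configured server
# explicitly, then through the stub resolver with no server given.
# $1: resolv.conf path, $2: name to look up (assumed default below).
live_check() {
    conf=${1:-/etc/resolv.conf}
    name=${2:-forums.freebsd.org}
    if ! has_nameserver "$conf"; then
        echo "$conf lists no nameserver at all"
    fi
    for ns in $(parse_nameservers "$conf"); do
        printf 'direct query via %s: ' "$ns"
        if host "$name" "$ns" >/dev/null 2>&1; then echo ok; else echo FAILED; fi
    done
    printf 'query via stub resolver (%s): ' "$conf"
    if host "$name" >/dev/null 2>&1; then echo ok; else echo FAILED; fi
}

# Constructed sample for offline demonstration (not the poster's file).
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# constructed resolv.conf
search example.invalid
nameserver 192.168.0.253
nameserver 1.1.1.1   # public fallback
EOF
echo "nameservers in sample:"
parse_nameservers "$SAMPLE"
rm -f "$SAMPLE"

# Pass --live to run the network checks against the real /etc/resolv.conf.
if [ "${1:-}" = "--live" ]; then
    live_check /etc/resolv.conf
fi
```

Run it with `--live` inside the jail that fails to resolve. If every direct query reports ok but the stub-resolver query fails, the problem is in what the resolver reads (file name, contents, or the jail's view of it) rather than in PF or the bridge; if a direct query to a server also fails, watch port 53 with `tcpdump -ni bridge1 port 53` on the infrastructure jail while the query runs to see which hop drops it.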