Issues with Name Resolution Using local-unbound Inside a Jail on FreeBSD

Hi everyone,

I'm facing difficulties with resolving domain names using local-unbound inside a jail on FreeBSD. Here's the situation:

  • Inside the jail, when I try to resolve domain names, I get the following error:

    sh:
    /root@[21:53] # ping -4 freebsd.org
    ping: cannot resolve freebsd.org: Host name lookup failure
  • However, I have connectivity and my DNS server is responding correctly:

    sh:
    /root@[21:54] # drill facebook A @10.0.0.1
    ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 6199
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; facebook.  IN  A
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    . 2870    IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2024121101 1800 900 604800 86400
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 405 msec
    ;; SERVER: 10.0.0.1
    ;; WHEN: Wed Dec 11 21:54:52 2024
    ;; MSG SIZE  rcvd: 101
  • Additional tests show that other domain names are being resolved correctly outside the jail:

    sh:
    /root@[21:55] # host facebook.com
    facebook.com has address 31.13.90.35
    facebook.com has IPv6 address 2a03:2880:f17c:81:face:b00c:0:25de
    facebook.com mail is handled by 10 smtpin.vvv.facebook.com.

Here are the configurations from pf.conf for NAT and DNS traffic:
sh:
# NAT for outgoing traffic from jails
nat on $ext_if from $jail_if:network to any -> ($ext_if) round-robin

# Allow DNS traffic from jails to the host
pass in on $jail_if proto { tcp udp } from $jail_if:network to 10.0.0.1 port domain keep state

# Allow DNS over TLS from jails to the host
pass in on $jail_if proto tcp from $jail_if:network to 10.0.0.1 port domain-s keep state

I have checked the Unbound and /etc/resolv.conf configurations, as well as the network permissions of the jail, but the problem persists. Any guidance or tips on how to solve this issue would be greatly appreciated.

Thanks in advance for the help!
 
i had similar issues trying to use unbound in a jail

i think it's related to the lo0 network interface
jails usually have a cloned lo0 as lo1

which i think causes issues with unbound
 
Hi!

What is the content of /etc/resolv.conf of this jail?

Here is the content of the jail's /etc/resolv.conf:
Code:
:/root@[9:51] # cat /etc/resolv.conf
options inet6 disable
nameserver 10.0.0.1   
#nameserver 1.1.1.1 # test

-> 10.0.0.1 is my local_unbound

When I test by using an external DNS server, it works normally.
 
Hi, NapoleonWils0n

i had similar issues trying to use unbound in a jail

i think it's related to the lo0 network interface
jails usually have a cloned lo0 as lo1

which i think causes issues with unbound

I’m using CBSD for managing my jails, and instead of relying on a loopback interface inside the jail, I have a dedicated bridge interface for the jail network. Here’s what ifconfig shows for bridge1:

Code:
bridge1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=0
    ether 58:9c:fc:10:67:1f
    inet 10.0.0.2 netmask 0xffffffff broadcast 10.0.0.2
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    groups: bridge
 
Hi Mate

i haven't tried CBSD, that's on my to-do list
also havent tried a bridge in a jail either

i didn't look into unbound in a jail in any detail
i just couldn't get it working with the loopback device
 
The built-in unbound is restricted to local queries only.

You need to allow the local subnet to do queries

Example config:
/var/unbound/unbound.conf

Code:
# unbound.conf(5) config file for local-unbound(8).
server:
    directory: "/etc/unbound"
    username: unbound
    # make sure local-unbound can access entropy from inside the chroot.
    # e.g. on linux use these commands (on BSD, devfs(8) is used):
    #      mount --bind -n /dev/urandom /etc/unbound/dev/urandom
    # and  mount --bind -n /dev/log /etc/unbound/dev/log
    chroot: "/etc/unbound"
    # logfile: "/etc/unbound/unbound.log"  #uncomment to use logfile.
    pidfile: "/etc/unbound/unbound.pid"
    # verbosity: 1      # uncomment and increase to get more logging.
    # listen on all interfaces, answer queries from the local subnet.
    interface: 0.0.0.0
    interface: ::0
    access-control: 10.0.0.0/8 allow
    access-control: 2001:DB8::/64 allow
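A small check for the point made in this reply, added here as an example and not taken from the thread or from unbound itself: it parses the interface: and access-control: lines of an unbound server: clause and reports whether a jail at a given address would be answered, using unbound's rules that the most specific matching netblock wins and that clients not covered by any rule are refused. The sample config is constructed from the lines above plus one narrower refuse rule (an assumption) to show that precedence.

```python
import ipaddress
import re

# Constructed sample: the interface/access-control lines from the reply above,
# plus one narrower "refuse" rule (assumed) to show most-specific-match.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 10.0.0.0/8 allow
    access-control: 10.0.5.0/24 refuse
    access-control: 2001:DB8::/64 allow
"""

# unbound's built-in defaults: refuse everything except loopback clients.
DEFAULT_ACL = [("0.0.0.0/0", "refuse"), ("::0/0", "refuse"),
               ("127.0.0.0/8", "allow"), ("::1/128", "allow")]

def parse_server(conf):
    """Return (interfaces, acl) from a server: clause, comments stripped."""
    interfaces, acl = [], []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(interface|access-control):\s*(\S+)(?:\s+(\S+))?$", line)
        if not m:
            continue
        if m.group(1) == "interface":
            interfaces.append(m.group(2).split("@")[0])  # drop optional @port
        else:
            acl.append((m.group(2), m.group(3)))
    return interfaces or ["127.0.0.1", "::1"], acl  # no interface: = loopback only

def acl_action(acl, client_ip):
    """Action unbound takes for client_ip: the most specific netblock wins."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in DEFAULT_ACL + acl:
        net = ipaddress.ip_network(net, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1]

def listens_on(interfaces, server_ip):
    ip = ipaddress.ip_address(server_ip)
    wildcard = ipaddress.ip_address("0.0.0.0" if ip.version == 4 else "::")
    return any(ipaddress.ip_address(i) in (ip, wildcard) for i in interfaces)

def check(conf, client_ip, resolver_ip):
    interfaces, acl = parse_server(conf)
    return {"listening": listens_on(interfaces, resolver_ip),
            "action": acl_action(acl, client_ip)}
```

A jail whose client address resolves to "refuse" gets REFUSED back from unbound even though the host is reachable, which is the symptom the original post describes.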
 