Solved Local DNS not working in Jail

Got a jail with FreeBSD in it. I wanted to run my own DNS, but I seem to be running into problems. I tried using DNS from tor and dnscrypt-proxy. I've set these up before, but now get resolve errors when I enter nameserver 127.0.0.1 in /etc/resolv.conf:

Code:
$ curl -IL google.com
curl: (6) Could not resolve host: google.com

Since my pf rules for the jail included block in all, I figured this needed to be whitelisted. I added the following line:

Code:
pass in proto udp to port 53

Ran pfctl -nf /etc/pf.conf, but no changes when I came back to the jail. I should note that the DNS works perfectly with 8.8.8.8 or other external DNS. I just can't get local DNS to work.

In case someone asks, here is the entire pf.conf:

Code:
ext_if="wlan0"

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)
rdr-anchor "rdr/*"

block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state
pass in proto udp to port 53

Thanks

EDIT - I never got a reply, but I started tinkering around. I had the following IP for my jail:

Code:
ifconfig bastille0 | awk '/inet/ { print $2 }'
10.17.89.50

I put that IP as the nameserver in /etc/resolv.conf and suddenly the DNS from tor on port 53 just worked. Just fyi if anyone else runs into this problem.
 
One cannot make much use of a nameserver which has no Internet access. A nameserver has to make queries (to the upstream server, or by recursion) to resolve an external domain name, such as google.com. How was the Internet connectivity of the jail checked?
 
pass in proto udp to port 53
You don't want to allow incoming DNS requests, you want to allow outgoing DNS requests (should already be covered by the pass out ... rule). And note that DNS works on port 53 UDP and TCP.
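The thread's outcome (resolving against 127.0.0.1 failed, resolving against the jail's own address 10.17.89.50 worked) and the reply's note that DNS uses both UDP and TCP on port 53 suggest one quick check: confirm that every nameserver listed in resolv.conf actually has a port 53 listener bound to that exact address, for both protocols. The script below is an added example, not code from the thread or from any of the tools mentioned. It parses the listener table in the column layout FreeBSD's `sockstat -4l` prints (USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS); the resolv.conf contents and sockstat output embedded in it are constructed sample data, and the listener's user and PID are made up.

```shell
#!/bin/sh
# Added example: verify that each nameserver in resolv.conf has a DNS listener
# on port 53 (UDP and TCP) at that exact address, judging from sockstat output.

# Constructed resolv.conf contents, mirroring the thread's two attempts.
RESOLV_CONF_LOOPBACK='nameserver 127.0.0.1'
RESOLV_CONF_JAILIP='nameserver 10.17.89.50'

# Constructed "sockstat -4l" output (hypothetical process names and PIDs):
# a resolver bound to the jail address on UDP 53 only, no TCP 53 listener.
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
_tor     tor        1234  6  udp4   10.17.89.50:53        *:*
root     sshd       800   3  tcp4   10.17.89.50:22        *:*'

# has_listener PROTO ADDR SOCKSTAT_OUTPUT
# Succeeds when a socket with protocol PROTO (udp4/tcp4) is bound to ADDR:53.
# Column 5 is PROTO and column 6 is LOCAL ADDRESS in sockstat's layout; the
# header line never matches because its sixth field is the word "LOCAL".
has_listener() {
    proto="$1"; addr="$2"; sockstat_out="$3"
    printf '%s\n' "$sockstat_out" |
        awk -v p="$proto" -v a="$addr:53" \
            '$5 == p && $6 == a { found = 1 } END { exit found ? 0 : 1 }'
}

# check_nameservers RESOLV_CONF SOCKSTAT_OUTPUT
# Prints one line per nameserver: "<addr> udp=<ok|missing> tcp=<ok|missing>".
# A nameserver showing "missing" for both is unreachable no matter what pf
# allows, which is the symptom seen when 127.0.0.1 was used in the thread.
check_nameservers() {
    resolv="$1"; sockstat_out="$2"
    printf '%s\n' "$resolv" | awk '$1 == "nameserver" { print $2 }' |
    while read -r ns; do
        udp=missing; tcp=missing
        has_listener udp4 "$ns" "$sockstat_out" && udp=ok
        has_listener tcp4 "$ns" "$sockstat_out" && tcp=ok
        printf '%s udp=%s tcp=%s\n' "$ns" "$udp" "$tcp"
    done
}

# check_live: run the same comparison against the real files of this host
# (or jail). Only used when invoked with --live, so the sample run above
# stays reproducible offline.
check_live() {
    check_nameservers "$(cat /etc/resolv.conf)" "$(sockstat -4l)"
}

if [ "${1:-}" = "--live" ]; then
    check_live
else
    check_nameservers "$RESOLV_CONF_LOOPBACK" "$SOCKSTAT_SAMPLE"
    check_nameservers "$RESOLV_CONF_JAILIP" "$SOCKSTAT_SAMPLE"
fi
```

Run without arguments it reports the two constructed cases; run with `--live` inside the jail it compares the jail's own /etc/resolv.conf against its current listeners. A "tcp=missing" result is worth fixing even when UDP works, since responses larger than a UDP payload fall back to TCP.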
 