Solved One jail cannot access DNS

I have three jails configured with sysutils/ezjail, two of which have /etc/resolve.conf files and can access the network in the usual way, including DNS lookups. The third jail has no DNS lookup and no /etc/resolve.conf file. I tried copying the file from another jail and service resolv restart and then restarting the jail to no avail.

Both working and non-working jails gave identical results with an abortive ssh on existent and non-existent hosts:
Code:
root@mailin:~ # ssh -l xxxx 10.0.2.100
The authenticity of host '10.0.2.100 (10.0.2.100)' can't be established.
ECDSA key fingerprint is 9e:16:3e:e5:75:67:55:7a:1f:bf:06:5d:36:79:64:e9.
Are you sure you want to continue connecting (yes/no)? n
Please type 'yes' or 'no': no
Host key verification failed.
root@mailin:~ # ssh -l xxxx 10.0.2.111
ssh: connect to host 10.0.2.111 port 22: Operation timed out
root@mailin:~ #

Code:
root@diversediversity:~ # ssh -l xxxx 10.0.2.100
The authenticity of host '10.0.2.100 (10.0.2.100)' can't be established.
ECDSA key fingerprint is 9e:16:3e:e5:75:67:55:7a:1f:bf:06:5d:36:79:64:e9.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
root@diversediversity:~ # ssh -l xxxx 10.0.2.111
ssh: connect to host 10.0.2.111 port 22: Operation timed out
root@diversediversity:~ #

As the host 10.0.2.100, which does exist, doesn't allow password log-in and the jails do not have keys, I did not want to proceed further, but this suggests to me that some network communication is possible and the problem is mainly with DNS.

ifconfig gives identical results, except for the IP addresses for lo1 for the jails.

Here is the pf set up on the parent machine:
Code:
TRANSLATION RULES:
nat on em0 inet from 127.0.1.1 to any -> (em0) round-robin
nat on em0 inet from 127.0.1.2 to any -> (em0) round-robin
nat on em0 inet from 127.0.1.3 to any -> (em0) round-robin
nat on em0 inet from 127.0.1.4 to any -> (em0) round-robin
nat on em0 inet from 127.0.1.5 to any -> (em0) round-robin
rdr pass on em0 inet proto tcp from any to any port = http -> 127.0.1.1 port 80
rdr pass on em0 inet proto tcp from any to any port = https -> 127.0.1.1 port 443
rdr pass on em0 inet proto tcp from any to any port = smtp -> 127.0.1.3 port 25

FILTER RULES:

INFO:
Status: Enabled for 0 days 00:56:34  Debug: Urgent

State Table  Total  Rate
  current entries  0   
  searches  1738  0.5/s
  inserts  7  0.0/s
  removals  7  0.0/s
Counters
  match  1660  0.5/s
  bad-offset  0  0.0/s
  fragment  0  0.0/s
  short  0  0.0/s
  normalize  0  0.0/s
  memory  0  0.0/s
  bad-timestamp  0  0.0/s
  congestion  0  0.0/s
  ip-option  0  0.0/s
  proto-cksum  0  0.0/s
  state-mismatch  0  0.0/s
  state-insert  0  0.0/s
  state-limit  0  0.0/s
  src-limit  0  0.0/s
  synproxy  0  0.0/s

TIMEOUTS:
tcp.first  120s
tcp.opening  30s
tcp.established  86400s
tcp.closing  900s
tcp.finwait  45s
tcp.closed  90s
tcp.tsdiff  30s
udp.first  60s
udp.single  30s
udp.multiple  60s
icmp.first  20s
icmp.error  10s
other.first  60s
other.single  30s
other.multiple  60s
frag  30s
interval  10s
adaptive.start  6000 states
adaptive.end  12000 states
src.track  0s

LIMITS:
states  hard limit  10000
src-nodes  hard limit  10000
frags  hard limit  5000
tables  hard limit  1000
table-entries hard limit  200000

TABLES:

OS FINGERPRINTS:
710 fingerprints loaded

How do I troubleshoot this issue?
 
Thanks for correcting my spelling of the filename. Apologies - I was describing it from memory and added the 'e' from habit. I used SSH to test basic network connectivity since the jails cannot use ping. dig just times out and drill is not installed.

However, after adding a specific nameserver IP (8.8.8.8) to dig I did get results, and adding a resolv.conf with two nameserver lines enabled me to restart freshclam, which is downloading virus definitions even as I write this. At least, the router lights are flashing away merrily. So now I wonder whether I did spell that file name wrong when copying the file across...
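The two things this thread turned on, a jail resolv.conf that does not name a usable server and a host NAT ruleset that only covers specific jail addresses, can be checked from the host before touching anything. The script below is an added example, not code from the thread or from ezjail; it assumes jail roots are given as filesystem paths (as `jls path` prints them), that the host's `pfctl -s nat` output has been saved to a file, and that jails sit on the 127.0.1.x lo1 aliases the posted rules NAT. The jail directories and addresses used in the test are constructed, and the rule text is the translation rules posted above.

```shell
#!/bin/sh
# Added example, not code from the thread. Host-side checks for a jail's
# resolv.conf and for whether the host's pf NAT rules cover the jail at all.
# Jail roots and addresses used here are constructed for illustration.

# check_jail_resolv JAILROOT
# Prints each "nameserver" address from JAILROOT/etc/resolv.conf, one per line.
# Exit status: 0 usable, 1 file missing, 2 no nameserver lines, 3 loopback only.
# Background (resolver(5)): with no nameserver entries the resolver falls back to
# the local host. Inside a jail 127.0.0.1 is rewritten to the jail's own address,
# where nothing listens on port 53 unless the jail runs its own resolver, so a
# plain lookup simply times out while "dig @8.8.8.8 ..." works.
check_jail_resolv() {
    root=$1
    f="$root/etc/resolv.conf"
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    # Only whole "nameserver X" lines count; comments, search and options are ignored.
    ns=$(awk '$1 == "nameserver" { print $2 }' "$f")
    [ -n "$ns" ] || { echo "$f: no nameserver lines" >&2; return 2; }
    usable=0
    for n in $ns; do
        case $n in
            127.*|::1) echo "$f: $n is the jail itself, not a DNS server" >&2 ;;
            *) usable=1; echo "$n" ;;
        esac
    done
    [ $usable -eq 1 ] || return 3
    return 0
}

# nat_covers RULESFILE ADDR
# RULESFILE holds the host's "pfctl -s nat" output. Returns 0 when some nat rule
# translates packets "from ADDR" (an optional /prefix is accepted), 1 otherwise.
# DNS queries leave the jail through the same nat rule as everything else, so a
# jail on an address with no rule has no path to any resolver, whatever
# resolv.conf says. Limitation: rules written with a table ("from <jails>") or a
# network that merely contains ADDR are not recognised; read those by hand.
nat_covers() {
    rules=$1
    addr=$2
    esc=$(printf '%s' "$addr" | sed 's/\./\\./g')
    grep -Eq "^nat on [^ ]+ .*from $esc(/[0-9]+)? to " "$rules"
}

# audit_jail JAILROOT ADDR RULESFILE
# One summary line per jail: resolv=ok|bad(N) and nat=natted|NO-NAT.
audit_jail() {
    if check_jail_resolv "$1" >/dev/null 2>&1; then r=ok; else r="bad($?)"; fi
    if nat_covers "$3" "$2"; then n=natted; else n=NO-NAT; fi
    echo "$1 $2 resolv=$r nat=$n"
}

# sample_nat_rules
# The translation rules posted in the thread, reproduced so the checks can be
# exercised without a pf host. On a real host: pfctl -s nat > /tmp/nat.txt
sample_nat_rules() {
    cat <<'EOF'
nat on em0 inet from 127.0.1.1 to any -> (em0) round-robin
nat on em0 inet from 127.0.1.2 to any -> (em0) round-robin
nat on em0 inet from 127.0.1.3 to any -> (em0) round-robin
nat on em0 inet from 127.0.1.4 to any -> (em0) round-robin
nat on em0 inet from 127.0.1.5 to any -> (em0) round-robin
rdr pass on em0 inet proto tcp from any to any port = http -> 127.0.1.1 port 80
rdr pass on em0 inet proto tcp from any to any port = https -> 127.0.1.1 port 443
rdr pass on em0 inet proto tcp from any to any port = smtp -> 127.0.1.3 port 25
EOF
}
```

On the host, save the rules once with `pfctl -s nat > /tmp/nat.txt`, then run `audit_jail` with each path from `jls path` and that jail's lo1 address. A jail reporting `resolv=bad(1)` is the missing-file case from the first post; `NO-NAT` means the address is outside the five rules and needs a rule or a different alias. Confirm from inside the jail the way the second post did, with `jexec <jid> dig @8.8.8.8 freebsd.org`: the explicit `@server` bypasses resolv.conf, so if that answers while a plain `dig` times out, the file is the fault, not pf.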