Bug #247

Name resolution from within a jail?

Added by qhwt+dfly almost 8 years ago. Updated over 7 years ago.

Status: Closed
Priority: High
Assignee: -
Category: -
Target version: -
Start date:
Due date:
% Done: 0%

Description

Hello.
After upgrading an SMP test box in my office from 1.4 to 1.6, I noticed
a lag in name resolution from within a jail. Actually the machine has
two jails running, and the other jail, which is on the same IP address as
the jail host (but services on that jail are using different ports than
the jail host), doesn't have this problem.

$ jls; ifconfig em0
JID  IP Address      Hostname  Path
  2  192.168.2.18    dell      /home/jail/dell
  1  192.168.2.20    repos     /home/jail/repos
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::209:6bff:fe09:9f58%em0 prefixlen 64 scopeid 0x1
        inet 192.168.2.18 netmask 0xffffff00 broadcast 192.168.2.255
        inet 192.168.2.20 netmask 0xffffffff broadcast 192.168.2.20
        ether 00:09:6b:09:9f:58
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

The jail named `repos' is the one having the name resolution problem.
This machine has been working as a cvsup server/pserver for other
machines on the LAN without changing the configuration for more than a month
(in fact it was working just before the reboot after installing the new
kernel).

I tried netcat (pkgsrc/net/netcat) and confirmed that sending/receiving UDP
packets works in both directions without problems. So apparently neither UDP
nor routing is the source of the problem.

Then I started tcpdump on another machine (192.168.2.175) running named,
and found that DNS queries from a jail on an IP alias are received but
not responded to by that machine:

A DNS query from the jail host (which is responded to by 192.168.2.175)
14:24:50.669966 192.168.2.18.1256 > 192.168.2.175.domain: 8711+ ANY? . (17)
0x0000 4500 002d e17a 0000 4011 1334 c0a8 0212 E..-.z..@..4....
0x0010 c0a8 02af 04e8 0035 0019 5184 2207 0100 .......5..Q."...
0x0020 0001 0000 0000 0000 0000 ff00 0100 ..............

A DNS query from `repos' (not responded to)
14:25:05.099087 192.168.2.20.1257 > 192.168.2.175.domain: 60734+ ANY? . (17)
0x0000 4500 002d e1eb 0000 4011 12c1 c0a8 0214 E..-....@.......
0x0010 c0a8 02af 04e9 0035 0019 8649 ed3e 0100 .......5...I.>..
0x0020 0001 0000 0000 0000 0000 ff00 0100 ..............

Does anyone have any idea why the second query is ignored?

I set up a similar jail on a machine running HEAD (with a different network
driver) and it still reproduced.

Cheers.

History

#1 Updated by joerg almost 8 years ago

On Tue, Jul 18, 2006 at 03:19:38PM +0900, YONETANI Tomokazu wrote:
> Then I started tcpdump on another machine(192.168.2.175) running named,
> and found that DNS queries from a jail on an IP alias are received but
> not responded to by that machine:
>
> A DNS query from the jail host(which is responded to by 192.168.2.175)
> 14:24:50.669966 192.168.2.18.1256 > 192.168.2.175.domain: 8711+ ANY? . (17)
> 0x0000 4500 002d e17a 0000 4011 1334 c0a8 0212 E..-.z..@..4....
> 0x0010 c0a8 02af 04e8 0035 0019 5184 2207 0100 .......5..Q."...
> 0x0020 0001 0000 0000 0000 0000 ff00 0100 ..............
>
> A DNS query from `repos'(not responded to)
> 14:25:05.099087 192.168.2.20.1257 > 192.168.2.175.domain: 60734+ ANY? . (17)
> 0x0000 4500 002d e1eb 0000 4011 12c1 c0a8 0214 E..-....@.......
> 0x0010 c0a8 02af 04e9 0035 0019 8649 ed3e 0100 .......5...I.>..
> 0x0020 0001 0000 0000 0000 0000 ff00 0100 ..............
>
> Does anyone have any idea why the second query is ignored?

Have you verified that the ARP cache of the DNS server contains entries
for both IP addresses? That's what I can think of immediately.

Joerg

#2 Updated by qhwt+dfly almost 8 years ago

On Tue, Jul 18, 2006 at 01:59:48PM +0200, Joerg Sonnenberger wrote:
> On Tue, Jul 18, 2006 at 03:19:38PM +0900, YONETANI Tomokazu wrote:
> > Then I started tcpdump on another machine(192.168.2.175) running named,
> > and found that DNS queries from a jail on an IP alias are received but
> > not responded to by that machine:
> >
> > A DNS query from the jail host(which is responded to by 192.168.2.175)
> > 14:24:50.669966 192.168.2.18.1256 > 192.168.2.175.domain: 8711+ ANY? . (17)
> > 0x0000 4500 002d e17a 0000 4011 1334 c0a8 0212 E..-.z..@..4....
> > 0x0010 c0a8 02af 04e8 0035 0019 5184 2207 0100 .......5..Q."...
> > 0x0020 0001 0000 0000 0000 0000 ff00 0100 ..............
> >
> > A DNS query from `repos'(not responded to)
> > 14:25:05.099087 192.168.2.20.1257 > 192.168.2.175.domain: 60734+ ANY? . (17)
> > 0x0000 4500 002d e1eb 0000 4011 12c1 c0a8 0214 E..-....@.......
> > 0x0010 c0a8 02af 04e9 0035 0019 8649 ed3e 0100 .......5...I.>..
> > 0x0020 0001 0000 0000 0000 0000 ff00 0100 ..............
> >
> > Does anyone have any idea why the second query is ignored?
>
> Have you verified that the ARP cache of the DNS server contains entries
> for both IP addresses? That's what I can think of immediately.

Aha, that was it: the ARP entry for the aliased address is shown
as <incomplete> on the DNS server after sending packets from it.

And you can do this on R1.4 but not on HEAD or R1.6:
$ ping -nc1 -S <alias> <dns server>
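
Added example, not part of the original thread: the script below decodes the two tcpdump captures from the report and verifies their IP and UDP checksums, showing that the unanswered query is well-formed and differs from the answered one only in source address, source port and DNS ID, which is consistent with the fault sitting below IP (the incomplete ARP entry). The function and variable names are illustrative.

```python
import socket
import struct

# Hex words copied from the two tcpdump captures in the report.
HOST_QUERY = ("4500 002d e17a 0000 4011 1334 c0a8 0212 c0a8 02af 04e8 0035 "
              "0019 5184 2207 0100 0001 0000 0000 0000 0000 ff00 0100")
JAIL_QUERY = ("4500 002d e1eb 0000 4011 12c1 c0a8 0214 c0a8 02af 04e9 0035 "
              "0019 8649 ed3e 0100 0001 0000 0000 0000 0000 ff00 0100")


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum; 0xffff means the checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_query(hexdump: str) -> dict:
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    ihl = (raw[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", raw[2:4])[0], raw[9]
    if proto != 17:
        raise ValueError("not UDP")
    pkt = raw[:total_len]  # drop the trailing pad byte shown in the dump
    src, dst = pkt[12:16], pkt[16:20]
    udp = pkt[ihl:]
    sport, dport, udp_len, _ = struct.unpack("!4H", udp[:8])
    dns_id, dns_flags, qdcount = struct.unpack("!3H", udp[8:14])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, udp_len)
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport,
        "dns_id": dns_id, "dns_flags": dns_flags, "qdcount": qdcount,
        "question": udp[20:].hex(),  # root name, QTYPE=ANY, QCLASS=IN
        "ip_csum_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
        "udp_csum_ok": ones_complement_sum(pseudo + udp) == 0xFFFF,
    }


def differing_fields(a: dict, b: dict) -> list:
    return sorted(k for k in a if a[k] != b[k])


if __name__ == "__main__":
    host, jail = parse_query(HOST_QUERY), parse_query(JAIL_QUERY)
    print("fields that differ:", differing_fields(host, jail))
```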

#3 Updated by corecode almost 8 years ago

fixed by me
