DNS in Jail - not reachable from FreeNAS host?

Status
Not open for further replies.

KrisBee

Testing on FREENAS 11.2-BETA3
================================

What's my beginner's error? After creating & configuring a "DNS" jail using "dnsmasq", both forward & reverse lookups seem to be working ok within the jail. But lookups using the jail DNS server on the FreeNAS host fail with a time out "no servers could be reached" error. The "DNS" jail is on IP 192.168.0.93 and is pingable from the FreeNAS host.

Code:
root@freenasVM[~]# nslookup dns.mynet.com 192.168.0.93
;; connection timed out; no servers could be reached


FreeNAS config:

Code:
root@freenasVM[~]# cat /etc/resolv.conf
# Generated by resolvconf
search mynet.com
nameserver 192.168.0.93
nameserver 192.168.0.254
nameserver 8.8.8.8



Jail at 192.168.0.93 config:

Code:
######################################################################
# dnsmasq Settings for dns Jail
######################################################################
# Turn off DHCP
no-dhcp-interface=epair0b

# Only listen on listen-address.
# As configured below, only listen on the local network.
listen-address=127.0.0.1
listen-address=192.168.0.93   # IP of dnsmasq Jail
bind-interfaces
# Never forward simple hostnames (names that do not contain a dot).
domain-needed

# Prevent non-routable private IP addresses from being forwarded.
bogus-priv

# My domain.  Allows lookups using either simple hostnames or
# FQDNs.  For example, either 'laptop' or 'laptop.east.fm'.
domain=mynet.com

# Append the above domain to simple hostnames (i.e., hostnames
# without a period), thereby creating FQDNs.
expand-hosts

# Queries for my domain answered only by dnsmasq, /etc/hosts, or DHCP.
local=/mynet.com/

# Use DNS servers in order shown
strict-order

# Upstream DNS servers
server=8.8.8.8		 # Google
server=208.67.220.220  # OpenDNS
server=8.8.4.4		 # Google

# Location of our hosts file
addn-hosts=/usr/local/etc/hosts


root@dns:~ # cat /etc/resolv.conf
search local
nameserver 192.168.0.93

root@dns:~ # cat /usr/local/etc/hosts
127.0.0.1	  localhost
# FreeNAS host
192.168.0.91 freenasVM.mynet.com freenasVM
#Jails
192.168.0.92 kerberos-KDC.mynet.com kerberos-KDC
192.168.0.93 dns.mynet.com dns
192.168.0.94 test.mynet.com test

root@dns:~ # nslookup freenasVM 
Server:		 127.0.0.1
Address:		127.0.0.1#53

Name:   freenasVM
Address: 192.168.0.91

root@dns:~ # nslookup 192.168.0.91
91.0.168.192.in-addr.arpa	   name = freenasvm.mynet.com.

root@dns:~ # nslookup FreeBSD.org  
Server:		 127.0.0.1
Address:		127.0.0.1#53

Non-authoritative answer:
Name:   FreeBSD.org
Address: 96.47.72.84
Name:   FreeBSD.org
Address: 2610:1c1:1:606c::50:15


My "DNS" jail was created with VNET, but should Berkeley Packet Filter also be used?
Additional jail properties checked: allow.raw_sockets
 

KrisBee

Dru,

This seemed to be a jail/network problem in the virtual environment I was using for testing. Made progress after moving dnsmasq to a VM. It works as expected in a jail on a real machine. It was a prerequisite to running a Heimdal KDC in a separate jail.
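
Added example, not part of the thread: a small Python probe that sends the lookup from the first post over UDP and TCP and reports whether the resolver answered, refused, or timed out, which separates "nothing bound to 192.168.0.93:53" from "queries dropped before they reach the jail". The function names, the query ID and the 3-second timeout are choices made for this example; the address and hostname are the ones shown in the first post.

```python
import socket
import struct

def build_query(name, qid=0x1234, qtype=1):
    """Minimal DNS query with RD set; qtype 1 = A record."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_reply(data, qid=0x1234):
    """Return (rcode, answer_count); raise ValueError if it is not our reply."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:  # ID mismatch or QR bit clear
        raise ValueError("not a response to our query")
    return flags & 0x000F, ancount

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf

def probe(server, name, proto="udp", port=53, timeout=3.0):
    """Classify one query: 'answer', 'rcode=N', 'refused', 'timeout' or 'error: ...'."""
    query = build_query(name)
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, port))  # a connected UDP socket surfaces ICMP port-unreachable
            if proto == "udp":
                s.send(query)
                data = s.recv(4096)
            else:  # DNS over TCP prefixes each message with a 2-byte length
                s.sendall(struct.pack("!H", len(query)) + query)
                data = _recv_exact(s, struct.unpack("!H", _recv_exact(s, 2))[0])
            rcode, ancount = parse_reply(data)
        except socket.timeout:
            return "timeout"   # query or reply dropped on the path, or server silent
        except ConnectionRefusedError:
            return "refused"   # host reachable, nothing listening on that address/port
        except (OSError, ValueError) as exc:
            return f"error: {exc}"
    return "answer" if rcode == 0 and ancount else f"rcode={rcode}"

if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        print(proto, probe("192.168.0.93", "dns.mynet.com", proto))
```

A "timeout" on both protocols while ping succeeds points at the network path between host and jail rather than at the dnsmasq configuration; "refused" on TCP points at dnsmasq not being bound to that address.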
 

itskando

As a rule of thumb, when should Berkeley Packet Filtering be used, particularly in situations where a static IP with VNET is used?
 