Jail /etc/resolv.conf not working as expected (SOLVED)

Dennis Lovelady

I am running Version: FreeNAS-11.3-U5.

In the Jail configuration for my 11-3-RELEASE-P10 jail, under NETWORK and then RESOLVER, I have the option, according to the GUI, to specify "none" in which case the host's /etc/resolv.conf will overlay the jail's own. Alternatively, according to the same GUI, entries can be made here which will be "added to" the resolver configuration file. I have tried both the "none" option, and the specific-setting option. My experience is that these values are being overlooked, and instead the information from the DHCP server is being used. The information from the DHCP server is not what I want for this server (it should use an internal DNS server instead), and so this option is important to me. But it does not seem to be functional.

The attached image, resolver.png, shows both the saved configuration (you can tell since it's greyed-out), as well as the content of /etc/resolv.conf.

Please advise how we can override the DNS provided by the DHCP server.
 

Attachment: resolver.png

unseen

If the jail is getting its IP address set by DHCP and the DHCP server also sets the DNS address, then that's what you will get.

The solution is to set the IP address, default route and DNS server as a static configuration and pin the IP address to the MAC address in your DHCP server so that it does not give the IP address to any other client. Or, assign an IP address which is outside the range that the DHCP server can allocate to clients.
 

Dennis Lovelady

> If the jail is getting its IP address set by DHCP and the DHCP server also sets the DNS address, then that's what you will get.
>
> The solution is to set the IP address, default route and DNS server as a static configuration and pin the IP address to the MAC address in your DHCP server so that it does not give the IP address to any other client. Or, assign an IP address which is outside the range that the DHCP server can allocate to clients.

I have a few problems with this reply. For one, if this is only supposed to work when DHCP is unselected, then one would hope its entry would be disabled when DHCP is specified. Additionally, one would hope there would at least be a mention of this limitation within the GUI. Also, I do not find this limitation mentioned when searching. I do know that DHCP has the option of setting DNS and other things. I also know that most servers have a way of ignoring that DHCP DNS setting. There is no reason that a Jail should have such a limitation.
 

jgreco

Jails are a standard FreeBSD feature.

If you have your DHCP server pass out DNS server addresses, it will stomp on what might have been put there by the GUI. There is no requirement that DHCP responses include DNS servers, so greying out nameserver configuration when DHCP is enabled would break people who are not-in-your-situation, so your suggestion will fail for such users. There is really no way to know what answer a DHCP server might hand out.

Configuring your system so that there are multiple authorities for information is really a PEBCAK issue. UNIX is extremely flexible, and you can hand the information out via DHCP, or you can set it via the GUI, or you can even just hardwire it into the jail's resolv.conf and then set schg on resolv.conf once it is configured the way you'd like -- and these are just the common ways to set it.

What you seem to be expecting is for the GUI to figure all of these possibilities out for you, and guide you into not making a mistake. This isn't really feasible, as there is no way for the GUI to know what the DHCP server is going to hand out, or what other way of managing resolv.conf might be in use.
 

Dennis Lovelady

> What you seem to be expecting is for the GUI to figure all of these possibilities out for you, and guide you into not making a mistake. This isn't really feasible, as there is no way for the GUI to know what the DHCP server is going to hand out, or what other way of managing resolv.conf might be in use.

Thank you for your enlightenment, @jgreco. You are correct, of course.

So in this case, the issue is with the AT&T BGW210 modem, which insists on setting the DNS with each DHCP request (there is no user configuration to override it). This is not my first issue with AT&T and that modem. (For example, it's not allowed to have a 10.*.*.* DHCP network at all behind that modem.) I'm slowly migrating the network to a configuration like INET->BGW-210(192.168.*)->RPi(10.*.*.*)->rest of the network (10.*.*.*) (where RPi will serve as a router for everything); guess I need to step up that process. Eliminating AT&T from the picture is not an option at present (though I am loath to say so).

There are too many servers involved in this business-ish network (some I have complete control over, some demand DHCP) for manual /etc/hosts and so on to make sense. So where I can, I currently point DNS to an internal DNSMASQ RPi system.

I appreciate the explanation, and will drop the issue.
 

jgreco

Yeah, residential broadband CPE devices are generally crap. Sorry. :-/
 

Patrick M. Hausen

@Dennis Lovelady You could see whether creating an entry in /etc/dhclient.conf inside the jail that reads roughly like this:
Code:
interface "epair0b" {
  supersede domain-name-servers 1.2.3.4;
}

does what you would like to achieve. I refer you to the dhclient.conf(5) manpage for details.

HTH,
Patrick
 

Dennis Lovelady

EXCELLENT!! Thank you!!!

> @Dennis Lovelady You could try if creating an entry in /etc/dhclient.conf inside the jail that reads roughly like this:
> Code:
> interface "epair0b" {
>   supersede domain-name-servers 1.2.3.4;
> }
>
> does what you would like to achieve. I refer you to the dhclient.conf(5) manpage for details.
>
> HTH,
> Patrick

Thank you very much, @Patrick M. Hausen.

I have put this into my /etc/dhclient.conf file (comments excluded):
Code:
interface "epair0b" {
    supersede domain-name "lovelady.com";
    prepend domain-name-servers 192.168.1.202;
}


EXCELLENT!!! It did what I want! Thanks so much!

Well, technically there is an anomaly but it's not in my way. I specified supersede for the domain name and it prepended it instead (preserving attlocal.net at the end). I don't mind much, but would love to understand why that might be.
Code:
> cat /etc/resolv.conf
# Generated by resolvconf
search lovelady.com attlocal.net
nameserver 192.168.1.202
nameserver 192.168.1.1
nameserver 2600:1702:1730:5920::1
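
A check for the result shown in the post above, as an added example that is not part of the thread: with `prepend`, the DHCP-supplied resolvers stay in resolv.conf as fallbacks, so lookups can still go to them when the internal server does not answer. The function and sample file names are hypothetical; prepend.conf reproduces the file from the post and internal.conf is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit resolv.conf against the intended resolver.

# write_samples DIR: prepend.conf is the file from the post; internal.conf is constructed.
write_samples() {
    cat > "$1/prepend.conf" <<'EOF'
# Generated by resolvconf
search lovelady.com attlocal.net
nameserver 192.168.1.202
nameserver 192.168.1.1
nameserver 2600:1702:1730:5920::1
EOF
    cat > "$1/internal.conf" <<'EOF'
search lovelady.com
nameserver 192.168.1.202
EOF
}

# first_nameserver FILE: the resolver that is queried first.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# unexpected_nameservers FILE ALLOWED...: list resolvers outside the allowlist.
unexpected_nameservers() {
    file=$1; shift
    allowed=" $* "
    awk '$1 == "nameserver" { print $2 }' "$file" | while read -r ns; do
        case "$allowed" in
            *" $ns "*) ;;
            *) printf '%s\n' "$ns" ;;
        esac
    done
}

# audit_resolv FILE PRIMARY [ALLOWED...]
# 0 = clean, 1 = PRIMARY is not first, 2 = resolvers outside the allowlist remain.
audit_resolv() {
    file=$1; primary=$2; shift
    [ "$(first_nameserver "$file")" = "$primary" ] || return 1
    [ -z "$(unexpected_nameservers "$file" "$@")" ] || return 2
}

tmp=$(mktemp -d)
write_samples "$tmp"
rc=0; audit_resolv "$tmp/prepend.conf" 192.168.1.202 || rc=$?
echo "post's resolv.conf: status $rc, fallbacks outside the allowlist:"
unexpected_nameservers "$tmp/prepend.conf" 192.168.1.202
rm -rf "$tmp"
```

Status 2 on the post's file means the internal server is first but the modem's resolvers are still listed; using `supersede domain-name-servers` instead of `prepend`, as in the earlier suggestion, replaces the DHCP-supplied list rather than adding to it.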
 

Patrick M. Hausen

> Well, technically there is an anomaly but it's not in my way. I specified supersede for the domain name and it prepended it instead (preserving attlocal.net at the end). I don't mind much, but would love to understand why that might be.

Sorry, no clue. I just knew this function exists and pushed you in the right direction. You can try to run dhclient manually in debug mode or ask on e.g. the freebsd-net mailing list, if this is important to you.
 

unseen

This thread is a perfect example of why I love UNIX. There are always five different ways to solve any problem and you learn something new every day even if you've been using UNIX for 20-odd years.
 