# DNSMasq server in jail, DNS works, DHCP doesn't



## Tabs (Aug 13, 2015)

Hi All,

I'm migrating my home systems from CentOS to FreeBSD. So far it's been great fun and successful; I used to work on Solaris a lot, and going back to a UNIX-like OS from Linux has been a very nice experience.

Anyway, I've hit the first barrier and was hoping you kind people could help.

I'm trying to run DNSMasq inside a jail, the current situation is thus:

- I have created the jail and an alias off my bge1 interface
- I have allowed the jail access to raw sockets
- I have allowed the jail access to the bpf device

From my jail I can `ping` my network fine, the internet fine, everything seems dandy.

I start up dnsmasq, making sure to exclude the non-existent loopback interface and bind to my address on interface bge1. It reports no errors (in fact, it doesn't log anything to /var/messages except errors, which doesn't help).

I can use it as a DNS server just fine for local and remote requests, but DHCP is dead.

If I do a `tcpdump` and look for UDP traffic on ports 67 and 68 on the jail I can see the DHCP requests are coming in, but it's like the DHCP server isn't able to respond.

Does anyone have any suggestions for me?

Thanks!


----------



## jem (Aug 13, 2015)

Have you enabled the dhcp-authoritative option in dnsmasq?


----------



## Tabs (Aug 13, 2015)

Hi,

Thanks for the reply.

Yes - already set that, it's authoritative and definitely the only DHCP server on the network.

Here's my configuration for dnsmasq:

```
domain-needed
dhcp-authoritative
bogus-priv
domain=core.net
expand-hosts
local=/core.net/
interface=bge1
listen-address=192.168.0.105
bind-interfaces
no-resolv
dhcp-range=lan,192.168.0.2,192.168.0.99
dhcp-option=lan,1,255.255.255.0
dhcp-option=lan,3,192.168.0.1
dhcp-option=lon,6,192.168.0.105,192.168.0.106
dhcp-option=lan,28,192.168.0.255
server=8.8.8.8
server=8.8.4.4
log-queries
log-dhcp
```
With `tcpdump` I can see devices trying to get a DHCP lease (like my Airport Express!):

```
14:00:02.381257 28:37:37:4c:7e:b8 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 349: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 335)
0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 28:37:37:4c:7e:b8 (oui Unknown), length 307, xid 0x3c20a163, secs 23, Flags [none] (0x0000)
Client-Ethernet-Address 28:37:37:4c:7e:b8 (oui Unknown)
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Lease-Time Option 51, length 4: 86400
Requested-IP Option 50, length 4: 192.168.0.6
Hostname Option 12, length 27: "airport-express-living-room"
Parameter-Request Option 55, length 7:
Subnet-Mask, Time-Zone, Default-Gateway, Domain-Name
Domain-Name-Server, Hostname, Netbios-Name-Server
MSZ Option 57, length 2: 1500
Client-ID Option 61, length 7: ether 28:37:37:4c:7e:b8
```
Output of `ifconfig`:

```
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
ether ac:87:a3:38:a7:66
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
ether 3c:07:54:03:57:f0
inet 192.168.0.105 netmask 0xffffff00 broadcast 192.168.0.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
```

One thing I have just noticed is that despite setting my timezone correctly, my *BSD systems all seem to be an hour behind. It seems like a long shot, but I wonder if that could have anything to do with it?

I'll try and fix it and find out.


----------
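
A check that can be run over a configuration like the one posted above, added here as an example and not part of the thread: dnsmasq reads a bare label before the addresses in `dhcp-range` as the tag that range sets, and a bare label before the option number in `dhcp-option` as the tag that option requires. The function `unset_dhcp_tags` is a hypothetical helper and assumes tags are set only by `dhcp-range` lines (it ignores `dhcp-host`, interface-name and other tag sources).

```shell
#!/bin/sh
# Added example (not from the thread): report dhcp-option tags that no
# dhcp-range line sets. Assumption: tags are set only by dhcp-range.

# DHCP lines copied from the configuration posted above.
sample_conf() {
    cat <<'EOF'
dhcp-range=lan,192.168.0.2,192.168.0.99
dhcp-option=lan,1,255.255.255.0
dhcp-option=lan,3,192.168.0.1
dhcp-option=lon,6,192.168.0.105,192.168.0.106
dhcp-option=lan,28,192.168.0.255
EOF
}

# Reads dnsmasq config from the named files (or stdin) and prints
# "<tag>: <line numbers>" for every tag that is required but never set.
unset_dhcp_tags() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*dhcp-range[ \t]*=/ {
        sub(/^[^=]*=/, ""); n = split($0, f, ",")
        for (i = 1; i <= n; i++) {
            v = trim(f[i])
            if (v ~ /^tag:/) continue                 # tag: filters, sets nothing
            if (v ~ /^(set|net):/) { sub(/^[a-z]+:/, "", v); have[v] = 1; continue }
            if (v == "" || v ~ /^[0-9a-fA-F.:]+$/) break   # first address reached
            have[v] = 1                               # bare legacy label
        }
        next
    }
    /^[ \t]*dhcp-option[ \t]*=/ {
        sub(/^[^=]*=/, ""); n = split($0, f, ",")
        for (i = 1; i <= n; i++) {
            v = trim(f[i])
            # Tags end at the option number or an option/vendor/encap selector.
            if (v == "" || v ~ /^[0-9]+$/) break
            if (v ~ /^(option6?|vendor|encap|vi-encap):/) break
            sub(/^(tag|net):/, "", v)
            used[v] = used[v] " " NR
        }
    }
    END { for (t in used) if (!(t in have)) print t ":" used[t] }
    ' "$@" | sort
}

sample_conf | unset_dhcp_tags
```
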



## jem (Aug 13, 2015)

A quick google suggests that "DHCP is a time sensitive protocol and clock skew can cause problems" so that might be your problem.


----------



## Tabs (Aug 13, 2015)

Thanks - I'm going to look into it when I get home. I had a quick look earlier and ran tzsetup(8) again; it's set to Europe > United Kingdom, but I see no way of setting daylight saving time. It seems like such a trivial thing, but I can't work out how to do it in FreeBSD.


----------



## Tabs (Aug 13, 2015)

Tried tzsetup(8) and copying /usr/share/zoneinfo/Europe/London to /etc/localtime to no avail.

Tried doing it the old-fashioned way with the date command as root in my jail and got "date: settimeofday (timeval): Operation not permitted".

Must be missing something obvious..


----------



## kpa (Aug 13, 2015)

You can't set the date and time in a jail; that is forbidden for jails for quite obvious security reasons. Do it in the host system after making sure you've set the right timezone and you've set the hw clock to be in UTC in the tzsetup(8) dialog. For example:

`# ntpdate -u pool.ntp.org`


----------



## storvi_net (Aug 13, 2015)

I tried to find a solution for several days and I gave up.

I had exactly the same problem - DNS works just fine while DHCP does not.
I ended up using the host for DHCP and the jail for DNS.

Regards
Markus

But: If you find a solution I will try it.


----------



## kpa (Aug 13, 2015)

There's probably something about jails that interferes with the UDP broadcasts that DHCP uses. What it is, I don't know.


----------



## storvi_net (Aug 13, 2015)

I sniffed everything and from the network side it should have worked. 
But: The response never left the jail...


----------



## Tabs (Aug 13, 2015)

Sad to report the same situation as storvi_net.

Time looks good now, can see all my DHCP devices polling it. Nothing leaves the jail though.


----------



## Tabs (Aug 13, 2015)

`netstat -s -p udp` seems to confirm this:

```
611689 datagrams received
606907 broadcast/multicast datagrams undelivered
```


----------
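
The counters in `netstat -s -p udp` are cumulative since boot and count every UDP broadcast on the segment, so a single reading does not show what is happening now. The following added example (not part of the thread) differences two snapshots; the first sample is the output posted above, the second is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): difference two `netstat -s -p udp`
# snapshots, because the counters are cumulative since boot.

BEFORE='611689 datagrams received
606907 broadcast/multicast datagrams undelivered'   # from the post above
AFTER='611809 datagrams received
607003 broadcast/multicast datagrams undelivered'   # constructed second reading

# Print the count on the first line of text $1 whose label matches
# regex $2, or 0 if no line matches.
udp_counter() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        $0 ~ pat { print $1; found = 1; exit }
        END      { if (!found) print 0 }'
}

# bcast_drop_delta <earlier snapshot> <later snapshot>
# Prints "<received delta> <undelivered delta> <undelivered percent>".
bcast_drop_delta() {
    rx_pat='datagrams received$'
    un_pat='broadcast/multicast datagrams undelivered$'
    rx=$(( $(udp_counter "$2" "$rx_pat") - $(udp_counter "$1" "$rx_pat") ))
    un=$(( $(udp_counter "$2" "$un_pat") - $(udp_counter "$1" "$un_pat") ))
    if [ "$rx" -le 0 ]; then
        # No new traffic, or the counters were reset between snapshots.
        echo "$rx $un 0"
        return 0
    fi
    echo "$rx $un $(( un * 100 / rx ))"
}

# On a live system, take the snapshots a minute apart instead:
#   s1=$(netstat -s -p udp); sleep 60; s2=$(netstat -s -p udp)
#   bcast_drop_delta "$s1" "$s2"
bcast_drop_delta "$BEFORE" "$AFTER"
```
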



## wblock@ (Aug 14, 2015)

I have DNS and DHCP in a jail. But I use BIND and isc-dhcp. The setup is the same as that in the Handbook: https://www.freebsd.org/doc/en_US.I...k/jails-ezjail.html#jails-ezjail-example-bind.


----------



## Tabs (Aug 14, 2015)

Hmmm I tried adding in a loopback interface and recreating the jail, the loopback works fine but now my normal interface is shot and I get:

```
PING 192.168.0.1 (192.168.0.1): 56 data bytes
ping: sendto: Can't assign requested address
```


----------



## Tabs (Aug 14, 2015)

Just an update for anyone who stumbles across this on Google. Don't waste your time with dnsmasq - bind and isc-dhcp work just fine in jails.

kpa has a good post on using isc-dhcpd to update bind as well: https://forums.freebsd.org/threads/dynamic-dns-with-bind-and-isc-dhcp-server.33849/


----------



## wblock@ (Aug 15, 2015)

I'm sure dns/dnsmasq can be made to work. Does this help any?


----------



## Tabs (Aug 20, 2015)

Quick update. Stating the obvious really, but the same jail is now working great with VIMAGE.

It would be good to get it working without needing it though, I'm sure someone smarter than me can figure it out.


----------

