# Can jail hostnames clash with DNS CNAME records?



## fonz (Apr 28, 2013)

_Short version:_

Can a jail be given a hostname equal to a DNS CNAME entry pointing to the host?

_Long version:_

Imagine you have a machine (say somehost.example.net) that provides one or more services to the outside world (just for kicks, let's say NTP and Gopher) and that you therefore have the following entries in the DNS records for your domain:

```
ntp IN CNAME somehost
gopher IN CNAME somehost
```
Now, if you wish to run these services in jails (with IPv4 addresses in the 192.168.0.0/16 range and the host running a firewall to connect the jails to the outside world), can the jails be given the hostnames ntp.example.net and gopher.example.net, or will that cause conflicts with the CNAME records in your DNS, which after all point to somehost.example.net?


----------



## Savagedlight (Apr 29, 2013)

The external world needs to know the public IP of these machines, while your jail host should know the private IPs of these. I think it'll be cleaner to assign something like ntp.jail.example.net as the jail hostname, as this will make a clear distinction between the two.


----------



## fonz (Apr 29, 2013)

Savagedlight said:

> I think it'll be cleaner to assign something like ntp.jail.example.net as the jail hostname, as this will make a clear distinction between the two.


That's what I currently do. I was just wondering whether the above was possible, but I'm not near a machine where I can test it, which is why I'm asking.


----------



## kpa (Apr 29, 2013)

You always have to think about how the outside world sees the DNS names and how the host system and jail(s) see them internally. It's very much the same question if you have client machines behind a NAT point with private RFC1918 addresses and you want to use publicly visible DNS names for those client machines all around. On the outside everything should resolve to the external address of the NAT point, but internally the DNS resolution should give local addresses. In BIND, for example, this "split DNS" is done with the "view" feature.

http://www.zytrax.com/books/dns/ch7/view.html
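The split-DNS setup described above, as an added example that is not part of this thread or of any poster's configuration. It assumes BIND 9, a public host address of 203.0.113.10 (documentation range), a jail network of 192.168.10.0/24 with the host at .1, the NTP jail at .2 and the Gopher jail at .3, and the zone-file paths shown; all of these are placeholders. The external view keeps the CNAMEs from the original question, while the internal view gives the jail hostnames their own A records so that the host and the jails resolve ntp.example.net to the jail rather than to the host.

```conf
// named.conf excerpt (added example; all addresses and paths are assumptions)
acl "internal" { 127.0.0.0/8; 192.168.10.0/24; };

// Clients on the host/jail network get the internal zone data
view "internal" {
    match-clients { "internal"; };
    recursion yes;
    zone "example.net" {
        type master;
        file "/usr/local/etc/namedb/master/example.net.internal";
    };
};

// Everybody else gets the public zone data; no recursion, so the
// server cannot be used as an open resolver from the outside
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.net" {
        type master;
        file "/usr/local/etc/namedb/master/example.net.external";
    };
};

// ---- example.net.external (what the outside world sees) ----
// $TTL 3600
// @        IN SOA   ns1.example.net. hostmaster.example.net. ( 2013060901 3600 900 1209600 3600 )
//          IN NS    ns1.example.net.
// ns1      IN A     203.0.113.10
// somehost IN A     203.0.113.10
// ntp      IN CNAME somehost        ; same CNAMEs as in the question
// gopher   IN CNAME somehost

// ---- example.net.internal (what the host and the jails see) ----
// $TTL 3600
// @        IN SOA   ns1.example.net. hostmaster.example.net. ( 2013060901 3600 900 1209600 3600 )
//          IN NS    ns1.example.net.
// ns1      IN A     192.168.10.1
// somehost IN A     192.168.10.1
// ntp      IN A     192.168.10.2    ; jail with host.hostname="ntp.example.net"
// gopher   IN A     192.168.10.3    ; jail with host.hostname="gopher.example.net"
```

The two zone files are shown inside comments only so that the whole example fits in one block; in practice they are separate files at the paths named in the `file` statements. With this arrangement the jail hostname and the public CNAME share a name without conflicting, because the name is answered differently depending on who asks. The caveat SirDice raises still applies to the external view: outside clients reach the host's public address, so the host firewall must forward the NTP and Gopher ports to the right jail, and anything not forwarded ends up at the host itself.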


----------



## fbsd1 (Jun 9, 2013)

The jail name has nothing to do with the host DNS environment. It's just a human-readable handle used internally by the jail. So yes, you can use the same name in both the DNS CNAME record and the jail name.


----------



## fonz (Jun 9, 2013)

fbsd1 said:

> The jail name has nothing to do with the host DNS environment. It's just a human readable handle used internally by the jail.


Mind you: I did say jail *host*name, which is not the same as the jail name.


----------



## SirDice (Jun 10, 2013)

It shouldn't cause any problems but be aware that other hosts will resolve the name to the IP address of the host. Other hosts may inadvertently connect to the host instead of the jail. This may not be what you expected.


----------



## fonz (Jun 10, 2013)

SirDice said:

> be aware that other hosts will resolve the name to the IP address of the host. Other hosts may inadvertently connect to the host instead of the jail. This may not be what you expected.


In this particular case it actually _is_ what I'd expect: the jails are service jails and the host runs a NAT. So the outside world connects to the host and gets forwarded to a jail that for all intents and purposes appears to be a separate machine.


----------

