# DNS problem ezjail



## benben962 (Apr 17, 2015)

Hi all,

I've been trying to set up a jail with ezjail for 4 days now and I don't understand why I'm unable to connect to the internet with it.

First, I ran `ezjail-admin update -i -p`. Then I ran `ezjail-admin create Prison1 'lo1|127.0.1.1,ale0|192.168.1.38'`, started it with `ezjail-admin start Prison1` and used `cp /etc/resolv.conf /media/Prisons/Prison1/etc`. (If you read this thread after my editing, here is where I made a typo by forgetting /etc at the end.)

Since I wanted more space for my prisons, I used another disk and changed my jails' root directory from /usr/jails to /media/Prisons (the mountpoint of my secondary disk).

Finally, when I use `jexec 1 dig freebsd.org` it doesn't find the command `dig`, so I activated raw sockets and tried using ping:

```
jexec 1 ping freebsd.org
ping: cannot resolve freebsd.org: Host name lookup failure
```

Tried it with several sites... Same result. I don't understand what could be wrong... Can anyone help? Thank you


----------



## Juanitou (Apr 17, 2015)

benben962 said:


> Finally, when I use `jexec 1 dig freebsd.org` it doesn't find the command `dig` so I activated raw sockets and tried using ping :


Just a side note: dig(1) is no longer in FreeBSD 10, use drill(1).


----------



## benben962 (Apr 17, 2015)

Thank you for the info. Didn't work either ^^'


----------



## SirDice (Apr 17, 2015)

Check if /etc/resolv.conf is correct in the jail and check if the jail can actually communicate with the DNS servers.


----------



## benben962 (Apr 17, 2015)

I checked the resolv.conf and it's the exact same as the host's but the jail can't communicate with the DNS server (drill(1) confirmed what ping(1) told me).


----------



## SirDice (Apr 17, 2015)

benben962 said:


> I checked the resolv.conf and it's the exact same as the host's but the jail can't communicate with the DNS server (drill(1) confirmed what ping(1) told me).


Try pinging the IP addresses of the DNS servers. That should at least work. If you cannot ping the IP address of a DNS server name resolving won't work.


----------



## benben962 (Apr 20, 2015)

Sooooo... I tried drilling my DNS server:

```
jexec 1 drill 192.168.0.254
Error: error sending query: No (valid) nameservers defined in the resolver
```

I tried deactivating my firewall... But drilling after the reboot didn't work either, same error message.


----------



## gkontos (Apr 20, 2015)

Try to verify IP connectivity from within the jail.

`#ping <Host main IP>`
`#ping <Gateway IP>`
`#ping 8.8.8.8`

Report back with the results


----------



## SirDice (Apr 20, 2015)

benben962 said:


> Sooooo... I tried drilling my DNS server :
> 
> 
> 
> ...


The error says that you don't have a valid DNS server defined in /etc/resolv.conf. Either you have the wrong IP addresses or your jail is unable to connect to them.


----------



## kpa (Apr 20, 2015)

benben962 said:


> Sooooo... I tried drilling my DNS server :
> 
> 
> 
> ...



Post your network configuration when the jail is started, outputs of `ifconfig` and `netstat -nr` (from the host, not from the jail).


----------



## benben962 (Apr 21, 2015)

gkontos said:


> Try to verify IP connectivity from within the jail.
> 
> `#ping <Host main IP>` ###Didn't understand these two lines
> `#ping <Gateway IP>` ### Same here
> ...




```
# ping 8.8.8.8
 
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=55 time=30.487 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=55 time=30.773 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=55 time=30.969 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=55 time=31.395 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=55 time=30.893 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=55 time=31.810 ms
```

I did ping with my host machine, I don't know if that's what you meant or if you meant to do it with my jail.



SirDice said:


> The error says that you don't have a valid DNS server defined in /etc/resolv.conf. Either you have the wrong IP addresses or your jail is unable to connect to them.



I checked on my box and it's the right IP so I think my jail is unable to connect to it... I don't know how to enable it...



kpa said:


> Post your network configuration when the jail is started, outputs of `ifconfig` and `netstat -nr` (from the host, not from the jail).




```
ifconfig
ale0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=c319a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MCAST,WOL_MAGIC,VLAN_HWTSO,LINKSTATE>
   ether 00:26:18:63:34:2d
   inet6 fe80::226:18ff:fe63:342d%ale0 prefixlen 64 scopeid 0x1
   inet 10.1.1.2 netmask 0xffffffff broadcast 10.1.1.2
   inet6 2a01:e34:eecf:d50:226:18ff:fe63:342d prefixlen 64 autoconf
   inet 192.168.0.44 netmask 0xffffff00 broadcast 192.168.0.255
   inet 192.168.0.38 netmask 0xffffffff broadcast 192.168.0.38
   nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
   inet 127.0.0.1 netmask 0xff000000
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
   inet 127.0.1.1 netmask 0xffffffff
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
```


```
netstat -nr
Routing tables

Internet:
Destination  Gateway  Flags  Netif Expire
default  192.168.0.254  UGS  ale0
10.1.1.2  link#1  UHS  lo0
10.1.1.2/32  link#1  U  ale0
127.0.0.1  link#2  UH  lo0
127.0.1.1  link#3  UH  lo1
192.168.0.0/24  link#1  U  ale0
192.168.0.38  link#1  UHS  lo0
192.168.0.38/32  link#1  U  ale0
192.168.0.44  link#1  UHS  lo0

Internet6:
Destination  Gateway  Flags  Netif Expire
::/96  ::1  UGRS  lo0
default  fe80::f6ca:e5ff:fe56:5b01%ale0 UG  ale0
::1  link#2  UH  lo0
::ffff:0.0.0.0/96  ::1  UGRS  lo0
2a01:e34:eecf:d50::/64  link#1  U  ale0
2a01:e34:eecf:d50:226:18ff:fe63:342d link#1  UHS  lo0
fe80::/10  ::1  UGRS  lo0
fe80::%ale0/64  link#1  U  ale0
fe80::226:18ff:fe63:342d%ale0  link#1  UHS  lo0
fe80::%lo0/64  link#2  U  lo0
fe80::1%lo0  link#2  UHS  lo0
ff01::%ale0/32  fe80::226:18ff:fe63:342d%ale0 U  ale0
ff01::%lo0/32  ::1  U  lo0
ff02::/16  ::1  UGRS  lo0
ff02::%ale0/32  fe80::226:18ff:fe63:342d%ale0 U  ale0
ff02::%lo0/32  ::1
```


----------



## gkontos (Apr 21, 2015)

benben962 said:


> ```
> # ping 8.8.8.8
> 
> PING 8.8.8.8 (8.8.8.8): 56 data bytes
> ...



Next step:

`drill @8.8.8.8 www.google.com`

If that returns an answer then there is either something wrong in your resolv.conf or the declared DNS servers refuse to answer on non-authoritative replies.


----------



## hukadan (Apr 21, 2015)

benben962 said:


> and used `cp /etc/resolv.conf /media/Prisons/Prison1`


I would expect something like `cp /etc/resolv.conf /media/Prisons/Prison1/etc/` instead. After doing what gkontos asked, could you just log in the jail with `ezjail-admin console Prison1` and once in the jail `cat /etc/resolv.conf`.


----------



## kpa (Apr 21, 2015)

Is the lo1 interface actually needed? You already have the alias IP on ale0 and that should be enough for communications. Jails usually don't have or need a lo(4) interface.


----------



## benben962 (Apr 21, 2015)

gkontos said:


> Next step:
> 
> `drill @8.8.8.8 www.google.com`
> 
> If that returns an answer then there is either something wrong in your resolv.conf or the declared DNS servers refuse to answer on non-authoritative replies.




```
# drill @8.8.8.8 www.google.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 40212
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.google.com.   IN   A

;; ANSWER SECTION:
www.google.com.   154   IN   A   216.58.211.68

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 37 msec
;; SERVER: 8.8.8.8
;; WHEN: Tue Apr 21 19:04:13 2015
;; MSG SIZE  rcvd: 48
```



hukadan said:


> I would expect something like `cp /etc/resolv.conf /media/Prisons/Prison1/etc/` instead. After doing what gkontos asked, could you just log in the jail with `ezjail-admin console Prison1` and once in the jail `cat /etc/resolv.conf`.



I forgot to put /etc in my previous post but I did copy to Prison1/etc (^_^')

However:

```
# cat /etc/resolv.conf

# Generated by resolvconf
nameserver 192.168.0.254
nameserver 2a01:e00::2
nameserver 2a01:e00::1
```



kpa said:


> Is the lo1 interface actually needed? You already have the alias IP on ale0 and should be enough for communications. Jails usually don't have or need a lo(4) interface.



I didn't know... I'm going to delete it then


----------
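
Added example, not part of any post in this thread: the checks suggested above (read the jail's resolv.conf, then query each listed server directly, as in `drill @8.8.8.8 www.google.com`) combined into one POSIX shell script. The function names and the `dnscheck.sh` file name are hypothetical; the probe is passed in as a parameter so the logic can be exercised without network access.

```shell
#!/bin/sh
# Added example: per-nameserver DNS check to run inside a jail.
# Function names are hypothetical, not part of ezjail or drill.

# Print the address of every "nameserver" line, skipping comments and blanks.
nameservers_of() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# Default probe: ask one server for one name. drill takes the server as @addr.
# Exit status 0 means the query got an answer.
probe_drill() {
    drill "@$1" "$2" >/dev/null 2>&1
}

# Check every nameserver listed in a resolv.conf.
#   $1 = path to resolv.conf, $2 = name to resolve, $3 = probe function (optional)
# Prints one "<addr> answers" or "<addr> no-answer" line per server.
# Returns 0 if any server answered, 1 if none did, 2 if the file lists none.
check_resolvers() {
    conf=$1 name=$2 probe=${3:-probe_drill}
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    servers=$(nameservers_of "$conf")
    [ -n "$servers" ] || { echo "no nameserver lines in $conf"; return 2; }
    rc=1
    for ns in $servers; do
        if "$probe" "$ns" "$name"; then
            echo "$ns answers"; rc=0
        else
            echo "$ns no-answer"
        fi
    done
    return $rc
}

# Inside the jail (dnscheck.sh is a hypothetical file name):
#   sh dnscheck.sh /etc/resolv.conf freebsd.org
if [ "$#" -ge 2 ]; then
    check_resolvers "$1" "$2"
fi
```

A return of 2 points at the file itself, while 1 means the servers are listed but none answered from where the script ran.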



## benben962 (May 7, 2015)

So... No one knows? Too bad... Then I guess I will do what I have to do on the host...


----------

