I am running a recursive DNS server on Unbound in a jail on FreeBSD with pf as a firewall. Running drill @xxx.xxx.xxx.xxx example.com (where xxx.xxx.xxx.xxx is the server's IP) on my local machine yields a successful lookup.

However, if I try the same on the server itself, both in the jail and host...

# drill @localhost example.com
Error: error sending query: Could not send or receive, because of network error
# drill @xxx.xxx.xxx.xxx example.com
Error: error sending query: Could not send or receive, because of network error
# drill @127.0.0.1 example.com
Error: error sending query: Could not send or receive, because of network error
# drill @10.0.0.1 example.com
Error: error sending query: Could not send or receive, because of network error

I have pass quick on lo0 all in my pf.conf

Here's my relevant ifconfig:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 10.0.0.1 netmask 0xffffff00
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

The DNS jail is running under 10.0.0.1

A couple of thoughts from my side: Unbound is quite surely configured right. The interface is already 0.0.0.0 and I have access-control rules for 10.0.0.0/16 and 127.0.0.0/8 (and my local machine's IP, of course). Additionally, trying to drill would yield a simple "refused" if anything there was faulty. So I think it has something to do with pf? I'm probably missing something small and obvious, but I can't figure out what.

What I'd like to achieve would be a successful # drill @localhost example.com on the server, so I can replace my resolv.conf nameservers with 127.0.0.1.

Edit: I've done some testing with netcat. Running # nc -4 -vv localhost 53 gives me a timeout. Using UDP as the protocol with # nc -4 -w 10 -vv -u localhost 53, however, does not. Running # pfctl -vnf /etc/pf.conf, here are the two redirects to the jail:

rdr pass on vtnet0 inet proto udp from any to any port = domain -> 10.0.0.1 port 53
rdr pass on vtnet0 inet proto tcp from any to any port = domain -> 10.0.0.1 port 53

1 Answer

After some more testing of the pf rules, I briefly let all traffic pass and realized the mistake was that while I had pass quick on lo0 all in the pf.conf, the jail is running under lo1.

I added pass quick on lo1 all and it works now.

Also note that from within a jail, you should query the jail IP instead of localhost. So, in the jail's resolv.conf:

nameserver 10.0.0.1
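The mistake above (a pass rule for lo0 but none for the cloned loopback lo1 the jail lives on) is easy to repeat whenever another lo(4) clone is added. The script below is an added example, not code from the question or the answer: it takes ifconfig output and a pf rule set as text, lists every interface whose flags include LOOPBACK, and reports those that no "pass ... on <if>" rule mentions. The ifconfig and pf.conf samples embedded in it are constructed from the question (the vtnet0 address 203.0.113.10 is made up); the "before" rule set reproduces the original pf.conf, the "after" rule set adds the fix from the answer.

```shell
#!/bin/sh
# Constructed sample input modelled on the question: lo0, the jail's lo1,
# and the outside interface vtnet0 (its address is an assumption).
IFCONFIG_SAMPLE='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 127.0.0.1 netmask 0xff000000
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 10.0.0.1 netmask 0xffffff00
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255'

# The rule set as it was before the fix: only lo0 is passed.
PF_BEFORE='pass quick on lo0 all
rdr pass on vtnet0 inet proto udp from any to any port domain -> 10.0.0.1 port 53
rdr pass on vtnet0 inet proto tcp from any to any port domain -> 10.0.0.1 port 53'

# The same rule set with the line the answer adds.
PF_AFTER="$PF_BEFORE
pass quick on lo1 all"

# Print the name of every interface whose ifconfig flags include LOOPBACK,
# one per line. Only the "name: flags=..." header lines are inspected.
loopback_ifs() {
    printf '%s\n' "$1" | awk '/^[a-z0-9]+: flags=.*LOOPBACK/ { sub(":", "", $1); print $1 }'
}

# Print every interface named after "on" in a rule that starts with "pass".
# rdr/nat lines are skipped on purpose: "rdr pass on vtnet0" does not pass
# traffic arriving on a loopback interface.
pf_pass_ifs() {
    printf '%s\n' "$1" | awk '$1 == "pass" { for (i = 1; i < NF; i++) if ($i == "on") print $(i+1) }'
}

# Print each loopback interface that has no pass rule. Empty output means
# every loopback interface is covered.
missing_pass() {
    ifcfg=$1
    pfconf=$2
    for ifn in $(loopback_ifs "$ifcfg"); do
        pf_pass_ifs "$pfconf" | grep -qx "$ifn" || echo "$ifn"
    done
}

# On a live FreeBSD host you would call it with the real data, for example
# missing_pass "$(ifconfig)" "$(pfctl -sr)" (not run here).
```

The parser is deliberately literal: it only recognises a bare interface name after "on", so rules written with a macro ($int_if) or an interface list ({ lo0 lo1 }) have to be expanded first, which is why feeding it the loaded rules from pfctl -sr rather than the raw pf.conf is the safer choice.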