Domain lookup issue from within network namespace

2

2

I need to bind one program to the wlan1 interface; all other programs should use wlan0 by default.

For this reason I configured a dedicated network namespace:

ip netns add wlan1_ns
ip link add vwlan1a type veth peer name vwlan1b
ip link set vwlan1a netns wlan1_ns
ip addr add 10.200.1.1/24 dev vwlan1b
ip link set vwlan1b up
ip netns exec wlan1_ns ip addr add 10.200.1.2/24 dev vwlan1a
ip netns exec wlan1_ns ip link set vwlan1a up
ip netns exec wlan1_ns ip link set lo up
ip netns exec wlan1_ns ip route add default via 10.200.1.1
iptables -t nat -A POSTROUTING -s 10.200.1.0/255.255.255.0 -o wlan1 -j MASQUERADE
iptables -A FORWARD -i wlan1 -o vwlan1b -j ACCEPT
iptables -A FORWARD -o wlan1 -i vwlan1b -j ACCEPT

After doing this I expect domain name resolution to work in my new namespace, but apparently it does not. Why?

$ sudo ip netns exec wlan1_ns ping -v google.com
ping: socket: Permission denied, attempting raw socket...
ping: socket: Permission denied, attempting raw socket...
ping: google.com: Temporary failure in name resolution

... while in the root namespace host resolution works fine (wlan1 is not connected to the Internet, hence the packet loss, but do not worry about that):

# ping google.com
PING google.com (216.58.212.238) 56(84) bytes of data.
^C
--- google.com ping statistics ---
122 packets transmitted, 0 received, 100% packet loss, time 125718ms

When I use ping/curl with an IP address instead of a domain name, the requests go out correctly. I have run out of ideas why resolution does not work. I am doing this on a Raspberry Pi 3, Raspbian, kernel 4.9. Please find below what I have already investigated.

nsswitch.conf file:

$ cat /etc/nsswitch.conf | grep host
hosts:          files mdns4_minimal [NOTFOUND=return] dns

resolvconf responses for root namespace:

$ resolvconf -l
# resolv.conf from lo.dnsmasq
nameserver 127.0.0.1

# resolv.conf from wlan1
# resolv.conf for wlan1
domain coova.org
nameserver <<ANONYMIZED DNS IP>>
nameserver <<ANONYMIZED DNS IP>>

resolvconf in my namespace:

$ ip netns exec wlan1_ns resolvconf -l
# resolv.conf from lo.dnsmasq
nameserver 127.0.0.1

# resolv.conf from wlan1
# resolv.conf for wlan1
domain coova.org
nameserver <<ANONYMIZED DNS IP>>
nameserver <<ANONYMIZED DNS IP>>

iptables in the root namespace:

$ sudo iptables -v --list
Chain INPUT (policy ACCEPT 641 packets, 63289 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 171 packets, 90385 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  wlan1  vwlan1b  anywhere             anywhere
   32  1816 ACCEPT     all  --  vwlan1b wlan1   anywhere             anywhere

Chain OUTPUT (policy ACCEPT 802 packets, 91050 bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables in my namespace:

$ sudo ip netns exec wlan1_ns iptables -v --list
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

EDIT - I tried the solution suggested in the answer below, without result.

Configured resolvconf to point at the reachable dnsmasq IP:

pi@raspberrypi:~ $ sudo sh -c "echo nameserver 172.24.1.1 | resolvconf -a lo.dnsmasq"
Too few arguments.
Too few arguments.
pi@raspberrypi:~ $ resolvconf -l
# resolv.conf from lo.dnsmasq
nameserver 172.24.1.1

# resolv.conf from wlan1
# resolv.conf for wlan1
domain coova.org
nameserver <<ANONYMIZED _IP>>
nameserver <<ANONYMIZED _IP>>

To prove the IP is reachable: dig correctly resolves the domain name:

pi@raspberrypi:~ $ sudo sh -c "ip netns exec wlan1_ns dig +short @172.24.1.1 google.com"
172.217.17.142

... while ping still has problems:

pi@raspberrypi:~ $ sudo sh -c "ip netns exec wlan1_ns ping -v google.com"
ping: socket: Permission denied, attempting raw socket...
ping: socket: Permission denied, attempting raw socket...
ping: google.com: Temporary failure in name resolution

Paweł Gutowski

Posted 2017-09-22T13:18:31.403

Reputation: 51

Thank you @dzida for adding the bounty. The only answer given so far did not solve the issue, even if the suggestion was good, so big thanks for the effort. The bounty is still waiting. – Paweł Gutowski – 2017-09-26T09:22:43.993

The problem with network namespaces is that the C library DNS resolution can't really distinguish between them. If you read man ip-netns, it tells you that there are namespace-specific resolver configurations, but not all applications work with them. So depending on what applications you need to run, you may need an additional mount namespace to have two /etc/resolv.conf for each namespace, which you can configure properly. And of course DNS resolution from the wlan1 namespace must go to a dnsmasq running in wlan0 accessible in wlan1. – dirkt – 2019-05-19T06:53:23.830

Answers

1

A network namespace also isolates the loopback interface, on which you seem to run dnsmasq as your resolver. This is why your namespace fails to resolve domain names. If your namespace is connected to the Internet, you can easily test this by changing the nameserver in resolv.conf to one which you can reach from the namespace, such as Google Public DNS.

To use dnsmasq as your resolver, you need to configure it to listen on an address which can be reached from the namespace and change resolv.conf accordingly.

sebasth

Posted 2017-09-22T13:18:31.403

Reputation: 670

'wlan1' is not connected to the Internet, so I cannot check the connection from the namespace to the public DNS. The IPs listed in 'resolvconf' are reachable from the namespace (ping works). Could you provide more details on the suggested dnsmasq reconfiguration? – Paweł Gutowski – 2017-09-24T19:41:48.957

If you have an alternative nameserver which you can reach from the namespace (test with ping), you could test with it in the same way. – sebasth – 2017-09-24T19:44:31.047

Thanks for your suggestion; I tried it (please have a look at the EDIT of the original post). Unfortunately, the problem still exists. Help still appreciated... – Paweł Gutowski – 2017-09-26T07:28:21.857

-1

Maybe because you create a new network namespace, the new namespace uses the /etc/resolv.conf config.

Your config uses nameserver 127.0.0.1, which cannot be used in the new namespace.

You can create the file

/etc/netns/namespace-name/resolv.conf

, and put a good DNS server in it, like

nameserver 8.8.8.8

Now your namespace uses the right DNS server, which may solve this problem.

See this link.

XY WANG

Posted 2017-09-22T13:18:31.403

Reputation: 1
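The two answers above make the same point from two sides: the namespace has its own isolated loopback interface, so a resolv.conf pointing at 127.0.0.1 can never reach the host's dnsmasq, and the fix is either a per-namespace resolv.conf (which `ip netns exec` bind-mounts from /etc/netns/NAME/resolv.conf over /etc/resolv.conf, as described in man ip-netns) or a dnsmasq that listens on an address the namespace can route to. The script below is an added example, not code from either answer or from the original post. It provides a lint helper that flags loopback nameservers in any resolv.conf, and a root-only helper that writes the per-namespace file and shows what the namespace actually sees. The namespace name wlan1_ns and the veth address 10.200.1.1 come from the question; the helper names, the dnsmasq `listen-address=10.200.1.1` setting mentioned in the comments, and the sample resolv.conf contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or answers).
#
# lint_resolv_conf FILE
#   Prints every nameserver in FILE that is a loopback address (127.0.0.0/8
#   or ::1). Such entries are unreachable from a separate network namespace,
#   because the namespace gets its own, isolated lo interface. Returns 1 if
#   any were found, 0 otherwise. Safe to run as any user.
lint_resolv_conf() {
    file="$1"
    bad=0
    # Only nameserver lines matter; "domain", "search", "options" and
    # comments are ignored.
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$file"); do
        case "$ns" in
            127.*|::1)
                echo "unreachable from a netns: nameserver $ns"
                bad=1
                ;;
        esac
    done
    return "$bad"
}

# write_netns_resolv NS SERVER
#   Creates /etc/netns/NS/resolv.conf pointing at SERVER. `ip netns exec NS`
#   bind-mounts that file over /etc/resolv.conf inside the namespace, so glibc
#   resolution in the namespace uses SERVER instead of the host's 127.0.0.1.
#   SERVER must be reachable from inside NS, e.g. the root-side veth address
#   (10.200.1.1 in the question) with dnsmasq configured with
#   listen-address=10.200.1.1 (assumed dnsmasq setup, not from the post).
#   Needs root; returns 2 otherwise.
write_netns_resolv() {
    ns="$1"
    server="$2"
    if [ "$(id -u)" -ne 0 ]; then
        echo "write_netns_resolv: must run as root" >&2
        return 2
    fi
    mkdir -p "/etc/netns/$ns"
    printf 'nameserver %s\n' "$server" > "/etc/netns/$ns/resolv.conf"
    # Check what the namespace really sees after the bind mount, and that
    # the lint passes on it.
    ip netns exec "$ns" cat /etc/resolv.conf
    ip netns exec "$ns" sh -c "$(command -v cat) /etc/resolv.conf" > "/tmp/netns-$ns-resolv.conf"
    lint_resolv_conf "/tmp/netns-$ns-resolv.conf"
}

# Demo on a constructed copy of the root namespace's resolv.conf from the
# question (nameserver 127.0.0.1). Expected: the lint reports 127.0.0.1.
demo_file=$(mktemp)
printf '# resolv.conf from lo.dnsmasq\nnameserver 127.0.0.1\n' > "$demo_file"
lint_resolv_conf "$demo_file" || echo "fix: run write_netns_resolv wlan1_ns 10.200.1.1 as root"
rm -f "$demo_file"
```

Run the lint against the host's own file with `lint_resolv_conf /etc/resolv.conf`; if it reports 127.0.0.1, programs in any namespace created with `ip netns` will fail exactly as `ping` does in the question until a /etc/netns/wlan1_ns/resolv.conf exists (or dnsmasq is bound to 10.200.1.1 and that address is used instead). Note that `dig @172.24.1.1` succeeding in the question proves reachability but bypasses resolv.conf entirely, which is why it is not a test of what `ping` will do.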