Solved iocage jail IPv6 DNS doesn't work

dch

Developer
I'm new to IPv6 networking and trying to set up jails using sysutils/iocage-devel on FreeBSD 10.2R amd64 in Hetzner, who charge for every extra IPv4 but give you an IPv6/64 free with every root server.

I've got DNS lookups working over UDP from the jail to the host successfully (`drill -u -6 google.com AAAA`), but it fails over TCP - notably `drill -t -6 google.com AAAA` fails, as does ssh, which fails to retrieve DNS records.

However, if I add an external IPv6 resolver such as `2a01:4f8:0:a0a1::add:1010` inside Hetzner's network, then all is good - I can `curl -6 https://www.google.de/ > /dev/null` for example and life is good.

Any idea what I am missing? Configs follow.

Code:
# host config

# /etc/rc.conf abbreviated
local_unbound_enable="YES"
gateway_if="em0"
defaultrouter="144.76.138.193"
ifconfig_em0="inet 144.76.138.208 netmask 255.255.255.224 mtu 1400"
ipv6_activate_all_interfaces="YES"
ipv6_defaultrouter="fe80::1%$gateway_if"
ifconfig_em0_ipv6="inet6 2a01:4f8:200:12cf::2 prefixlen 64"
iocage_enable="YES"


# cat /etc/resolv.conf
search skunkwerks.at
nameserver 127.0.0.1
nameserver ::1
options edns0


# cat /etc/unbound/conf.d/secure.conf
server:
  access-control: 127.0.0.0/8 allow
  access-control: ::1/8 allow
  access-control: 0.0.0.0/0 refuse
  access-control: 127.0.0.0/8 allow

# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1400
  options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
  ether 74:d0:2b:9a:84:d5
  inet 144.76.138.208 netmask 0xffffffe0 broadcast 144.76.138.223
  inet6 fe80::76d0:2bff:fe9a:84d5%em0 prefixlen 64 scopeid 0x1
  inet6 2a01:4f8:200:12cf::2 prefixlen 64
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
  media: Ethernet autoselect (1000baseT <full-duplex>)
  status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
  inet 127.0.0.1 netmask 0xff000000
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

# netstat -nr
Routing tables
Internet:
Destination  Gateway  Flags  Netif Expire
default  144.76.138.193  UGS  em0
127.0.0.1  link#2  UH  lo0
144.76.138.192/27  link#1  U  em0
144.76.138.208  link#1  UHS  lo0
Internet6:
Destination  Gateway  Flags  Netif Expire
::/96  ::1  UGRS  lo0
default  fe80::1%em0  UGS  em0
::1  link#2  UH  lo0
::ffff:0.0.0.0/96  ::1  UGRS  lo0
2a01:4f8:200:12cf::/64  link#1  U  em0
2a01:4f8:200:12cf::2  link#1  UHS  lo0
fe80::/10  ::1  UGRS  lo0
fe80::%em0/64  link#1  U  em0
fe80::76d0:2bff:fe9a:84d5%em0  link#1  UHS  lo0
fe80::%lo0/64  link#2  U  lo0
fe80::1%lo0  link#2  UHS  lo0
ff01::%em0/32  fe80::76d0:2bff:fe9a:84d5%em0 U  em0
ff01::%lo0/32  ::1  U  lo0
ff02::/16  ::1  UGRS  lo0
ff02::%em0/32  fe80::76d0:2bff:fe9a:84d5%em0 U  em0
ff02::%lo0/32  ::1  U  lo0


and iocage setup

Code:
# IOCage

```sh
# disable non-admins from seeing dmesg
sysctl security.bsd.unprivileged_read_msgbuf=0
echo security.bsd.unprivileged_read_msgbuf=0 >> /etc/sysctl.conf
# ensure IPv6 works on jail hard startup
sysctl net.inet6.ip6.dad_count=0
echo net.inet6.ip6.dad_count=0 >> /etc/sysctl.conf
# useful bits
pkg install -y iocage-devel sysrc
sysrc iocage_enable=YES
export RELEASE=10.2-RELEASE
export BASE=base-$RELEASE
iocage fetch release=$RELEASE \
  ftphost=ftp.de.freebsd.org \
  ftpfiles="base.txz doc.txz src.txz"
```

## Template

```sh
iocage set boot=on default
iocage set vnet=off default
iocage set ip4=disable default
iocage set ip4_addr=none default
iocage set defaultrouter6='fe80::1%em0' default
iocage set resolver="nameserver ::1;options edns0" default
echo tmux  > packages.lst
echo sysrc  >> packages.lst
echo pkg  >> packages.lst
echo python27  >> packages.lst
echo rsync  >> packages.lst

iocage create release=$RELEASE pkglist=packages.lst tag=$BASE

iocage chroot $BASE /bin/sh
# customise package repo
mkdir -p -m 0700 /usr/local/etc/pkg/repos/
echo 'FreeBSD: {enabled: yes}' > /usr/local/etc/pkg/repos/freebsd.conf
echo 'skunkwerks: {url: http://pkg.skunkwerks.at/${ABI} }' > /usr/local/etc/pkg/repos/skunkwerks.conf
exit

iocage set notes=$RELEASE-`date -u +%Y%m%d-%H%M` $BASE
iocage set template=yes $BASE

iocage stop rabbit; iocage destroy -f rabbit
iocage clone -b $BASE \
  tag=rabbit \
  hostname=rabbit.skunkwerks.at \
  priority=10 \
  boot=on \
  defaultrouter6='fe80::1%em0' \
  ip4_addr=127.0.0.7 \
  ip6_addr='em0|2a01:4f8:200:12cf:0:0:0:7/64,lo0|::7/8'
iocage start rabbit && iocage console rabbit
```

resulting jail:

Code:
root@116a1ef1-44ed-11e5-a4b3-74d02b9a84d5:~ # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1400
  options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
  ether 74:d0:2b:9a:84:d5
  inet6 2a01:4f8:200:12cf::7 prefixlen 64
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
  media: Ethernet autoselect (1000baseT <full-duplex>)
  status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  inet6 ::7 prefixlen 8
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   
root@116a1ef1-44ed-11e5-a4b3-74d02b9a84d5:~ # netstat -nr
Routing tables

Internet6:
Destination  Gateway  Flags  Netif Expire
::7  link#2  UHS  lo0
2a01:4f8:200:12cf::7  link#1  UHS  lo0


root@116a1ef1-44ed-11e5-a4b3-74d02b9a84d5:~ # cat /etc/resolv.conf
nameserver ::1
options edns0


root@116a1ef1-44ed-11e5-a4b3-74d02b9a84d5:~ # cat /etc/rc.conf
hostname="116a1ef1-44ed-11e5-a4b3-74d02b9a84d5"

cron_flags=" -J 15"

# Disable Sendmail by default
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
# Run secure syslog
syslogd_flags="-c -ss"
# Enable IPv6
ipv6_activate_all_interfaces="YES"
 
Were you able to resolve this issue?

I'm running into the same issue, although even UDP doesn't work. I suspect it has to do with my pf(4) setup on the host, but I haven't found the reason yet.
 
No, sorry. I don't use pf on this system, so it is presumably something else.
 
I finally located the source of this issue -- as soon as I used net/ngrep I could see that the outgoing packet "travels" on the em0 interface, and is therefore blocked by dns/unbound immediately. The solution, at least for me, was to remove the em0 interface completely, and use PF NAT to allow access back to the network. I believe it would be sufficient to change the order of assigned network devices in iocage setup, thus:

Code:
ip6_addr='lo0|::7/8,em0|2a01:4f8:200:12cf:0:0:0:7/64'
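The access-control diagnosis from the last reply, worked through as an added example (not code from this thread): it applies unbound's most-specific-netblock rule to the host's secure.conf from the first post and checks each address the jail could use as its source, showing that the em0 global address is refused while ::7 is allowed. The iocage ip6_addr parser is a constructed helper, and the idea that address order decides which source the jail prefers is the reply's hypothesis, not something this script verifies.

```python
import ipaddress

# access-control lines copied from the host's secure.conf in the thread
ACCESS_CONTROL = """
access-control: 127.0.0.0/8 allow
access-control: ::1/8 allow
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
"""

def parse_access_control(text):
    """(network, action) pairs; unbound masks the address to the prefix,
    so the thread's '::1/8' really means '::/8' (strict=False does that)."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[0] != "access-control:":
            continue
        rules.append((ipaddress.ip_network(fields[1], strict=False), fields[2]))
    return rules

def decide(rules, source):
    """unbound picks the most specific matching netblock; a query whose
    source matches nothing gets unbound's default action, refuse."""
    addr = ipaddress.ip_address(source)
    best = None
    for net, action in rules:
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    return best[1] if best else "refuse"

def jail_addresses(ip6_addr):
    """Split an iocage ip6_addr value ('if|addr/prefix,...') into
    (interface, address) pairs in assignment order (constructed parser)."""
    pairs = []
    for item in ip6_addr.split(","):
        iface, addrprefix = item.split("|", 1)
        pairs.append((iface, addrprefix.split("/", 1)[0]))
    return pairs

if __name__ == "__main__":
    rules = parse_access_control(ACCESS_CONTROL)
    # the ip6_addr from the original clone command, and the reply's reordered one
    for value in ("em0|2a01:4f8:200:12cf:0:0:0:7/64,lo0|::7/8",
                  "lo0|::7/8,em0|2a01:4f8:200:12cf:0:0:0:7/64"):
        for iface, addr in jail_addresses(value):
            print(f"{value}: {addr} on {iface} -> {decide(rules, addr)}")
```

Whichever source address the jail actually selects, only a query arriving from ::7 (or ::1) passes this access list; one arriving from 2a01:4f8:200:12cf::7 is refused, which matches the ngrep observation in the reply.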
 