Old 21st December 2012
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

Check the shared libs needed to run 'dig':

Code:
# ldd $(which dig)
/usr/sbin/dig:
        Start    End      Type Open Ref GrpRef Name
        1c000000 3c02e000 exe  1    0   0      /usr/sbin/dig
        0857c000 285b9000 rlib 0    1   0      /usr/lib/libcrypto.so.20.1
        07d3a000 27d68000 rlib 0    1   0      /usr/lib/libc.so.62.0
        0be98000 0be98000 rtld 0    1   0      /usr/libexec/ld.so
You probably will need these shared libs in the chroot.

DNS requests also include a random number that helps the resolver match the answer with the question, and it is also meant to prevent somebody from spoofing a fake DNS reply (he would have to guess the random ID correctly):

Code:
$ dig www.openbsd.org     

; <<>> DiG 9.4.2-P2 <<>> www.openbsd.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26376
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.openbsd.org.               IN      A

;; ANSWER SECTION:
www.openbsd.org.        77653   IN      A       129.128.5.194

;; Query time: 1 msec
;; SERVER: 192.168.222.10#53(192.168.222.10)
;; WHEN: Sat Dec 22 00:28:07 2012
;; MSG SIZE  rcvd: 49

00:28:07.341373 192.168.222.20.9625 > 192.168.222.10.53: [bad udp cksum 48aa!] 26376+ A? www.openbsd.org. (33) (ttl 64, id 40525, len 61, bad cksum 0! differs by 9ef2)
00:28:07.342385 192.168.222.10.53 > 192.168.222.20.9625: [udp sum ok] 26376 q: A? www.openbsd.org. 1/0/0 www.openbsd.org. A 129.128.5.194 (49) (ttl 64, id 54455, len 77)
So it looks like you also need the /dev/*random device nodes.
Code:
ls -l /dev/*random*
crw-r--r--  1 root  wheel   45,   3 Dec 21 21:29 /dev/arandom
crw-r--r--  1 root  wheel   45,   0 Apr  5  2010 /dev/random
crw-r--r--  1 root  wheel   45,   1 Apr  5  2010 /dev/srandom
crw-r--r--  1 root  wheel   45,   2 Dec 21 21:29 /dev/urandom
Although for Linux see http://forum.nginx.org/read.php?3,212362,212362

EDIT: As shown in the following post, it turns out that this is not needed at all.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 23rd December 2012 at 08:46 AM.
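Added example, not from the post above: a small POSIX sh script that pulls the absolute paths out of ldd output (both the OpenBSD column format shown in the post and the GNU ldd "=>" format) and copies the binary plus its libraries into a chroot tree. Function names are my own; it assumes a plain `cp`, `mkdir -p` and `awk`.

```shell
#!/bin/sh
# Populate a chroot with a binary and the shared libraries ldd reports for it.

# Print, one per line, every absolute path found in ldd output read from stdin.
# Works for OpenBSD ldd (Start End Type ... Name columns, dynamic loader
# listed as rtld) and for GNU ldd ("libc.so.6 => /lib/... (0x...)").
ldd_paths() {
    tr -s ' \t' '\n' |          # one token per line
        grep '^/' |              # keep only absolute paths
        sed 's/:$//' |           # "/usr/sbin/dig:" header line -> "/usr/sbin/dig"
        awk '!seen[$0]++'        # drop duplicates, keep first-seen order
}

# Copy each path read from stdin into the tree rooted at $1,
# recreating the directory it lives in (e.g. /usr/lib under the chroot).
copy_into_chroot() {
    dest=$1
    while IFS= read -r path; do
        [ -e "$path" ] || { echo "skip: $path not found" >&2; continue; }
        mkdir -p "$dest$(dirname "$path")"
        cp -p "$path" "$dest$path"
    done
}

# Copy binary $2 and everything ldd lists for it into chroot directory $1.
# The echo guarantees the binary itself is copied even when ldd does not
# print its path (GNU ldd does not; OpenBSD ldd does, as the exe line).
jail_binary() {
    chroot_dir=$1
    bin=$2
    { echo "$bin"; ldd "$bin"; } | ldd_paths | copy_into_chroot "$chroot_dir"
}
```

Run as root, e.g. `jail_binary /var/chroot/dns /usr/sbin/dig`, then verify with `chroot /var/chroot/dns /usr/sbin/dig www.openbsd.org`.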