Check the shared libs needed to run 'dig':
Code:
# ldd $(which dig)
/usr/sbin/dig:
Start End Type Open Ref GrpRef Name
1c000000 3c02e000 exe 1 0 0 /usr/sbin/dig
0857c000 285b9000 rlib 0 1 0 /usr/lib/libcrypto.so.20.1
07d3a000 27d68000 rlib 0 1 0 /usr/lib/libc.so.62.0
0be98000 0be98000 rtld 0 1 0 /usr/libexec/ld.so
You probably will need these shared libs in the chroot.
DNS requests also include a random number that helps the resolver match the answer with the question and is also meant to prevent somebody from spoofing a fake DNS reply (he would have to guess the random ID correctly):
Code:
$ dig www.openbsd.org
; <<>> DiG 9.4.2-P2 <<>> www.openbsd.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26376
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.openbsd.org. IN A
;; ANSWER SECTION:
www.openbsd.org. 77653 IN A 129.128.5.194
;; Query time: 1 msec
;; SERVER: 192.168.222.10#53(192.168.222.10)
;; WHEN: Sat Dec 22 00:28:07 2012
;; MSG SIZE rcvd: 49
00:28:07.341373 192.168.222.20.9625 > 192.168.222.10.53: [bad udp cksum 48aa!] 26376+ A? www.openbsd.org. (33) (ttl 64, id 40525, len 61, bad cksum 0! differs by 9ef2)
00:28:07.342385 192.168.222.10.53 > 192.168.222.20.9625: [udp sum ok] 26376 q: A? www.openbsd.org. 1/0/0 www.openbsd.org. A 129.128.5.194 (49) (ttl 64, id 54455, len 77)
So it looks like you also need the /dev/*random device nodes.
Code:
ls -l /dev/*random*
crw-r--r-- 1 root wheel 45, 3 Dec 21 21:29 /dev/arandom
crw-r--r-- 1 root wheel 45, 0 Apr 5 2010 /dev/random
crw-r--r-- 1 root wheel 45, 1 Apr 5 2010 /dev/srandom
crw-r--r-- 1 root wheel 45, 2 Dec 21 21:29 /dev/urandom
Although for Linux see http://forum.nginx.org/read.php?3,212362,212362
EDIT:
As shown in the following post, it turns out that this is not needed at all.
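The ldd step from the post above, turned into a small script as an added example (not part of the original post): it pulls the library paths out of OpenBSD-style ldd output and copies only those files into a chroot, preserving their directory layout. The function names `ldd_libs`, `stage_into_chroot` and `sample_ldd_output` and the `$CHROOT` variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and $CHROOT
# are hypothetical; the sample data is the ldd output quoted in the post.

# Read OpenBSD-style ldd output on stdin
# (columns: Start End Type Open Ref GrpRef Name) and print the Name column
# of every shared library (rlib) and of the runtime linker (rtld).
# The executable itself (exe) and the header lines are skipped.
ldd_libs() {
    awk '$3 == "rlib" || $3 == "rtld" { print $7 }'
}

# Read absolute paths on stdin and copy each one below the chroot directory
# given as $1, keeping the same path inside the chroot. Only the listed
# files are copied, so the chroot stays as small as possible.
stage_into_chroot() {
    chroot_dir=$1
    while IFS= read -r lib; do
        if [ ! -f "$lib" ]; then
            echo "missing: $lib" >&2
            continue
        fi
        mkdir -p "$chroot_dir$(dirname "$lib")"
        cp -p "$lib" "$chroot_dir$lib"
        echo "$chroot_dir$lib"
    done
}

# The ldd output shown in the post, embedded so the parser can be tried
# on a machine that is not running OpenBSD.
sample_ldd_output() {
    cat <<'EOF'
/usr/sbin/dig:
Start End Type Open Ref GrpRef Name
1c000000 3c02e000 exe 1 0 0 /usr/sbin/dig
0857c000 285b9000 rlib 0 1 0 /usr/lib/libcrypto.so.20.1
07d3a000 27d68000 rlib 0 1 0 /usr/lib/libc.so.62.0
0be98000 0be98000 rtld 0 1 0 /usr/libexec/ld.so
EOF
}

# On a real system ($CHROOT is a placeholder for the chroot directory):
#   ldd "$(which dig)" | ldd_libs | stage_into_chroot "$CHROOT"
```

Library version numbers change between releases, so the staging step has to be repeated after each system upgrade.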