How can I get DNS resolution to work inside a Mac OS X `chroot` on El Capitan?


I'm trying to create a chroot to run a program that needs internet access to build myself a sandboxed, immutable developer environment. So far my jail is working well: I can run bash inside it and run simple programs from there! DNS resolution doesn't work however:



bash-3.2$ curl google.ca
curl: (6) Could not resolve host: google.ca


I am almost positive this is because the inner process is unable to connect to the mDNSResponder daemon running outside the jail. Outside the jail there is an mDNSResponder socket for the whole system to use:



host ➜ ls -lA /var/run/mDNSResponder
srw-rw-rw- 1 root daemon 0 22 Oct 10:41 /var/run/mDNSResponder


But, inside the jail there is not. So, I tried to use socat to create a unix socket "proxy" from inside the jail to outside it: I run socat (command below) to create a socket inside my jail, and then inside the jail run curl again, but curl still gives the same error message. I see this in syslog after turning on the verbose logging of mDNSResponder with SIGUSR1:



2015-10-26 5:32:30.835 PM mDNSResponder[95]: 12: connect_callback: Adding FD for uid 0
2015-10-26 5:32:30.835 PM mDNSResponder[95]: 12: DNSServiceCreateConnection START PID[23271](socat)
2015-10-26 5:32:30.836 PM mDNSResponder[95]: 12: read_msg: ERROR failed to get errsd via SCM_RIGHTS
2015-10-26 5:32:30.836 PM mDNSResponder[95]: 12: DNSServiceCreateConnection STOP PID[23271](socat)
2015-10-26 5:32:30.836 PM mDNSResponder[95]: 12: Removing FD
2015-10-26 5:32:31.339 PM curl[23269]: dnssd_clientstub read_all(5) failed 0/4 0
2015-10-26 5:32:31.339 PM curl[23269]: dnssd_clientstub write_all(4) failed -1/28 32 Broken pipe
2015-10-26 5:32:31.341 PM mDNSResponder[95]: 12: connect_callback: Adding FD for uid 0
2015-10-26 5:32:31.341 PM mDNSResponder[95]: 12: DNSServiceCreateConnection START PID[23272](socat)
2015-10-26 5:32:31.342 PM mDNSResponder[95]: 12: read_msg: ERROR failed to get errsd via SCM_RIGHTS
2015-10-26 5:32:31.342 PM mDNSResponder[95]: 12: DNSServiceCreateConnection STOP PID[23272](socat)
2015-10-26 5:32:31.342 PM mDNSResponder[95]: 12: Removing FD
2015-10-26 5:32:31.844 PM curl[23269]: dnssd_clientstub read_all(5) failed 0/4 0
2015-10-26 5:32:31.846 PM mDNSResponder[95]: 12: connect_callback: Adding FD for uid 0
2015-10-26 5:32:31.846 PM mDNSResponder[95]: 12: DNSServiceCreateConnection START PID[23274](socat)
2015-10-26 5:32:31.847 PM mDNSResponder[95]: 12: read_msg: ERROR failed to get errsd via SCM_RIGHTS
2015-10-26 5:32:31.847 PM mDNSResponder[95]: 12: DNSServiceCreateConnection STOP PID[23274](socat)
2015-10-26 5:32:31.847 PM mDNSResponder[95]: 12: Removing FD
2015-10-26 5:32:32.349 PM curl[23269]: dnssd_clientstub read_all(5) failed 0/4 0
2015-10-26 5:32:32.350 PM mDNSResponder[95]: 12: connect_callback: Adding FD for uid 0
2015-10-26 5:32:32.351 PM mDNSResponder[95]: 12: DNSServiceCreateConnection START PID[23275](socat)
2015-10-26 5:32:33.361 PM mDNSResponder[95]: 12: DNSServiceCreateConnection STOP PID[23275](socat)
2015-10-26 5:32:33.361 PM mDNSResponder[95]: 12: Removing FD


which looks to me like curl via dnssd_clientstub is trying three times to resolve the name. Here's the socat log while the jailed process was trying to connect:



host ~/C/jail (master*) ➜
sudo socat -v -d -d UNIX-LISTEN:/Users/hornairs/Code/jail/jail-test/private/var/run/mDNSResponder,mode=666,fork,user=root,group=daemon UNIX-CLIENT:/private/var/run/mDNSResponder
Password:
2015/10/26 18:16:03 socat[24334] N listening on LEN=67 AF=1 "/Users/hornairs/Code/jail/jail-test/private/var/run/mDNSResponder"
2015/10/26 18:16:07 socat[24334] N accepting connection from LEN=16 AF=1 "" on LEN=67 AF=1 "/Users/hornairs/Code/jail/jail-test/private/var/run/mDNSResponder"
2015/10/26 18:16:07 socat[24334] N forked off child process 24341
2015/10/26 18:16:07 socat[24334] N listening on LEN=67 AF=1 "/Users/hornairs/Code/jail/jail-test/private/var/run/mDNSResponder"
2015/10/26 18:16:07 socat[24341] N opening connection to LEN=32 AF=1 "/private/var/run/mDNSResponder"
2015/10/26 18:16:07 socat[24341] N successfully connected from local address LEN=16 AF=1 ""
2015/10/26 18:16:07 socat[24341] N starting data transfer loop with FDs [6,6] and [5,5]
> 2015/10/26 18:16:07.081847 length=28 from=0 to=27
............................< 2015/10/26 18:16:07.082019 length=4 from=0 to=3
....> 2015/10/26 18:16:07.082167 length=50 from=28 to=77
...............b...............P.....google.ca....> 2015/10/26 18:16:07.082287 length=1 from=78 to=78
.2015/10/26 18:16:07 socat[24341] N socket 2 (fd 5) is at EOF
2015/10/26 18:16:07 socat[24341] N exiting with status 0
2015/10/26 18:16:07 socat[24334] N childdied(): handling signal 20


For comparison, here's what a successful lookup looks like when I run it from the host:



2015-10-26 5:31:56.524 PM mDNSResponder[95]: 12: connect_callback: Adding FD for uid 501
2015-10-26 5:31:56.524 PM mDNSResponder[95]: 12: DNSServiceCreateConnection START PID[23190](curl)
2015-10-26 5:31:56.524 PM mDNSResponder[95]: 12: Result code socket 27 created 00000000 00000001
2015-10-26 5:31:56.524 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(15000, 0, google.ca., Addr) START PID[23190]()
2015-10-26 5:31:56.525 PM mDNSResponder[95]: 12: Result code socket 27 closed 00000000 00000001 (0)
2015-10-26 5:31:56.525 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(google.ca., Addr) ADD 4 google.ca. Addr 74.216.233.251
2015-10-26 5:31:56.525 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(google.ca., Addr) ADD 4 google.ca. Addr 74.216.233.249
2015-10-26 5:31:56.525 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(google.ca., Addr) ADD 4 google.ca. Addr 74.216.233.227
*snip*
2015-10-26 5:31:56.525 PM mDNSResponder[95]: 12: Result code socket 27 created 00000000 00000002
2015-10-26 5:31:56.525 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(15000, 0, google.ca., AAAA) START PID[23190]()
2015-10-26 5:31:56.526 PM mDNSResponder[95]: 12: Result code socket 27 closed 00000000 00000002 (0)
2015-10-26 5:31:56.526 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(google.ca., AAAA) ADD 16 google.ca. AAAA 2607:F8B0:400B:080A:0000:0000:0000:100F
2015-10-26 5:31:56.526 PM mDNSResponder[95]: 12: Cancel 00000000 00000001
2015-10-26 5:31:56.526 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(google.ca., Addr) STOP PID[23190]()
2015-10-26 5:31:56.526 PM mDNSResponder[95]: 12: Cancel 00000000 00000002
2015-10-26 5:31:56.526 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(google.ca., AAAA) STOP PID[23190]()
2015-10-26 5:31:56.587 PM mDNSResponder[95]: 12: DNSServiceCreateConnection STOP PID[23190](curl)
2015-10-26 5:31:56.587 PM mDNSResponder[95]: 12: Removing FD


The major differences I notice between the failure and the success are that the uid is 0 for the request inside the jail and 501 for the request outside it. Curious, but that doesn't seem to be where the request actually fails.



The error message that comes from mDNSResponder seems to be concerning getting the errsd from the incoming request across the socket. https://github.com/jevinskie/mDNSResponder/blob/2942dde61f920fbbf96ff9a3840567ebbe7cb1b6/mDNSShared/uds_daemon.c#L3660



At this point it seems to me like mDNSResponder expects its clients to pass it a pair of fd's across the socket to respond to the client with, which I am not sure is even possible to do from inside the chroot. I am a very poor C programmer so I could be wrong about that, but if that is the truth, is it even possible to do this, and is there a better path to getting DNS to work inside the chroot?



Other tidbits:



  • You can configure mDNSResponder to listen on more than one socket in its launchd plist file, but that file is now protected by System Integrity Protection, which I don't want to disable to get this to work. It's janky, and easy to fall out of sync with the jail filesystems I am often changing on the hosts, which breaks DNS for every process if it can't create one of the sockets because the file doesn't exist. Running a proxy seems much more resilient.


  • ping dies instantly in the jail, which is why I am using curl. It gets a Killed: 9 message on the console instantly.



  • I am getting some other files into the chroot using a bind mount, but I can't get that to work for the mDNSResponder socket. I use http://bindfs.org (since OS X doesn't support Linux's mount --bind) to mount /var/run into the chroot, but this comes up in the logs when trying to connect:



    2015-10-26 6:39:40.833 PM curl[25002]: dnssd_clientstub ConnectToServer: connect()-> No of tries: 1
    2015-10-26 6:39:41.837 PM curl[25002]: dnssd_clientstub ConnectToServer: connect()-> No of tries: 2
    2015-10-26 6:39:42.843 PM curl[25002]: dnssd_clientstub ConnectToServer: connect()-> No of tries: 3
    2015-10-26 6:39:43.848 PM curl[25002]: dnssd_clientstub ConnectToServer: connect() failed path:/var/run/mDNSResponder Socket:4 Err:-1 Errno:61 Connection refused










  • Also of note: I can't run a duplicate mDNSResponder inside the chroot. It is killed instantly with this in the foreground:

    bash-3.2# /usr/sbin/mDNSResponder
    Killed: 9

    and this in syslog: kernel[0]: AMFI: hook..execve() killing pid 26798: not allowed in chroot

    – hornairs
    Oct 26 '15 at 23:51
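The "failed to get errsd via SCM_RIGHTS" line in the log above is the crux: the dnssd client stub hands the daemon a file descriptor (its end of a socketpair, the "errsd") as SCM_RIGHTS ancillary data on the Unix socket, and a relay that only copies bytes, which is what socat's UNIX-LISTEN/UNIX-CLIENT pair does, never sees that ancillary data, so the daemon gets the request bytes without the descriptor and drops the connection. The following is an added example, not code from the question or from mDNSResponder, that models that handoff with Python's sendmsg/recvmsg: a byte-copying relay loses the descriptor, an fd-aware relay re-attaches it. The message bytes, the 4-byte "0 = no error" reply and the function names are constructed for illustration and are not the real protocol framing.

```python
import array
import os
import socket
from typing import Optional

# Constructed model of the client -> daemon handshake discussed above.
# The real client stub keeps one end of a socketpair and passes the other
# ("errsd") to the daemon via SCM_RIGHTS; the daemon answers through it.
# Message bytes and the reply format below are placeholders, not the real
# mDNSResponder wire format.


def send_with_fd(sock: socket.socket, payload: bytes, fd: int) -> None:
    """Send payload plus one file descriptor as SCM_RIGHTS ancillary data."""
    sock.sendmsg(
        [payload],
        [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))],
    )


def recv_with_fds(sock: socket.socket, bufsize: int = 4096, maxfds: int = 1):
    """Receive payload and any SCM_RIGHTS descriptors; returns (data, [fds])."""
    fds = array.array("i")
    data, ancdata, _flags, _addr = sock.recvmsg(
        bufsize, socket.CMSG_SPACE(maxfds * fds.itemsize)
    )
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            # Ignore a trailing partial int, as the Python docs recommend.
            fds.frombytes(cdata[: len(cdata) - (len(cdata) % fds.itemsize)])
    return data, list(fds)


def byte_proxy(src: socket.socket, dst: socket.socket) -> None:
    """Plain byte copier, the behaviour of a socat UNIX-LISTEN/UNIX-CLIENT relay.

    recv() supplies no control buffer, so the kernel discards the in-flight
    descriptor and only the payload bytes are forwarded.
    """
    dst.sendall(src.recv(4096))


def fd_aware_proxy(src: socket.socket, dst: socket.socket) -> None:
    """Relay that re-attaches received SCM_RIGHTS descriptors on the way out."""
    data, fds = recv_with_fds(src)
    if fds:
        # Forward our copy of the descriptor, then close it; the receiver
        # gets its own reference. Only one fd is handled here.
        send_with_fd(dst, data, fds[0])
        for fd in fds:
            os.close(fd)
    else:
        dst.sendall(data)


def daemon_read_msg(sock: socket.socket) -> Optional[bytes]:
    """Model of the daemon's read_msg: refuse requests that carry no errsd."""
    data, fds = recv_with_fds(sock)
    if not fds:
        return None  # corresponds to "ERROR failed to get errsd via SCM_RIGHTS"
    errsd = socket.socket(fileno=fds[0])  # adopt the passed descriptor
    errsd.sendall((0).to_bytes(4, "big"))  # constructed "no error" reply
    errsd.close()
    return data


def run_lookup_through(proxy) -> Optional[int]:
    """Drive one client -> proxy -> daemon exchange.

    Returns the status the client reads back on its errsd end, or None when
    the daemon rejected the request because the descriptor did not arrive.
    """
    client, proxy_in = socket.socketpair()
    proxy_out, daemon = socket.socketpair()
    err_client, err_daemon = socket.socketpair()
    try:
        send_with_fd(client, b"DNSServiceCreateConnection", err_daemon.fileno())
        err_daemon.close()  # the client keeps only its own end
        proxy(proxy_in, proxy_out)
        if daemon_read_msg(daemon) is None:
            return None
        return int.from_bytes(err_client.recv(4), "big")
    finally:
        for s in (client, proxy_in, proxy_out, daemon, err_client):
            s.close()


if __name__ == "__main__":
    print("byte relay     ->", run_lookup_through(byte_proxy))
    print("fd-aware relay ->", run_lookup_through(fd_aware_proxy))
```

Only the descriptor-passing failure is modelled here. As the syslog excerpt shows, the daemon also identifies the connecting process (it logs PID[...](socat) rather than curl), so a relay that forwards descriptors removes this specific error without making the daemon see the jailed process as its peer.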


















2015/10/26 18:16:07 socat[24334] N forked off child process 24341
2015/10/26 18:16:07 socat[24334] N listening on LEN=67 AF=1 "/Users/hornairs/Code/jail/jail-test/private/var/run/mDNSResponder"
2015/10/26 18:16:07 socat[24341] N opening connection to LEN=32 AF=1 "/private/var/run/mDNSResponder"
2015/10/26 18:16:07 socat[24341] N successfully connected from local address LEN=16 AF=1 ""
2015/10/26 18:16:07 socat[24341] N starting data transfer loop with FDs [6,6] and [5,5]
> 2015/10/26 18:16:07.081847 length=28 from=0 to=27
............................< 2015/10/26 18:16:07.082019 length=4 from=0 to=3
....> 2015/10/26 18:16:07.082167 length=50 from=28 to=77
...............b...............P.....google.ca....> 2015/10/26 18:16:07.082287 length=1 from=78 to=78
.2015/10/26 18:16:07 socat[24341] N socket 2 (fd 5) is at EOF
2015/10/26 18:16:07 socat[24341] N exiting with status 0
2015/10/26 18:16:07 socat[24334] N childdied(): handling signal 20


For comparison, here's what a successful lookup looks like when I run it from the host:



2015-10-26 5:31:56.524 PM mDNSResponder[95]: 12: connect_callback: Adding FD for uid 501
2015-10-26 5:31:56.524 PM mDNSResponder[95]: 12: DNSServiceCreateConnection START PID[23190](curl)
2015-10-26 5:31:56.524 PM mDNSResponder[95]: 12: Result code socket 27 created 00000000 00000001
2015-10-26 5:31:56.524 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(15000, 0, google.ca., Addr) START PID[23190]()
2015-10-26 5:31:56.525 PM mDNSResponder[95]: 12: Result code socket 27 closed 00000000 00000001 (0)
2015-10-26 5:31:56.525 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(google.ca., Addr) ADD 4 google.ca. Addr 74.216.233.251
2015-10-26 5:31:56.525 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(google.ca., Addr) ADD 4 google.ca. Addr 74.216.233.249
2015-10-26 5:31:56.525 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(google.ca., Addr) ADD 4 google.ca. Addr 74.216.233.227
*snip*
2015-10-26 5:31:56.525 PM mDNSResponder[95]: 12: Result code socket 27 created 00000000 00000002
2015-10-26 5:31:56.525 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(15000, 0, google.ca., AAAA) START PID[23190]()
2015-10-26 5:31:56.526 PM mDNSResponder[95]: 12: Result code socket 27 closed 00000000 00000002 (0)
2015-10-26 5:31:56.526 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(google.ca., AAAA) ADD 16 google.ca. AAAA 2607:F8B0:400B:080A:0000:0000:0000:100F
2015-10-26 5:31:56.526 PM mDNSResponder[95]: 12: Cancel 00000000 00000001
2015-10-26 5:31:56.526 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(google.ca., Addr) STOP PID[23190]()
2015-10-26 5:31:56.526 PM mDNSResponder[95]: 12: Cancel 00000000 00000002
2015-10-26 5:31:56.526 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(google.ca., AAAA) STOP PID[23190]()
2015-10-26 5:31:56.587 PM mDNSResponder[95]: 12: DNSServiceCreateConnection STOP PID[23190](curl)
2015-10-26 5:31:56.587 PM mDNSResponder[95]: 12: Removing FD


The major difference I notice between the failure and the success is that the uid is 0 for the request inside the jail and 501 for the request outside it. Curious, but that doesn't seem to be where the request actually fails.

The error message that comes from mDNSResponder seems to be concerning getting the errsd from the incoming request across the socket. https://github.com/jevinskie/mDNSResponder/blob/2942dde61f920fbbf96ff9a3840567ebbe7cb1b6/mDNSShared/uds_daemon.c#L3660



At this point it seems to me like mDNSResponder expects its clients to pass it a pair of fd's across the socket to respond to the client with, which I am not sure is even possible to do from inside the chroot. I am a very poor C programmer so I could be wrong about that, but if that is the truth, is it even possible to do this, and is there a better path to getting DNS to work inside the chroot?



Other tidbits:



  • You can configure mDNSResponder to listen on more than one socket in its launchd plist file, but that file is now protected by System Integrity Protection, which I don't want to disable to get this to work. It's janky, and easy to fall out of sync with the jail filesystems I am often changing on the hosts, which breaks DNS for every process if it can't create one of the sockets because the file doesn't exist. Running a proxy seems much more resilient.

  • ping dies instantly in the jail, which is why I am using curl. It gets a Killed: 9 message on the console instantly.



  • I am getting some other files into the chroot using a bind mount, but I can't get that to work for the mDNSResponder socket. I use http://bindfs.org (since OS X doesn't support Linux's mount --bind) to mount in /var/run to the chroot, but this comes up in the logs when trying to connect:

    2015-10-26 6:39:40.833 PM curl[25002]: dnssd_clientstub ConnectToServer: connect()-> No of tries: 1
    2015-10-26 6:39:41.837 PM curl[25002]: dnssd_clientstub ConnectToServer: connect()-> No of tries: 2
    2015-10-26 6:39:42.843 PM curl[25002]: dnssd_clientstub ConnectToServer: connect()-> No of tries: 3
    2015-10-26 6:39:43.848 PM curl[25002]: dnssd_clientstub ConnectToServer: connect() failed path:/var/run/mDNSResponder Socket:4 Err:-1 Errno:61 Connection refused







macos sockets chroot

asked Oct 26 '15 at 22:22 by hornairs; edited Oct 26 '15 at 22:42

  • Also of note: I can't run a duplicate mDNSResponder inside the chroot. It is killed instantly with this in the foreground:

        bash-3.2# /usr/sbin/mDNSResponder
        Killed: 9

    and this in syslog:

        kernel[0]: AMFI: hook..execve() killing pid 26798: not allowed in chroot

    – hornairs
    Oct 26 '15 at 23:51

2 Answers

Score: 1

The problem here is that requests and responses on the /var/run/mDNSResponder socket use the "ancillary data" feature of the recvmsg and sendmsg system calls, and socat doesn't proxy ancillary data. I was able to get a custom proxy that does relay the ancillary data to work and provide DNS to processes inside a chroot.

answered Mar 28 at 0:24 by sah
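The question's socat attempt and the answer above both turn on the same detail: the client attaches a file descriptor (the "errsd" that mDNSResponder's read_msg complains about) to its request as SCM_RIGHTS ancillary data, and a proxy that copies bytes with read()/write(), which is what socat does on a UNIX-LISTEN/UNIX-CLIENT pair, never sees that descriptor, so the daemon gets the bytes without the fd. The following is an added example of a proxy that relays the descriptors along with the bytes; it is not the answerer's code and not from the question. It assumes a jail socket path (given on the command line, defaulting to a made-up /jail/... path), models none of the mDNSResponder wire format, and only forwards each chunk with whatever SCM_RIGHTS control message arrived on it. The self-test sends a constructed request with a pipe's write end attached and checks that the receiving side can answer through the forwarded descriptor, which is exactly what a byte-only relay cannot do.

```c
/* fdproxy.c: Unix-socket proxy that relays SCM_RIGHTS descriptors, not just bytes. Added
 * example, not code from the question or answers; jail path assumed, wire format not modelled. */
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

#define MAX_FDS 8
typedef union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int) * MAX_FDS)]; } ctl_t;

/* sendmsg() with nfds descriptors attached as one SCM_RIGHTS control message. */
static ssize_t send_with_fds(int sock, const void *buf, size_t len, const int *fds, int nfds)
{
    struct iovec iov = { (void *)buf, len }; struct msghdr msg = { 0 }; ctl_t ctl = { { 0 } };
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    if (nfds > 0) {
        msg.msg_control = ctl.buf; msg.msg_controllen = CMSG_SPACE(sizeof(int) * nfds);
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int) * nfds);
        memcpy(CMSG_DATA(c), fds, sizeof(int) * nfds);
    }
    return sendmsg(sock, &msg, 0);
}

/* recvmsg() that collects SCM_RIGHTS descriptors into fds[]. Returns the byte count
 * (0 on EOF, -1 on error); *nfds receives how many descriptors arrived. */
static ssize_t recv_with_fds(int sock, void *buf, size_t len, int *fds, int maxfds, int *nfds)
{
    struct iovec iov = { buf, len }; struct msghdr msg = { 0 }; ctl_t ctl;
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf; msg.msg_controllen = sizeof ctl.buf; *nfds = 0;
    ssize_t n = recvmsg(sock, &msg, 0);
    for (struct cmsghdr *c = n > 0 ? CMSG_FIRSTHDR(&msg) : NULL; c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) continue;
        int count = (int)((c->cmsg_len - CMSG_LEN(0)) / sizeof(int)), fd;
        for (int i = 0; i < count; i++) {
            memcpy(&fd, CMSG_DATA(c) + i * sizeof(int), sizeof fd);
            if (*nfds < maxfds) fds[(*nfds)++] = fd; else close(fd); /* never leak what we cannot forward */
        }
    }
    return n;
}

/* Move one chunk with its descriptors, then close the proxy's copies (the peer holds its own). */
static ssize_t relay_once(int from, int to)
{
    char buf[4096]; int fds[MAX_FDS], nfds;
    ssize_t n = recv_with_fds(from, buf, sizeof buf, fds, MAX_FDS, &nfds);
    if (n > 0 && send_with_fds(to, buf, (size_t)n, fds, nfds) != n) n = -1;
    for (int i = 0; i < nfds; i++) close(fds[i]);
    return n;                                   /* bytes moved, 0 on EOF, -1 on error */
}

/* Pump both directions until either side closes or errors. */
static void proxy_loop(int client, int upstream)
{
    struct pollfd p[2] = { { client, POLLIN, 0 }, { upstream, POLLIN, 0 } };
    for (;;) {
        if (poll(p, 2, -1) < 0) { if (errno == EINTR) continue; return; }
        if ((p[0].revents & (POLLIN | POLLHUP)) && relay_once(client, upstream) <= 0) return;
        if ((p[1].revents & (POLLIN | POLLHUP)) && relay_once(upstream, client) <= 0) return;
    }
}

/* Self-check over socketpairs: the "client" sends a constructed request with a pipe's write
 * end attached; after relay_once() the "daemon" must be able to answer through it. 1 = pass. */
int fdproxy_self_test(void)
{
    int cl[2], up[2], pfd[2], fds[MAX_FDS], nfds = 0; char got[32], reply[2] = { 0, 0 };
    const char req[] = "QUERY google.ca";       /* constructed; not the real wire format */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, cl) || socketpair(AF_UNIX, SOCK_STREAM, 0, up) || pipe(pfd)) return 0;
    if (send_with_fds(cl[0], req, sizeof req, &pfd[1], 1) != (ssize_t)sizeof req) return 0;
    if (relay_once(cl[1], up[0]) != (ssize_t)sizeof req) return 0;
    if (recv_with_fds(up[1], got, sizeof got, fds, MAX_FDS, &nfds) != (ssize_t)sizeof req) return 0;
    if (nfds != 1 || memcmp(got, req, sizeof req) || write(fds[0], "OK", 2) != 2) return 0;
    close(fds[0]); int ok = read(pfd[0], reply, 2) == 2 && memcmp(reply, "OK", 2) == 0;
    close(pfd[0]); close(pfd[1]); close(cl[0]); close(cl[1]); close(up[0]); close(up[1]);
    return ok;
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/jail/private/var/run/mDNSResponder"; /* assumed */
    struct sockaddr_un jaddr = { .sun_family = AF_UNIX }, daddr = { .sun_family = AF_UNIX };
    strncpy(jaddr.sun_path, jail, sizeof jaddr.sun_path - 1); strcpy(daddr.sun_path, "/var/run/mDNSResponder");
    int ls = socket(AF_UNIX, SOCK_STREAM, 0); unlink(jail); signal(SIGCHLD, SIG_IGN);
    if (bind(ls, (struct sockaddr *)&jaddr, sizeof jaddr) || listen(ls, 16) || chmod(jail, 0666)) return 1;
    for (;;) {
        int c = accept(ls, NULL, NULL), u = socket(AF_UNIX, SOCK_STREAM, 0);
        if (c < 0 || connect(u, (struct sockaddr *)&daddr, sizeof daddr)) { close(c); close(u); continue; }
        if (fork() == 0) { close(ls); proxy_loop(c, u); _exit(0); }
        close(c); close(u);
    }
}
```

Build with `cc -o fdproxy fdproxy.c` and run it on the host, outside the jail, as `sudo ./fdproxy /path/to/jail/private/var/run/mDNSResponder` (the jail path is whatever your chroot uses; the default in the code is a placeholder). Two things worth keeping in mind: the daemon sees the proxy's credentials, not the jailed client's, which is the uid 0 versus 501 difference visible in the question's logs, so mDNSResponder applies whatever per-client policy it has to the proxy's uid; run it as the least-privileged user that can create the socket under the jail rather than as root if your setup allows. And the 0666 mode on the jail socket mirrors the host's own `srw-rw-rw-` socket, so it widens nothing the host does not already grant, but it does mean every process in the jail can reach the host's resolver through it.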






Score: -1

You should make sure you have a copy of /etc/resolv.conf in your chroot. Without it, it wouldn't know which DNS servers to contact, so the only fallback option is to use mDNS. But even if mDNS worked, it would probably only be able to resolve local domain names with it, and not google.ca.

answered Sep 29 '16 at 11:14 by G. Sliepen