[GH-ISSUE #1722] Provide a way to specify DNSv6, for ex. --dns6 #1164

Closed
opened 2026-05-05 07:34:10 -06:00 by gitea-mirror · 3 comments

Originally created by @ghost on GitHub (Jan 9, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1722

You explained in my ticket #1672 that firejail does not use DHCP, and certainly does not use the DNS it would provide, for security reasons.

That makes perfect sense, and that is why there is the --dns option so that the user can provide a DNS he trusts instead of relying on whatever DHCP would want you to use.

For the same reason, there should be a way to provide a dns6 address when you want to use DNS over ipv6 instead. That is assuming of course you don't abide by router advertisement (RA) publishing a DNS ipv6 address (I didn't check). In fact, contrary to DHCP, firejail takes for granted whatever global ipv6 network is advertised through RA.

The option could be: --dns6

You could then invoke with:
firejail --net=vnet0 --dns6=fe80::12

This is loosely coupled to other tickets showing the early progress of ipv6 implementation:
#1247: lack of dns6-gw
#895: bug with nameservers v6
#1721: not working at all when ipv6-only

About this impossibility of using dnsv6, I assume that it relates to the stages of ipv6 implementation.
Indeed, when you don't provide a dns with --dns, firejail will use what is defined on the host. It happens to be 127.0.1.1 on ubuntu (see #1672). Hence even if it got the DNS V6 published by radvd, since it uses DNS V4 in priority and 127.0.1.1 obviously leads nowhere in the sandbox... you are left never being able to get DNS V6!


@netblue30 commented on GitHub (Jan 17, 2018):

I added support for ipv6 addresses in the --dns option. I allow up to 4 nameservers in any ipv4 and ipv6 combination. If 4 is not enough, I can increase it. Try it out and let me know if you run into problems.

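A small check, added here as an illustration and not code from the firejail project or from anyone in this thread: it parses the resolver list a sandbox would otherwise inherit from the host, flags the loopback stub address that the report describes as leading nowhere inside --net, and builds a --dns argument list that mixes v4 and v6 entries while honouring the 4-nameserver cap mentioned above. The resolv.conf content is constructed.

```python
import ipaddress

# Limit stated in the thread: --dns accepts up to 4 nameservers, any v4/v6 mix.
MAX_NAMESERVERS = 4

# Constructed sample of what an Ubuntu host's resolv.conf can look like; the
# first entry is the local stub resolver that "leads nowhere" in the sandbox.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real host file
nameserver 127.0.1.1
nameserver 2001:db8::53   # documentation-range v6 resolver
nameserver 9.9.9.9
search example.invalid
"""

def parse_nameservers(resolv_conf):
    """Return the nameserver addresses from resolv.conf text, in file order."""
    servers = []
    for raw in resolv_conf.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def classify(server):
    """Label one nameserver: invalid, loopback (dead inside --net), or ok-v4/ok-v6."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if addr.is_loopback:
        return "loopback"   # 127.0.0.0/8 or ::1: the host's stub is not in the sandbox netns
    return "ok-v%d" % addr.version

def dns_args(servers):
    """Build --dns arguments for a firejail invocation, dropping entries that
    cannot work from the sandbox and enforcing the 4-entry cap."""
    usable = [s for s in servers if classify(s).startswith("ok")]
    if not usable:
        raise ValueError("no usable nameserver; resolution would fail in the sandbox")
    if len(usable) > MAX_NAMESERVERS:
        raise ValueError("%d nameservers exceed --dns limit of %d" % (len(usable), MAX_NAMESERVERS))
    return ["--dns=%s" % s for s in usable]

if __name__ == "__main__":
    servers = parse_nameservers(SAMPLE_RESOLV_CONF)
    for s in servers:
        print(s, classify(s))
    print("firejail --net=vnet0", *dns_args(servers))
```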

@ghost commented on GitHub (Jan 17, 2018):

Thanks! One DNS is enough for my use case since I am tunnelling all traffic to tor. In fact the actual resolution is made by the tor exit node, not locally, we only need one local address to do that.

I guess the commit is against the development version on that github, right?

So I'll do the compile and test that weekend when I have a little bit more time, and post back.


@ghost commented on GitHub (Jan 20, 2018):

It does not work!
Doing another ticket then.
