[GH-ISSUE #3605] DNS requests fail in jailed Firefox with IPv6 resolver #2261

New issue

Open

opened 2026-05-05 08:57:10 -06:00 by gitea-mirror · 16 comments

gitea-mirror commented 2026-05-05 08:57:10 -06:00

Owner

Copy link

Originally created by @In-line on GitHub (Aug 28, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3605

When using system /etc/resolv.conf

nameserver ::1
nameserver 127.0.0.1

DNS requests fail in Firefox. Commenting nameserver ::1 solves issue.

This doesn't happen in non-jailed firefox and using dig in Firefox joined (--join=) sandbox.

IPv6 is disabled in Linux commandline ipv6.disable=1, didn't test with enabled IPv6.
Resolver in 127.0.0.1 is dnscrypt-proxy.

Firejail 0.9.62.4
Mozilla Firefox 79.0
DNSCrypt Proxy 2.0.44
Distribution: Arch Linux

Originally created by @In-line on GitHub (Aug 28, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3605 When using system `/etc/resolv.conf` ``` nameserver ::1 nameserver 127.0.0.1 ``` DNS requests fail in Firefox. Commenting `nameserver ::1` solves issue. This doesn't happen in non-jailed firefox and using `dig` in Firefox joined (`--join=`) sandbox. IPv6 is disabled in Linux commandline `ipv6.disable=1`, didn't test with enabled IPv6. Resolver in `127.0.0.1` is dnscrypt-proxy. Firejail 0.9.62.4 Mozilla Firefox 79.0 DNSCrypt Proxy 2.0.44 Distribution: Arch Linux

gitea-mirror added the

networking

label 2026-05-05 08:57:10 -06:00

gitea-mirror commented 2026-05-05 08:57:12 -06:00

Author

Owner

Copy link

@In-line commented on GitHub (Aug 28, 2020):

Seems to be the same issue https://www.reddit.com/r/archlinux/comments/5uh2y5/firejail_doesnt_use_archs_default_dns_server_need/

<!-- gh-comment-id:682438569 --> @In-line commented on GitHub (Aug 28, 2020): Seems to be the same issue https://www.reddit.com/r/archlinux/comments/5uh2y5/firejail_doesnt_use_archs_default_dns_server_need/

gitea-mirror commented 2026-05-05 08:57:13 -06:00

Author

Owner

Copy link

@bbhtt commented on GitHub (Aug 30, 2020):

This does not happen for me, I'm using nm-manager+systemd-resolved on Arch: /etc/resolv.conf -> /run/systemd/resolve/resolv.conf

<!-- gh-comment-id:683368198 --> @bbhtt commented on GitHub (Aug 30, 2020): This does not happen for me, I'm using nm-manager+systemd-resolved on Arch: `/etc/resolv.conf -> /run/systemd/resolve/resolv.conf`

gitea-mirror commented 2026-05-05 08:57:14 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Oct 1, 2020):

Any progress here?

<!-- gh-comment-id:702306665 --> @rusty-snake commented on GitHub (Oct 1, 2020): Any progress here?

gitea-mirror commented 2026-05-05 08:57:15 -06:00

Author

Owner

Copy link

@sak96 commented on GitHub (Feb 7, 2022):

looks like something is wrong with dns via sytemd-resolved in firefox profile.

firejail --version
firejail version 0.9.68

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

$ firejail --trace --profile=firefox  getent hosts google.com
...
8:getent:connect 4 /run/systemd/resolve/io.systemd.Resolve:-1
...

..snipped to tracelog
8:getent:exec /usr/bin/getent:0
8:getent:fopen64 /run/systemd/machines/google.com:(nil)
8:getent:socket AF_LOCAL SOCK_STREAM 0:4
8:getent:connect 4 /run/systemd/resolve/io.systemd.Resolve:-1
8:getent:socket AF_INET SOCK_DGRAM IPPROTO_IP:4
8:getent:connect 4 127.0.0.1 port 53:0
8:getent:socket AF_INET SOCK_DGRAM IPPROTO_IP:4
8:getent:connect 4 127.0.0.1 port 53:0
8:getent:fopen64 /run/systemd/machines/google.com:(nil)
8:getent:socket AF_LOCAL SOCK_STREAM 0:4
8:getent:connect 4 /run/systemd/resolve/io.systemd.Resolve:-1
8:getent:socket AF_INET SOCK_DGRAM IPPROTO_IP:4
8:getent:connect 4 127.0.0.1 port 53:0
8:getent:socket AF_INET SOCK_DGRAM IPPROTO_IP:4
8:getent:connect 4 127.0.0.1 port 53:0

$ firejail --trace --noprofile  getent hosts google.com
...
2:getent:connect 5 /run/systemd/resolve/io.systemd.Resolve:0
...

..snipped to tracelog
2:zsh:exec /usr/bin/zsh:0
2:zsh:open /dev/pts/3:4
2:zsh:open /etc/zsh/zshenv:-1
2:zsh:open /home/sak/.zshenv:-1
2:zsh:open /dev/null:4
2:zsh:access /usr/local/bin/getent:-1
2:zsh:access /usr/bin/getent:0
2:getent:exec /usr/bin/getent:0
2:getent:fopen64 /run/systemd/machines/google.com:(nil)
2:getent:socket AF_LOCAL SOCK_STREAM 0:5
2:getent:connect 5 /run/systemd/resolve/io.systemd.Resolve:0
2404:6800:4009:80f::200e google.com

<!-- gh-comment-id:1031550960 --> @sak96 commented on GitHub (Feb 7, 2022): looks like something is wrong with dns via sytemd-resolved in firefox profile. <summary> ```bash firejail --version firejail version 0.9.68 ``` <details> ``` Compile time support: - always force nonewprivs support is disabled - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - D-BUS proxy support is enabled - file transfer support is enabled - firetunnel support is enabled - networking support is enabled - output logging is enabled - overlayfs support is disabled - private-home support is enabled - private-cache and tmpfs as user enabled - SELinux support is disabled - user namespace support is enabled - X11 sandboxing support is enabled ``` </details> </summary> <summary> ```bash $ firejail --trace --profile=firefox getent hosts google.com ... 8:getent:connect 4 /run/systemd/resolve/io.systemd.Resolve:-1 ... ``` <details> ``` ..snipped to tracelog 8:getent:exec /usr/bin/getent:0 8:getent:fopen64 /run/systemd/machines/google.com:(nil) 8:getent:socket AF_LOCAL SOCK_STREAM 0:4 8:getent:connect 4 /run/systemd/resolve/io.systemd.Resolve:-1 8:getent:socket AF_INET SOCK_DGRAM IPPROTO_IP:4 8:getent:connect 4 127.0.0.1 port 53:0 8:getent:socket AF_INET SOCK_DGRAM IPPROTO_IP:4 8:getent:connect 4 127.0.0.1 port 53:0 8:getent:fopen64 /run/systemd/machines/google.com:(nil) 8:getent:socket AF_LOCAL SOCK_STREAM 0:4 8:getent:connect 4 /run/systemd/resolve/io.systemd.Resolve:-1 8:getent:socket AF_INET SOCK_DGRAM IPPROTO_IP:4 8:getent:connect 4 127.0.0.1 port 53:0 8:getent:socket AF_INET SOCK_DGRAM IPPROTO_IP:4 8:getent:connect 4 127.0.0.1 port 53:0 ``` </details> </summary> <summary> ```bash $ firejail --trace --noprofile getent hosts google.com ... 2:getent:connect 5 /run/systemd/resolve/io.systemd.Resolve:0 ... ``` <details> ``` ..snipped to tracelog 2:zsh:exec /usr/bin/zsh:0 2:zsh:open /dev/pts/3:4 2:zsh:open /etc/zsh/zshenv:-1 2:zsh:open /home/sak/.zshenv:-1 2:zsh:open /dev/null:4 2:zsh:access /usr/local/bin/getent:-1 2:zsh:access /usr/bin/getent:0 2:getent:exec /usr/bin/getent:0 2:getent:fopen64 /run/systemd/machines/google.com:(nil) 2:getent:socket AF_LOCAL SOCK_STREAM 0:5 2:getent:connect 5 /run/systemd/resolve/io.systemd.Resolve:0 2404:6800:4009:80f::200e google.com ``` </details> </summary>

gitea-mirror commented 2026-05-05 08:57:16 -06:00

Author

Owner

Copy link

@sak96 commented on GitHub (Feb 7, 2022):

any know fixes @rusty-snake

<!-- gh-comment-id:1031551368 --> @sak96 commented on GitHub (Feb 7, 2022): any know fixes @rusty-snake

gitea-mirror commented 2026-05-05 08:57:17 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Feb 7, 2022):

Does

1. firejail --noprofile /usr/bin/firefox
2. firejail --ignore=whitelist /usr/bin/firefox
3. firejail --ignore=whitelist --ignore=blacklist /usr/bin/firefox
4. firejail --ignore=dbus-user --ignore=dbus-system /usr/bin/firefox
   work?

<!-- gh-comment-id:1031579755 --> @rusty-snake commented on GitHub (Feb 7, 2022): Does 1. `firejail --noprofile /usr/bin/firefox` 2. `firejail --ignore=whitelist /usr/bin/firefox` 3. `firejail --ignore=whitelist --ignore=blacklist /usr/bin/firefox` 4. `firejail --ignore=dbus-user --ignore=dbus-system /usr/bin/firefox` work?

gitea-mirror commented 2026-05-05 08:57:17 -06:00

Author

Owner

Copy link

@sak96 commented on GitHub (Feb 7, 2022):

• firejail --noprofile /usr/bin/firefox
• firejail --ignore=whitelist /usr/bin/firefox
• firejail --ignore=whitelist --ignore=blacklist /usr/bin/firefox
• firejail --ignore=dbus-user --ignore=dbus-system /usr/bin/firefox

dns works with all of them.

<!-- gh-comment-id:1031686100 --> @sak96 commented on GitHub (Feb 7, 2022): - [x] firejail --noprofile /usr/bin/firefox - [x] firejail --ignore=whitelist /usr/bin/firefox - [x] firejail --ignore=whitelist --ignore=blacklist /usr/bin/firefox - [x] firejail --ignore=dbus-user --ignore=dbus-system /usr/bin/firefox dns works with all of them.

gitea-mirror commented 2026-05-05 08:57:18 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Feb 7, 2022):

• firejail --ignore=dbus-system /usr/bin/firefox
• firejail --ignore="dbus-system none" --dbus-system=filter --dbus-system.talk=org.freedesktop.resolve1 /usr/bin/firefox
• firejail --ignore="include whitelist-run-common.inc" /usr/bin/firefox
• firejail --whitelist=/run/systemd /usr/bin/firefox
• firejail --whitelist=/run/systemd/resolve /usr/bin/firefox
• firejail --whitelist=/run/systemd/resolve/io.systemd.Resolve /usr/bin/firefox

<!-- gh-comment-id:1031691799 --> @rusty-snake commented on GitHub (Feb 7, 2022): - `firejail --ignore=dbus-system /usr/bin/firefox` - `firejail --ignore="dbus-system none" --dbus-system=filter --dbus-system.talk=org.freedesktop.resolve1 /usr/bin/firefox` - `firejail --ignore="include whitelist-run-common.inc" /usr/bin/firefox` - `firejail --whitelist=/run/systemd /usr/bin/firefox` - `firejail --whitelist=/run/systemd/resolve /usr/bin/firefox` - `firejail --whitelist=/run/systemd/resolve/io.systemd.Resolve /usr/bin/firefox`

gitea-mirror commented 2026-05-05 08:57:19 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Feb 7, 2022):

1. Why not ignore include …?
2. Does whitelist /run/systemd/… work?
3. Does the D-Bus way work?

<!-- gh-comment-id:1031704568 --> @rusty-snake commented on GitHub (Feb 7, 2022): 1. Why not `ignore include …`? 2. Does `whitelist /run/systemd/…` work? 3. Does the D-Bus way work?

gitea-mirror commented 2026-05-05 08:57:20 -06:00

Author

Owner

Copy link

@sak96 commented on GitHub (Feb 7, 2022):

interesting all of the above works settling to adding the following.

# ~/.config/firejail/firefox.local
whitelist /run/systemd/resolve/io.systemd.Resolve

Thanks @rusty-snake

<!-- gh-comment-id:1031717213 --> @sak96 commented on GitHub (Feb 7, 2022): interesting all of the above works settling to adding the following. ```firejail # ~/.config/firejail/firefox.local whitelist /run/systemd/resolve/io.systemd.Resolve ``` Thanks @rusty-snake

gitea-mirror commented 2026-05-05 08:57:21 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Feb 7, 2022):

Just to confirm, firejail --ignore="dbus-system none" --dbus-system=filter --dbus-system.talk=org.freedesktop.resolve1 --blacklist=/run/systemd/resolve/io.systemd.Resolve /usr/bin/firefox (i.e. D-Bus) works too.

<!-- gh-comment-id:1031788171 --> @rusty-snake commented on GitHub (Feb 7, 2022): Just to confirm, `firejail --ignore="dbus-system none" --dbus-system=filter --dbus-system.talk=org.freedesktop.resolve1 --blacklist=/run/systemd/resolve/io.systemd.Resolve /usr/bin/firefox` (i.e. D-Bus) works too.

gitea-mirror commented 2026-05-05 08:57:22 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Feb 7, 2022):

What does grep "^hosts" /etc/nsswitch.conf show?

<!-- gh-comment-id:1031795593 --> @rusty-snake commented on GitHub (Feb 7, 2022): What does `grep "^hosts" /etc/nsswitch.conf` show?

gitea-mirror commented 2026-05-05 08:57:22 -06:00

Author

Owner

Copy link

@sak96 commented on GitHub (Feb 8, 2022):

firejail --ignore="dbus-system none" --dbus-system=filter --dbus-system.talk=org.freedesktop.resolve1 --blacklist=/run/systemd/resolve/io.systemd.Resolve /usr/bin/firefox does not help.

grep "^hosts" /etc/nsswitch.conf shows the same result in both with fix (mentioned in last msg by me) and without

hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns

<!-- gh-comment-id:1032217315 --> @sak96 commented on GitHub (Feb 8, 2022): `firejail --ignore="dbus-system none" --dbus-system=filter --dbus-system.talk=org.freedesktop.resolve1 --blacklist=/run/systemd/resolve/io.systemd.Resolve /usr/bin/firefox` does not help. `grep "^hosts" /etc/nsswitch.conf` shows the same result in both with fix (mentioned in last msg by me) and without ```text hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns ```

gitea-mirror commented 2026-05-05 08:57:23 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Feb 8, 2022):

firejail --ignore="dbus-system none" --dbus-system=filter --dbus-system.talk=org.freedesktop.resolve1 --blacklist=/run/systemd/resolve/io.systemd.Resolve /usr/bin/firefox does not help.

But firejail --ignore=dbus-system --ignore=dbus-user [--blacklist=/run/systemd/resolve/io.systemd.Resolve] /usr/bin/firefox works?

hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns

Let me think

<!-- gh-comment-id:1032302146 --> @rusty-snake commented on GitHub (Feb 8, 2022): > firejail --ignore="dbus-system none" --dbus-system=filter --dbus-system.talk=org.freedesktop.resolve1 --blacklist=/run/systemd/resolve/io.systemd.Resolve /usr/bin/firefox does not help. But `firejail --ignore=dbus-system --ignore=dbus-user [--blacklist=/run/systemd/resolve/io.systemd.Resolve] /usr/bin/firefox` works? > hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns Let me think

gitea-mirror commented 2026-05-05 08:57:24 -06:00

Author

Owner

Copy link

@sak96 commented on GitHub (Feb 8, 2022):

firejail --ignore=dbus-system --ignore=dbus-user [--blacklist=/run/systemd/resolve/io.systemd.Resolve] /usr/bin/firefox does not work

<!-- gh-comment-id:1032349062 --> @sak96 commented on GitHub (Feb 8, 2022): `firejail --ignore=dbus-system --ignore=dbus-user [--blacklist=/run/systemd/resolve/io.systemd.Resolve] /usr/bin/firefox` does not work

gitea-mirror commented 2026-05-05 08:57:25 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Feb 8, 2022):

Related #3492

---

Maybe we should remove resolve [!UNAVAIL=return] from nsswitch.conf inside the sandbox.

<!-- gh-comment-id:1032354585 --> @rusty-snake commented on GitHub (Feb 8, 2022): Related #3492 --- Maybe we should remove `resolve [!UNAVAIL=return]` from nsswitch.conf inside the sandbox.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2261

No description provided.