[GH-ISSUE #3720] Question about --dns option #2341

Closed
opened 2026-05-05 09:01:43 -06:00 by gitea-mirror · 7 comments
Originally created by @deb75 on GitHub (Nov 2, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3720

I launch firefox as follows:

```
firejail --name=firefox --private=/some/dir --hostname=debian --cgroup=/sys/fs/cgroup/cpu/app/tasks --env=LANG=fr_FR.UTF8 --dns=10.10.1.1 --net=br0 --nosound /usr/local/bin/firefox
```

br0 is a bridge with ip 10.10.1.1

I made a nameserver listen on 10.10.1.1:53 (checked with nmap). The same name server also listens on 127.0.0.1 (not the jail loopback).

The file `/etc/resolv.conf` contains `nameserver 127.0.0.1` and that of the jail `nameserver 10.10.1.1`.

I noticed that if I manually change the global file `/etc/resolv.conf` to 127.0.2.1, then firefox becomes unable to resolve URLs.
Normally, it should not be affected, as the file `/etc/resolv.conf` in the jail is not changed (checked from firefox itself).

So, why does a manual change to the global `resolv.conf` file affect the browser?


@deb75 commented on GitHub (Nov 3, 2020):

Ok, I think I did not understand how it works.

The dns option runs a dns server inside the jail at the given address. But this server relies itself on the global `resolv.conf` file.


@rusty-snake commented on GitHub (Nov 8, 2020):

`--dns=1.2.3.4` modifies `/etc/resolv.conf` inside the sandbox, but doesn't start a DNS server in the sandbox. Check with `firejail --dns=9.9.9.9 ps -ef`.


@deb75 commented on GitHub (Jan 8, 2021):

My global `/etc/resolv.conf` only contains:

```
nameserver 127.0.2.1
```

I run firefox as follows:

```
firejail --name=firefox --private=/some/dir --hostname=debian --env=LANG=fr_FR.UTF8 --net=br0 --nosound /usr/local/bin/firefox
```

Inside the sandbox, I checked that the nameserver is still 127.0.2.1; however, if inside the sandbox I scan 127.0.2.1:

```
nmap 127.0.2.1 -p53
```

I get:

```
PORT   STATE  SERVICE
53/tcp closed domain
```

The same command outside of the sandbox shows that the port is open.

So, how can I be sure that firefox inside the sandbox really uses my local DNS server?

Regards


@rusty-snake commented on GitHub (Jan 8, 2021):

> How am I sure that [foobar] inside the sandbox really uses my […] dns server?

Use `--netfilter=` and `--netfilter6=` to only allow whitelisted connections.

> How [can I make] that [foobar] inside the sandbox really uses my local [=`127.*.*.*`] dns server?

You need to drop `--net=br0` IIRC.
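As an added illustration (not firejail's own code), a small Python model of the two points made in this thread: `--dns` only rewrites the sandbox's `/etc/resolv.conf` and starts no server, and under `--net=<bridge>` a loopback nameserver refers to the sandbox's own loopback rather than the host's. The reachability rule and the sample `resolv.conf` are assumptions drawn from the discussion above, so the script runs offline.

```python
import ipaddress

# Constructed sample of a host /etc/resolv.conf pointing at a local stub
# resolver, as in the thread (not a real file from the reporter's system).
HOST_RESOLV_CONF = """\
# local resolver
nameserver 127.0.2.1
search example.test
"""


def parse_nameservers(text):
    """Return the nameserver addresses listed in a resolv.conf body."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(ipaddress.ip_address(parts[1]))
    return servers


def sandbox_nameservers(host_resolv_conf, dns=None):
    """Nameservers visible inside the sandbox.

    With --dns=A[,B,...] firejail writes a sandbox-private /etc/resolv.conf
    listing only those addresses (no resolver process is started).
    Without --dns the host file is seen unchanged.
    """
    if dns:
        return [ipaddress.ip_address(a) for a in dns]
    return parse_nameservers(host_resolv_conf)


def check_resolution(host_resolv_conf, dns=None, net=None):
    """Classify each sandbox nameserver as reachable or not.

    Assumption from the thread: --net=<iface> gives the sandbox its own
    network namespace and loopback, so a 127.0.0.0/8 resolver running on
    the host is not reachable from inside; without --net the host
    loopback is shared and a local resolver still answers.
    """
    report = {}
    for ns in sandbox_nameservers(host_resolv_conf, dns):
        if ns.is_loopback and net is not None:
            report[str(ns)] = "unreachable: host loopback not visible under --net=" + net
        else:
            report[str(ns)] = "reachable"
    return report
```

Running `check_resolution(HOST_RESOLV_CONF, net="br0")` flags 127.0.2.1 as unreachable, which is the situation nmap showed above; dropping `net` or pointing `--dns` at the bridge address clears the flag.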


@deb75 commented on GitHub (Jan 8, 2021):

Thanks,

But then, is my current configuration invalid? That is to say, it does not really do what I thought it could do?

As a matter of fact, if I modify the global `resolv.conf`, firefox inside the sandbox can no longer access anything.
If I cancel the modification, firefox works again as usual.

I would like to understand how this works. Apparently, firefox uses my local DNS server, but I cannot access it manually in the sandbox.


@rusty-snake commented on GitHub (Jun 10, 2021):

Do you still have questions?


@rusty-snake commented on GitHub (Aug 4, 2021):

I'm closing here due to inactivity; please feel free to request to reopen if you have more questions.
