On Wed, 10 Dec 2025, at 11:10, Anthony Pankov wrote:
> Hello,
>
> I'm again facing the problem of providing a host-wide interface to all
> jails in a host.
Hi Anthony,

You can run local_unbound for exactly this purpose, chrooted on the jail host, bound to a jails-only loopback interface, lo1 say, on 10.0.0.0/8. It can listen on an IP that's accessible from all jails.

You can use the new svcj support (service jail) to improve the security a bit further, but I've not tried this yet.

I have other services like haproxy that run on jails; the same lo1 network is used on each jail host to provide generic services to all jails. pf rules make the traffic go the right way. If you want to run your own jailed DNS services there's not really anything that should stop you doing this.

I can share my ansible config for this privately if that's of interest.

A+
Dave
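An added worked example of the layout Dave describes, not code from the thread or from Dave's ansible config: a jails-only loopback lo1 inside 10.0.0.0/8, the host's chrooted local_unbound listening on one lo1 address, a jail given an lo1 address, and pf rules limiting what jails may reach on that interface. The concrete values are assumptions: lo1 carries 10.255.0.0/16, the resolver listens on 10.255.0.1, and a sample jail named "web" lives at 10.255.1.10 under /jails/web.

```shell
#!/bin/sh
# Added example (not from the thread). Renders the host-side config for a
# jails-only lo1 loopback serving DNS from the host's chrooted local_unbound.
# Assumed values: lo1 = 10.255.0.0/16, resolver 10.255.0.1, jail "web" at
# 10.255.1.10. Run "sh lo1-dns.sh /" on the jail host, or give any other
# directory for a dry run that writes the files there instead.
set -eu

LO1_NET="10.255.0.0/16"   # assumed jails-only range carved out of 10.0.0.0/8
DNS_IP="10.255.0.1"       # assumed address local_unbound binds on lo1
JAIL_NAME="web"           # assumed sample jail
JAIL_IP="10.255.1.10"     # assumed sample jail address on lo1

# rc.conf lines: clone lo1 carrying the resolver address, enable the pieces.
render_rc_conf() {
	cat <<EOF
cloned_interfaces="lo1"
ifconfig_lo1="inet ${DNS_IP} netmask 255.255.255.255"
local_unbound_enable="YES"
pf_enable="YES"
jail_enable="YES"
EOF
}

# Drop-in for /var/unbound/conf.d/ (included by the stock local_unbound
# config, which already sets chroot=/var/unbound, username=unbound and only
# listens on 127.0.0.1): add the lo1 listener and allow only the jails range.
render_unbound_conf() {
	cat <<EOF
server:
    interface: ${DNS_IP}
    access-control: ${LO1_NET} allow
EOF
}

# jail.conf entry: the "lo1|addr" form makes jail(8) add the address to lo1
# itself when the jail starts, so nothing else has to configure it.
render_jail_conf() {
	cat <<EOF
${JAIL_NAME} {
    path = "/jails/\$name";
    host.hostname = "\$name";
    ip4.addr = "lo1|${JAIL_IP}/32";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
}
EOF
}

# pf fragment (include it from /etc/pf.conf): jails may talk DNS to the host
# resolver on lo1 and nothing else there. Add passes for other lo1 services
# (haproxy etc.) above the final block.
render_pf_conf() {
	cat <<EOF
lo1_if = "lo1"
jails  = "${LO1_NET}"
dns    = "${DNS_IP}"
pass in quick on \$lo1_if proto { tcp udp } from \$jails to \$dns port 53
block in quick on \$lo1_if from \$jails
EOF
}

# Write everything under a root directory: "/" on the host, elsewhere to
# inspect the result first. rc.conf lines go to rc.conf.local, which
# /etc/defaults/rc.conf already sources, so /etc/rc.conf itself is untouched.
write_all() {
	root=$1
	mkdir -p "$root/etc" "$root/var/unbound/conf.d" "$root/jails/$JAIL_NAME/etc"
	render_rc_conf      >> "$root/etc/rc.conf.local"
	render_unbound_conf  > "$root/var/unbound/conf.d/jails.conf"
	render_jail_conf     > "$root/etc/jail.conf"
	render_pf_conf       > "$root/etc/pf.conf.lo1"
	printf 'nameserver %s\n' "$DNS_IP" > "$root/jails/$JAIL_NAME/etc/resolv.conf"
}

# Afterwards, on the host:
#   service netif cloneup; service local_unbound restart
#   service pf reload; service jail start web
# and from the jail: jexec web drill @10.255.0.1 freebsd.org
if [ "$#" -gt 0 ]; then
	write_all "$1"
fi
```

One caveat on the pf part: packets a jail sends to the host's other addresses are delivered over lo0, not lo1, so if your pf.conf has `set skip on lo0` those are not policed by the rules above; drop that line if you want pf to see them too.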
