dns resolution does not work

jaco

I have trouble with getting mailcow to work due to dns lookup issues. Anti virus and anti spam services are not able to retreive their signature updates.

I did an update.sh of mailcow so there i am on the latest version.

jaco@ /opt/mailcow-dockerized $ docker --version
Docker version 19.03.12, build 48a66213fe
jaco@ /opt/mailcow-dockerized $ docker-compose --version
docker-compose version 1.26.1, build f216ddbf

from the mailcowdockerized_clamd-mailcow_1 container logs

Wed Jul  1 12:40:45 2020 -> Reading CVD header (daily.cvd): Wed Jul  1 12:40:55 2020 -> !remote_cvdhead: Download failed (6) Wed Jul  1 12:40:55 2020 -> ! Message: Couldn't resolve host name
Wed Jul  1 12:40:55 2020 -> ^Failed to get daily database version information from server: https://database.clamav.net
Wed Jul  1 12:40:55 2020 -> !check_for_new_database_version: Failed to find daily database using server https://database.clamav.net.
Wed Jul  1 12:40:55 2020 -> Giving up on https://database.clamav.net...
Wed Jul  1 12:40:55 2020 -> !Update failed for database: daily
Wed Jul  1 12:40:55 2020 -> ^fc_update_databases: fc_update_database failed: HTTP GET failed (11)
Wed Jul  1 12:40:55 2020 -> !Database update process failed: HTTP GET failed (11)
Wed Jul  1 12:40:55 2020 -> !Update failed.

and in the cli

root@95f895ad7475:/# nslookup database.clamav.net
Server:         127.0.0.11
Address:        127.0.0.11#53

** server can't find database.clamav.net: REFUSED

root@95f895ad7475:/# nslookup unbound
Server:         127.0.0.11
Address:        127.0.0.11#53

Non-authoritative answer:
Name:   unbound
Address: 172.11.1.254
Name:   unbound
Address: fd4d:6169:6c63:6f77::2

root@95f895ad7475:/# cat /etc/resolv.conf 
nameserver 127.0.0.11
options ndots:0
root@95f895ad7475:/#

root@95f895ad7475:/# nslookup database.clamav.net 172.11.1.254
Server:         172.11.1.254
Address:        172.11.1.254#53

** server can't find database.clamav.net: REFUSED

How comes the dns server is not set to unbound in that container ?

From the cli of mailcowdockerized_unbound-mailcow_1

bash-5.0# nslookup database.clamav.net 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
database.clamav.net     canonical name = database.clamav.net.cdn.cloudflare.net
Name:   database.clamav.net.cdn.cloudflare.net
Address: 104.16.218.84
Name:   database.clamav.net.cdn.cloudflare.net
Address: 104.16.219.84

Non-authoritative answer:
database.clamav.net     canonical name = database.clamav.net.cdn.cloudflare.net
Name:   database.clamav.net.cdn.cloudflare.net
Address: 2606:4700::6810:da54
Name:   database.clamav.net.cdn.cloudflare.net
Address: 2606:4700::6810:db54

bash-5.0# nslookup database.clamav.net 172.11.1.254
Server:         172.11.1.254
Address:        172.11.1.254:53

** server can't find database.clamav.net: REFUSED

** server can't find database.clamav.net: REFUSED

bash-5.0# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.11:33941        0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      -
tcp        0      0 :::53                   :::*                    LISTEN      -
udp        0      0 0.0.0.0:53              0.0.0.0:*                           -
udp        0      0 127.0.0.11:36201        0.0.0.0:*                           -
udp        0      0 :::53                   :::*                                -
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path

the corresponding part from docker-compose.yml

    clamd-mailcow:
      image: mailcow/clamd:1.36
      restart: always
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      environment:
        - TZ=${TZ}
        - SKIP_CLAMD=${SKIP_CLAMD:-n}
      volumes:
        - ./data/conf/clamav/:/etc/clamav/
      networks:
        mailcow-network:
          aliases:
            - clamd

jaco

more from the mailcowdockerized_unbound-mailcow_1

bash-5.0# ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:0B:01:FE  
          inet addr:172.11.1.254  Bcast:172.11.1.255  Mask:255.255.255.0
          inet6 addr: fe80::42:acff:fe0b:1fe/64 Scope:Link
          inet6 addr: fd4d:6169:6c63:6f77::2/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1851 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1700 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:194039 (189.4 KiB)  TX bytes:95973 (93.7 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1682 (1.6 KiB)  TX bytes:1682 (1.6 KiB)

bash-5.0# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172-11-1-1.ligh 0.0.0.0         UG    0      0        0 eth0
172.11.1.0      *               255.255.255.0   U     0      0        0 eth0

Oh and this is not only on the clamd server but on all that are supposed to use the unbound.

from mailcowdockerized_postfix-mailcow_1 logs

Jul  1 13:16:26 trioxygen postfix/postscreen[347]: warning: dnsblog reply timeout 10s for backscatter.spameatingmonkey.net
Jul  1 13:16:26 trioxygen postfix/postscreen[347]: warning: dnsblog reply timeout 10s for bl.spameatingmonkey.net
Jul  1 13:16:26 trioxygen postfix/postscreen[347]: warning: dnsblog reply timeout 10s for zen.spamhaus.org
Jul  1 13:16:26 trioxygen postfix/postscreen[347]: warning: dnsblog reply timeout 10s for list.dnswl.org
Jul  1 13:16:26 trioxygen postfix/postscreen[347]: warning: dnsblog reply timeout 10s for bl.ipv6.spameatingmonkey.net
Jul  1 13:16:26 trioxygen postfix/postscreen[347]: warning: dnsblog reply timeout 10s for dnsbl.sorbs.net
Jul  1 13:16:26 trioxygen postfix/postscreen[347]: warning: dnsblog reply timeout 10s for bl.suomispam.net
Jul  1 13:16:26 trioxygen postfix/postscreen[347]: warning: dnsblog reply timeout 10s for hostkarma.junkemailfilter.com
Jul  1 13:16:26 trioxygen postfix/postscreen[347]: warning: dnsblog reply timeout 10s for wl.mailspike.net
Jul  1 13:16:26 trioxygen postfix/dnsblog[465]: warning: dnsblog_query: lookup error for DNS query 18.149.70.212.wl.mailspike.net: Host or domain name not found. Name service error for name=18.149.70.212.wl.mailspike.net type=A: Host not found, try 
Jul  1 13:16:26 trioxygen postfix/dnsblog[417]: warning: dnsblog_query: lookup error for DNS query 18.149.70.212.bl.suomispam.net: Host or domain name not found. Name service error for name=18.149.70.212.bl.suomispam.net type=A: Host not found, try 
Jul  1 13:16:26 trioxygen postfix/dnsblog[469]: warning: dnsblog_query: lookup error for DNS query 18.149.70.212.bl.ipv6.spameatingmonkey.net: Host or domain name not found. Name service error for name=18.149.70.212.bl.ipv6.spameatingmonkey.net type=A: Host not found, try

diekuh

You can probably not query the DNS root servers. Or perhaps it is filtered by a firewall.

Setup a full recursor (!!!) on another machine and use it as external DNS (see mailcow docs) in mailcow.

It MUST be a real recursor, not a caching forwarder with a public DNS server. That will kill all spam filtering based on IP reputation. So NO DNSmasq for example.

I recommend to use “PDNS Recursor”. Install it on another machine, that is able to query the root zones and point your mailcow to it. PDNS (or whatever) must be configured to allow queries from your cow.

jaco

diekuh Thanks for your reply.
But how comes that i seem to be the only one having this problem with the default setup ?

I dont have any problems with other containers. And the unbound container itself can query.

from the unbound container:


bash-5.0#  dig @b.root-servers.net. www.example.com a

; <<>> DiG 9.14.12 <<>> @b.root-servers.net. www.example.com a
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56321
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: bde0e9b72e4bb96584596cb45efda184c0c5e38a6971bc26 (good)
;; QUESTION SECTION:
;www.example.com.               IN      A

;; AUTHORITY SECTION:
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
b.gtld-servers.net.     172800  IN      AAAA    2001:503:231d::2:30
c.gtld-servers.net.     172800  IN      AAAA    2001:503:83eb::30
d.gtld-servers.net.     172800  IN      AAAA    2001:500:856e::30
e.gtld-servers.net.     172800  IN      AAAA    2001:502:1ca1::30
f.gtld-servers.net.     172800  IN      AAAA    2001:503:d414::30
g.gtld-servers.net.     172800  IN      AAAA    2001:503:eea3::30
h.gtld-servers.net.     172800  IN      AAAA    2001:502:8cc::30
i.gtld-servers.net.     172800  IN      AAAA    2001:503:39c1::30
j.gtld-servers.net.     172800  IN      AAAA    2001:502:7094::30
k.gtld-servers.net.     172800  IN      AAAA    2001:503:d2d::30
l.gtld-servers.net.     172800  IN      AAAA    2001:500:d937::30
m.gtld-servers.net.     172800  IN      AAAA    2001:501:b1f9::30
a.gtld-servers.net.     172800  IN      A       192.5.6.30
b.gtld-servers.net.     172800  IN      A       192.33.14.30
c.gtld-servers.net.     172800  IN      A       192.26.92.30
d.gtld-servers.net.     172800  IN      A       192.31.80.30
e.gtld-servers.net.     172800  IN      A       192.12.94.30
f.gtld-servers.net.     172800  IN      A       192.35.51.30
g.gtld-servers.net.     172800  IN      A       192.42.93.30
h.gtld-servers.net.     172800  IN      A       192.54.112.30
i.gtld-servers.net.     172800  IN      A       192.43.172.30
j.gtld-servers.net.     172800  IN      A       192.48.79.30
k.gtld-servers.net.     172800  IN      A       192.52.178.30
l.gtld-servers.net.     172800  IN      A       192.41.162.30
m.gtld-servers.net.     172800  IN      A       192.55.83.30

;; Query time: 29 msec
;; SERVER: 2001:500:200::b#53(2001:500:200::b)
;; WHEN: Thu Jul 02 10:57:40 CEST 2020
;; MSG SIZE  rcvd: 868

What worries me most is

bash-5.0# nslookup database.clamav.net 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
database.clamav.net     canonical name = database.clamav.net.cdn.cloudflare.net
Name:   database.clamav.net.cdn.cloudflare.net
Address: 104.16.218.84
Name:   database.clamav.net.cdn.cloudflare.net
Address: 104.16.219.84

Non-authoritative answer:
database.clamav.net     canonical name = database.clamav.net.cdn.cloudflare.net
Name:   database.clamav.net.cdn.cloudflare.net
Address: 2606:4700::6810:da54
Name:   database.clamav.net.cdn.cloudflare.net
Address: 2606:4700::6810:db54

bash-5.0# nslookup database.clamav.net 172.11.1.254
Server:         172.11.1.254
Address:        172.11.1.254:53

** server can't find database.clamav.net: REFUSED

** server can't find database.clamav.net: REFUSED

bash-5.0# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.11:33941        0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      -
tcp        0      0 :::53                   :::*                    LISTEN      -
udp        0      0 0.0.0.0:53              0.0.0.0:*                           -
udp        0      0 127.0.0.11:36201        0.0.0.0:*                           -
udp        0      0 :::53                   :::*                                -
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path

When on the unbound host i query 127.0.0.1 interface i get a result, when i query 172.11.1.254 i dont get any answer .

That is not what i expected.

diekuh

My explaination remains.

The unbound container does not use itself (therefore the root DNS servers) for queries. It uses the server as set on your Docker host.

The other containers (like Postfix und Rspamd) should not, never ever, use a public DNS service.

jaco

I have set up pdns on my host. It works as expected.
if i do a dns query inside my unbound container, it works. and i see it in the trace log of my pdns-recursor.

inside the unbound:

bash-5.0# dig database.clamav.net

; <<>> DiG 9.14.12 <<>> database.clamav.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21415
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;database.clamav.net.           IN      A

;; ANSWER SECTION:
database.clamav.net.    2       IN      CNAME   database.clamav.net.cdn.cloudflare.net.
database.clamav.net.cdn.cloudflare.net. 242 IN A 104.16.219.84
database.clamav.net.cdn.cloudflare.net. 242 IN A 104.16.218.84

;; Query time: 2 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Thu Jul 02 22:30:14 CEST 2020
;; MSG SIZE  rcvd: 129

that works as expected.

Now as you say rspamd and postfix should use this unbound container for their resolving …
But how can they if the unbound server itself seems to block queries on his mailcow-docker-network ip ??

ash-5.0# dig database.clamav.net @172.11.1.254

; <<>> DiG 9.14.12 <<>> database.clamav.net @172.11.1.254
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 51050
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 1 msec
;; SERVER: 172.11.1.254#53(172.11.1.254)
;; WHEN: Thu Jul 02 22:32:59 CEST 2020
;; MSG SIZE  rcvd: 12

I had a look at the /etc/unbound.conf file in my unbound container and i see this:

server:
  verbosity: 1
  interface: 0.0.0.0
  interface: ::0
  logfile: /dev/console
  do-ip4: yes
  do-ip6: yes
  do-udp: yes
  do-tcp: yes
  do-daemonize: no
  #access-control: 0.0.0.0/0 allow
  access-control: 10.0.0.0/8 allow
  access-control: 172.16.0.0/12 allow
  access-control: 192.168.0.0/16 allow
  access-control: fc00::/7 allow
  access-control: fe80::/10 allow
  #access-control: ::0/0 allow
  directory: "/etc/unbound"
  username: unbound

meaning my mailcow network 172.11.1.x is not allowed … so that is why i get the refused on the queries to the unbound ….
but this network is created by the mailcow installation … i didn’t choose this myself.

from the mailcow.conf file (=> .env)

# Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)

IPV4_NETWORK=172.11.1

Is that ipv4_network range somewhere generated automatically during install ? Then this is a bug

iacob28

Hi @jaco

Did you find any fix for this issue?