unbound fails to resolve DNS due to Hetzner Firewall

xosofox

Hi,

I’m really struggeling to understand the reason why, but my unbound is always starting unhealthy when I activate the Hetzner Firewall on my setup.

I had to enable INCOMING icmp to my docker host so the ping checks work.
Now it still looks like the server cannot resolve DNS, even though all outbound connections/traffic are allowed. (as well es the famous return ports with TCP ack)

If I run dig +short +timeout=2 +tries=1 email.mailcow @127.0.0.1
I get ;; communications error to 127.0.0.1#53: timed out

If I disable the Hetzner Firewall (which I only like to do for a short time…) it seems to work.

Any idea on what INCOMING?? Port config I might be missing?

DocFraggle

Yes, you have to add extra rules for that, see https://docs.mailcow.email/getstarted/prerequisite-system/#important-for-hetzner-firewalls

xosofox

Thanks for the info, seems this one got lost during a recent fireall update on our side.

Here is screenshot of the rules that have to be set on the “old school” server firewall, not cloud one. Maybe this might be worth an addition to the docs as I did spend a couple of tries to figure this out (* did not work for protocol)

Here

Now, the lost connection in the firewall did have some bad side effects. Obviously all incoming mail of the last days since the change did get dropped because postfix could not resolve the sender host (including gmail.com etc…)
I assume there is no way to get them back, even from the daily backups, right?

Better Screenshot

BornDeranged

Chiming in here… I am also with Hetzner, I am using a Hetzner firewall, and I do not experience any of those problems. Container is healthy, logs are happy, I’m trying to understand what I am missing?

Here are firewall definitions:

Regards,
-Patrick

IdrisK

Hint: Hetzner Cloud Firewall is a statefull firewall. The firewall for dedicated servers is a stateless firewall.

BornDeranged

IdrisK Right, I haven’t used dedicated servers so I didn’t know that. Thanks for the hint.