Be careful with update from 2024-07 to 2024-08 leads to dns error in unbound

Sstefan21 · Aug 23, 2024

I read this. I do understand. My opnsense is using unbound as resolver. Because I do know about the problems with external resolvers. There are reasons why a sysadmin forces any device in the LAN to use only the resolver from a firewall.

What I don’t like is drilling holes in a firewall… of course a mail server needs ports (25, 465, 587) to communicate with other mail servers. Why icmp and DNS can’t be used from a firewall, IDK.

Anyway - as I know the pro’s and con’s of my setup, I’ll stay with a forward-zone in the mailcow pointing to the IP of my opnsense.

You didn’t answer to my question, why the healthscript worked before. I didn’t change anything in my firewall. Do you know the reason?

Sstefan21 · Aug 24, 2024

This seems to be the same …

container unbound unhealthy

mailcow communityDiscussion

container unbound unhealthy

U uniquegch

47 11 Nov 20, 2023

satorisage · Sep 23, 2024

I am having this issue with a fresh mailcow install.

After the heathcheck fails, I exec into the container and run the dig command from the healthcheck and get an error

Seems unbound isn’t actually running here? Thoughts/suggestions?

Hh2owasser · Oct 26, 2024

I have the same issue. Manually updating healtchec.sh to @127.0.0.11 solve this healtcheck issue, but unbound is still not workuing correctly for the other docker containers. As i use multiple docker networks i use a non standard IPV4_NETWORK=172.40.1 in mailcow.conf which might correlate with the problem.

Hh2owasser · Oct 26, 2024

h2owasser

Just want to mention that everything works without problems if you insert @127.0.0.11 in healtcheck: sed 's/127.0.0.1 /127.0.0.11 /' ./data/Dockerfiles/unbound/healthcheck.sh > ./data/Dockerfiles/unbound/healthcheck.sh
delete all dns: entries and its items in docker-compose.yml
exec docker build data/Dockerfiles/unbound -t mailcow/unbound:own
add in docker-compose.overwrite.yml:
services: unbound-mailcow: build: ./data/Dockerfiles/unbound image: mailcow/unbound:own
execute update.sh

Gebemsea · Nov 13, 2024

I just upgraded to the November release and had this exact problem. I did find a root cause IN MY SETUP. Sharing in case it helps.

Setup:

Mailcow DNS with forwarding domain to high-powered Pfsense box sitting next to mailcow (no need for two unbounds here).
PFSense configured with NAT to redirect all LAN DNS requests to itself
PFSense running PFBlocker to block outbound DNS-over-HTTP (DOH) and DNS-Over-TCP queries

Issue:

PFBlocker, by default, blocks trafic of ALL Protocols types to the addresses in it’s DOH block lists
Block lists include 1.1.1.1, 8.8.8.8, 9.9.9.9 which Mailcow uses to check the health of Unbound

Solution:

Edit the DOH rule to only block TCP & UDP protocols, thereby allowing ICMP to pass
I can imagin this can occur with other firewall softwares
In PFSense, to do this: PFBlocker -> IP -> IPv4 -> DoH_IP -> Advanced Outbound Firewall Rule Settings ->Custom Protocol -> TCP/UDP

Skittluier · Dec 16, 2024

It seems I’m also experiencing this issue at the moment after fixing my IPv4 issue: Unbound health check and IPv6

mailcow communityDiscussion

Unbound health check and IPv6

Skittluier

Hi all, My server doesn’t ping to IPv4 addresses anymore and only likes IPv6 from now on. Now the unbound-mailcow healthcheck script only pings to IPv4 addresses at the moment. Is there a way for me to adjust something within a config file to make sure these health checks are being done through

6 2 Dec 14, 2024

At the moment I have no clue what to do. Maybe someone else has an idea what I can check before I might ruin things?

Skittluier · Dec 18, 2024

Tagging @DocFraggle here as well. Maybe you know what I should do to debug this properly? Thank you! <3

DocFraggle · Dec 19, 2024

Skittluier Do you have a special setup for you server? Any local firewall running on the host system which may block DNS requests from inside the docker network? The PITA-award-winning selinux enabled?

Skittluier · Dec 19, 2024

DocFraggle Hey DocFraggle! Again, thanks for your swift answer. You definitely deserve that “Moolevel 200”.

Do you have a special setup for you server?
Not that I know. I’m using the Mailcow Docker container, Caddy and Cloudflare for making this entire connection.

Any local firewall running on the host system which may block DNS requests from inside the docker network?
Nope.

The PITA-award-winning selinux enabled?
Yes, SELinux is enabled. Although the state of SELinux is permissive, it doesn’t enforce rules but gives warnings instead.

I do have some more information on this matter. The thing that broke Mailcow for me is my server only giving back an IPv6 address.

I’ve managed to give it an IPv4 address as well now thanks to this thread, but now I’m having that DNS issue: How do I make Ubuntu Server get IPv4 address?

Super User

How do I make Ubuntu Server get IPv4 address?

I'm running Ubuntu Server in VirtualBox. When I select the internal network option for the network adapter and start up the VM, I only get IPv6 address. I need an IPv4 address as well. My host (run...

DocFraggle · Dec 19, 2024

Did you restart the stack after adding the IPv4 address?

docker compose down
docker compose up -d

Skittluier · Dec 19, 2024

DocFraggle Yup, with the help of the update.sh script. This unfortunately didn’t change the situation.

aedankerr · Dec 26, 2024

sadly, i got the same issue

edit: but with a fresh install

DocFraggle · Dec 26, 2024

Which kernel? And which docker version? Local firewall? Selinux?