Be careful with update from 2024-07 to 2024-08 leads to dns error in unbound

stefan21

This seems to be the same …

https://community.mailcow.email/d/2977-container-unbound-unhealthy/47

satorisage

I am having this issue with a fresh mailcow install.

After the heathcheck fails, I exec into the container and run the dig command from the healthcheck and get an error

Seems unbound isn’t actually running here? Thoughts/suggestions?

h2owasser

I have the same issue. Manually updating healtchec.sh to @127.0.0.11 solve this healtcheck issue, but unbound is still not workuing correctly for the other docker containers. As i use multiple docker networks i use a non standard IPV4_NETWORK=172.40.1 in mailcow.conf which might correlate with the problem.

h2owasser

Just want to mention that everything works without problems if you insert @127.0.0.11 in healtcheck: sed 's/127.0.0.1 /127.0.0.11 /' ./data/Dockerfiles/unbound/healthcheck.sh > ./data/Dockerfiles/unbound/healthcheck.sh
delete all dns: entries and its items in docker-compose.yml
exec docker build data/Dockerfiles/unbound -t mailcow/unbound:own
add in docker-compose.overwrite.yml:
services: unbound-mailcow: build: ./data/Dockerfiles/unbound image: mailcow/unbound:own
execute update.sh

Gebemsea

I just upgraded to the November release and had this exact problem. I did find a root cause IN MY SETUP. Sharing in case it helps.

Setup:

Mailcow DNS with forwarding domain to high-powered Pfsense box sitting next to mailcow (no need for two unbounds here).
PFSense configured with NAT to redirect all LAN DNS requests to itself
PFSense running PFBlocker to block outbound DNS-over-HTTP (DOH) and DNS-Over-TCP queries

Issue:

PFBlocker, by default, blocks trafic of ALL Protocols types to the addresses in it’s DOH block lists
Block lists include 1.1.1.1, 8.8.8.8, 9.9.9.9 which Mailcow uses to check the health of Unbound

Solution:

Edit the DOH rule to only block TCP & UDP protocols, thereby allowing ICMP to pass
I can imagin this can occur with other firewall softwares
In PFSense, to do this: PFBlocker -> IP -> IPv4 -> DoH_IP -> Advanced Outbound Firewall Rule Settings ->Custom Protocol -> TCP/UDP

Skittluier

It seems I’m also experiencing this issue at the moment after fixing my IPv4 issue: https://community.mailcow.email/d/4346-unbound-health-check-and-ipv6

At the moment I have no clue what to do. Maybe someone else has an idea what I can check before I might ruin things? 🤔

Skittluier

Tagging @DocFraggle here as well. Maybe you know what I should do to debug this properly? Thank you! <3

DocFraggle

Skittluier Do you have a special setup for you server? Any local firewall running on the host system which may block DNS requests from inside the docker network? The PITA-award-winning selinux enabled?

Skittluier

DocFraggle Hey DocFraggle! Again, thanks for your swift answer. You definitely deserve that “Moolevel 200”.

Do you have a special setup for you server?
Not that I know. I’m using the Mailcow Docker container, Caddy and Cloudflare for making this entire connection.

Any local firewall running on the host system which may block DNS requests from inside the docker network?
Nope.

The PITA-award-winning selinux enabled?
Yes, SELinux is enabled. Although the state of SELinux is permissive, it doesn’t enforce rules but gives warnings instead.

I do have some more information on this matter. The thing that broke Mailcow for me is my server only giving back an IPv6 address.

I’ve managed to give it an IPv4 address as well now thanks to this thread, but now I’m having that DNS issue: https://superuser.com/questions/237057/how-do-i-make-ubuntu-server-get-ipv4-address/237122#237122

DocFraggle

Did you restart the stack after adding the IPv4 address?

docker compose down
docker compose up -d

Skittluier

DocFraggle Yup, with the help of the update.sh script. This unfortunately didn’t change the situation.

aedankerr

sadly, i got the same issue

edit: but with a fresh install

DocFraggle

Which kernel? And which docker version? Local firewall? Selinux?

« Previous Page