Be careful: the update from 2024-07 to 2024-08 leads to a DNS error in unbound
I am having this issue with a fresh mailcow install.
After the healthcheck fails, I exec into the container and run the dig command from the healthcheck and get an error
Seems unbound isn’t actually running here? Thoughts/suggestions?
I have the same issue. Manually updating healthcheck.sh to @127.0.0.11 solves this healthcheck issue, but unbound is still not working correctly for the other docker containers. As I use multiple docker networks I use a non-standard IPV4_NETWORK=172.40.1 in mailcow.conf which might correlate with the problem.
Just want to mention that everything works without problems if you insert @127.0.0.11 in healthcheck:

sed -i 's/127.0.0.1 /127.0.0.11 /' ./data/Dockerfiles/unbound/healthcheck.sh

delete all
dns:
entries and their items in docker-compose.yml

exec
docker build data/Dockerfiles/unbound -t mailcow/unbound:own

add in docker-compose.override.yml:

services:
  unbound-mailcow:
    build: ./data/Dockerfiles/unbound
    image: mailcow/unbound:own

execute update.sh
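An added example (not mailcow's own code) that wraps the two things this thread keeps circling: switching the healthcheck to Docker's embedded resolver at 127.0.0.11, done idempotently and with a backup (it uses sed -i rather than redirecting sed's output onto its own input file, which would truncate the file), and a probe that reproduces the resolver query plus the ICMP pings to 1.1.1.1, 8.8.8.8 and 9.9.9.9 so you can see which side fails. Assumptions: the healthcheck addresses the resolver as "@127.0.0.1" followed by a space or end of line, and the query name mailcow.email is a placeholder.

```shell
#!/bin/sh
# Added example, not mailcow's own code. Assumes the unbound healthcheck
# queries the resolver as "... @127.0.0.1 " (trailing space or end of line),
# as the sed command in the thread implies.

# patch_healthcheck FILE
#   Point the healthcheck at Docker's embedded resolver (127.0.0.11).
#   Returns 0 if the file now uses @127.0.0.11 (patched or already patched),
#   1 if no @127.0.0.1 target was found (file untouched), 2 if FILE is missing.
#   Uses sed -i: redirecting sed's output onto its own input file truncates
#   the file before sed gets to read it.
patch_healthcheck() {
    f="$1"
    [ -f "$f" ] || return 2
    # Already patched: stop here, or a second run would produce 127.0.0.111.
    if grep -qE '@127\.0\.0\.11( |$)' "$f"; then
        return 0
    fi
    grep -qE '@127\.0\.0\.1( |$)' "$f" || return 1
    cp "$f" "$f.bak"                     # keep the original for rollback
    sed -i -e 's/@127\.0\.0\.1 /@127.0.0.11 /g' \
           -e 's/@127\.0\.0\.1$/@127.0.0.11/' "$f"
}

# probe RESOLVER
#   Reproduce the two checks discussed in the thread: a query through RESOLVER
#   and an ICMP ping to the public resolvers the healthcheck pings (the pfSense
#   post shows a DoH block list dropping exactly those pings).
#   Needs dig, ping and network access; prints one line per check.
probe() {
    r="$1"
    if dig +short +timeout=2 +tries=1 mailcow.email "@$r" | grep -q .; then
        echo "dns via $r: ok"
    else
        echo "dns via $r: FAILED (resolver not listening or not forwarding)"
    fi
    for ip in 1.1.1.1 8.8.8.8 9.9.9.9; do
        if ping -c 1 -W 2 "$ip" >/dev/null 2>&1; then
            echo "icmp $ip: ok"
        else
            echo "icmp $ip: FAILED (firewall dropping ICMP to a DoH-listed IP?)"
        fi
    done
}
```

Run probe 127.0.0.1 and probe 127.0.0.11 inside the unbound container to see whether only the loopback address or also the embedded resolver fails.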
I just upgraded to the November release and had this exact problem. I did find a root cause IN MY SETUP. Sharing in case it helps.
Setup:
- Mailcow DNS with forwarding domain to high-powered pfSense box sitting next to mailcow (no need for two unbounds here).
- pfSense configured with NAT to redirect all LAN DNS requests to itself
- pfSense running PFBlocker to block outbound DNS-over-HTTP (DoH) and DNS-over-TCP queries
Issue:
- PFBlocker, by default, blocks traffic of ALL protocol types to the addresses in its DoH block lists
- Block lists include 1.1.1.1, 8.8.8.8, 9.9.9.9 which Mailcow uses to check the health of Unbound
Solution:
- Edit the DoH rule to only block TCP & UDP protocols, thereby allowing ICMP to pass
- I can imagine this can occur with other firewall software
- In pfSense, to do this: PFBlocker -> IP -> IPv4 -> DoH_IP -> Advanced Outbound Firewall Rule Settings -> Custom Protocol -> TCP/UDP
Tagging @DocFraggle here as well. Maybe you know what I should do to debug this properly? Thank you! <3
Skittluier Do you have a special setup for your server? Any local firewall running on the host system which may block DNS requests from inside the docker network? The PITA-award-winning SELinux enabled?
DocFraggle Hey DocFraggle! Again, thanks for your swift answer. You definitely deserve that “Moolevel 200”.
Do you have a special setup for your server?
Not that I know. I’m using the Mailcow Docker container, Caddy and Cloudflare for making this entire connection.
Any local firewall running on the host system which may block DNS requests from inside the docker network?
Nope.
The PITA-award-winning SELinux enabled?
Yes, SELinux is enabled. Although the state of SELinux is permissive, it doesn’t enforce rules but gives warnings instead.
I do have some more information on this matter. The thing that broke Mailcow for me is my server only giving back an IPv6 address.
I’ve managed to give it an IPv4 address as well now thanks to this thread, but now I’m having that DNS issue:
Did you restart the stack after adding the IPv4 address?
docker compose down
docker compose up -d
DocFraggle Yup, with the help of the update.sh script. This unfortunately didn’t change the situation.
Sadly, I got the same issue
edit: but with a fresh install
Which kernel? And which docker version? Local firewall? SELinux?