Unable to query mx record for single domain (WARNING: recursion requested)

jzt308

Hi all,
I noticed a strange issue and I can’t find the source.
I have a straightforward mailcow deploy and been running this for a couple of years now rock solild!
Last week I wanted to reply to a email I received lets say from domain a.org.
After some time I got an email from my mailcow install stating it isn’t able to deliver it but, loyal as it is, will keep trying.
Now the message retry period is passed and so it notifies me it was unable to deliver the message.

So now I decided to do some detective work. I noticed the error is

(Host or domain name not found. Name service error for name=a.org type=MX: Host not found, try again)

So I tried a dig executed inside the postfix container for the host sudo docker exec mailcowdockerized-postfix-mailcow-1 dig a.org MX and got a

WARNING: recursion requested but not available

and an empty reply. So executed the same command for a couple of different domains to see what this would do.
So running the command again sudo docker exec mailcowdockerized-postfix-mailcow-1 dig google.com MX and behold it gave a valid reply

google.com. 300 IN MX 10 smtp.google.com.

so tried a couple of others (i.e. microsoft.com; facebook.com etc) no issues here all valid reply’s.
So for some reason resolving a.org wont play.
Next I tried the dig command on the docker host itself this one query’s a local DNS server running pihole and unbound. And behold no issue in querying here dig a.org MX gives a valid response and no warning about the recursion.
So for this specific domain there is an issue querying the MX record from unbound and as a result isn’t able to deliver the email.

The other way around is also interesting as this morning I received a phone call from the a.org organization stating they are unable to reach out to me via email. I suspect the issue here is that my mailcow instance is denying the delivery because it isn’t able to resolve the sender ip (not sure though since I didn’t see the error and wasn’t able to find anything on my side).
Just to be clear all other outgoing and incoming emails are flowing just fine and a query inside loki/grafana viewing the last 7 days show no other domains with this issue only errors like:

Warning: dnsblog_query: lookup error for DNS query 227.56.143.149.bl.ipv6.spameatingmonkey.net: Host or domain name not found, try again
warning: dnsblog_query: lookup error for DNS query 227.56.143.149.b.barracudacentral.org: Host or domain name not found. Name service error for name=227.56.143.149.b.barracudacentral.org type=A: Host not found, try again

Any thoughts/hints that might point me in the right direction would be appreciated.
Thank you!

DocFraggle

jzt308 Warning: dnsblog_query: lookup error for DNS query 227.56.143.149.bl.ipv6.spameatingmonkey.net: Host or domain name not found, try again
warning: dnsblog_query: lookup error for DNS query 227.56.143.149.b.barracudacentral.org: Host or domain name not found. Name service error for name=227.56.143.149.b.barracudacentral.org type=A: Host not found, try again

These are blacklist lookups, so this doesn’t matter.
If only “a.org” is affected, I’m afraid we can’t really help you without knowing the real domain name to start debugging…

jzt308

Hi DocFraggle ,

you are right. I tried to hard to share enough information without disclosing to much but it’s just a domain so here it goes: onderwijsconsulenten.nl

DocFraggle

OK, I tried it with two different mailcow systems, no problems here in looking up the mx records via

docker exec mailcowdockerized-postfix-mailcow-1 dig onderwijsconsulenten.nl MX

So is this an ongoing issue? Are you running the latest version of mailcow? Did you try to restart the stack to see if the issue disappears?

docker compose down
docker compose up -d

jzt308

DocFraggle
Just did restart the entire proxmox host and the mailcow machine was also restarted as part of this (I’am running proxmox with a debian VM. In turn this one runs vanilla docker and mailcow).

So I retried the dig inside postfix but it still doesn’t return a valid MX record (so situation is as described in the opening post. This specific domain gives no response (MX/Cname/A record whatever) and throws a WARNING: recursion requested but not available. But any other domain does return a valid value and won’t show the recursion warning.

Again running the same query against my own DNS stack (pihole/unbound) will give a response so for some reason the unbound container mailcow spins up won’t play.

DocFraggle

You have to restart the stack with the commands I posted above. Restarting the host is not enough

jzt308

I must admit that I don’t understand what the difference is between restarting the mailcow VM (and in effect shutdown and restart the docker service and all containers) and doing it manually (would be interested in the difference) but I just did do it manually as you described.

After running the dig command inside the postfix container still gives the warning and no valid response.

DocFraggle

OK, so maybe it’s a Proxmox problem then… I don’t have any experience with Proxmox though…

jzt308

I dont suspect it is due to my setup. Let me try to clarify.

On the physical device I run VM’s using proxmox as virtualisation layer.
Almost all of these VMs are running (full) debian with vanilla docker install.
The on top I run containers. All VM’s are running standalone docker.
So it’s proxmox > VM (Debian) > Docker > container.

For my DNS setup I run a seperate VM in this setup with unbound and pihole and all internal hosts are using this one for resolving.
My mailcow is proxmox > VM (Debian) > Docker > mailcow stack
Now the VM running the mailcow stack is using the internal pihole/unbound for resolving and the mailcow stack is running unbound itself and uses that unbound container for DNS queries.

If I run dig onderwijsconsulenten.nl MX on the Debian host I use for mailcow (thus querying my internal DNS/Pihole/Unbound) I get a valid responses

If I run the same query inside the postfix or unbound inside mailcow the result is:

However query a different domain inside mailcow postfix

No recursion error and a valid response.

So it is something in my setup (obviously it’s working on your end), but I have no idea where it could be and how to find it.
And just to be clear. I am running the latest/current version of mailcow and we did conclude that restarting the mailcow stack (and entire server as well) is still producing the same result.

DocFraggle

You could check the trace of the lookup, looks like this from within my unbound container:

docker exec mailcowdockerized-postfix-mailcow-1 dig onderwijsconsulenten.nl MX +trace

; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> onderwijsconsulenten.nl MX +trace
;; global options: +cmd
.                       52426   IN      NS      m.root-servers.net.
.                       52426   IN      NS      a.root-servers.net.
.                       52426   IN      NS      b.root-servers.net.
.                       52426   IN      NS      c.root-servers.net.
.                       52426   IN      NS      d.root-servers.net.
.                       52426   IN      NS      e.root-servers.net.
.                       52426   IN      NS      f.root-servers.net.
.                       52426   IN      NS      g.root-servers.net.
.                       52426   IN      NS      h.root-servers.net.
.                       52426   IN      NS      i.root-servers.net.
.                       52426   IN      NS      j.root-servers.net.
.                       52426   IN      NS      k.root-servers.net.
.                       52426   IN      NS      l.root-servers.net.
.                       52426   IN      RRSIG   NS 8 0 518400 20250101050000 20241219040000 61050 . r4WBK84pwdPa40wCX/qj4O9u1upz8nY2EqTo2H7ok6vhBVsNNu0W0bMj 8kGZWM015zHpsjhSLe0e22a6x1H5tPE4SJ5/S7xNC9lSS/EVWrGYGshu r3Og4Khr/JIXJx/4lRD0X/7QEXHpfpQNz8DvxrvGNe8o23FJk3jEEHJ6 r/Wck/kDaKGCmQhy34YUC+x8C4fs03ZkTTwT9StnsIXI55+5Vh/Kf4LM vLiy4obELaE3t9ELhKwreTbj+h7OOpWUE6W/k1IlAdYJRbpipLMSgiQq BnwaxbkjVUsK7aEZxmPk4IPo2C/n1xwfkBlJvtcwlCZXIA54uLQX0hkF j8A1Qg==
;; Received 525 bytes from 127.0.0.11#53(127.0.0.11) in 0 ms

nl.                     172800  IN      NS      ns4.dns.nl.
nl.                     172800  IN      NS      ns3.dns.nl.
nl.                     172800  IN      NS      ns1.dns.nl.
nl.                     86400   IN      DS      17153 13 2 C5DFDDC91E7532562A35F3C2CD30823894BE08F20101F1ABF45C8AB9 739F3F49
nl.                     86400   IN      RRSIG   DS 8 1 86400 20250101170000 20241219160000 61050 . l+lbwmgtRI+joE+1S/uyTjptW+qQmpi6dkuPjW/WioAmMrJxzNNTRX8o zNr1GU15P6xyXVqtvWFwatqdL+xrjXsi7LMsGV8pb0yz1Imhegm7RyUQ 7v3I+YedAUu1ndl1cC6YQMFotkFUa+vm5L3spP5wEUcbN3QyI4tWBYR5 Q0xYerM+JMIBNWVw8hZPOi7sDbHhuMgVizS6NlsirqMP7pYHaZ/ZH+jJ PU6ORI1aGQbL+1Y9Ek90hTxe53nRzVssSUxXjdcGMcycIyG9Ba1IQmBh AYOyzgLzD1VN6QLD0OkOgXDoKHQYARadjHUJm5feYMYxYIXAHkATDugC c5lPZw==
;; Received 579 bytes from 193.0.14.129#53(k.root-servers.net) in 27 ms

onderwijsconsulenten.nl. 3600   IN      NS      pns41.cloudns.net.
onderwijsconsulenten.nl. 3600   IN      NS      pns42.cloudns.net.
onderwijsconsulenten.nl. 3600   IN      NS      pns43.cloudns.net.
onderwijsconsulenten.nl. 3600   IN      NS      pns44.cloudns.net.
onderwijsconsulenten.nl. 3600   IN      DS      5736 13 2 39BB5A5C14B1988A5FEB30D117103DB2E7D893F2B97BF2A9E77ADF99 586B8798
onderwijsconsulenten.nl. 3600   IN      RRSIG   DS 13 2 3600 20241231142103 20241217040731 8116 nl. 2Yu38FsT8Xwe130VWYOdmTSDT/w4HaJP9MQ794t33vANVJzxX/EWrIPK Tx0KiHwXzA5YcX1Ktv6NdcysSJt7sg==
;; Received 289 bytes from 2620:10a:80ac::200#53(ns4.dns.nl) in 7 ms

onderwijsconsulenten.nl. 3600   IN      MX      30 mx.ictteamwork.eu.
onderwijsconsulenten.nl. 3600   IN      MX      10 mx.ictteamwork.nl.
onderwijsconsulenten.nl. 3600   IN      MX      20 mx.ictteamwork.com.
onderwijsconsulenten.nl. 3600   IN      RRSIG   MX 13 2 3600 20250102135619 20241203135619 54570 onderwijsconsulenten.nl. FR2Kt+8CgBgxY4KoefDlC1dv448GPvYMWqJle4jCVZ/qNuwmSfLeAT+x QKR7GwcRELp6YTuGjSsbiyUS/TF/8w==
onderwijsconsulenten.nl. 3600   IN      NS      pns42.cloudns.net.
onderwijsconsulenten.nl. 3600   IN      NS      pns41.cloudns.net.
onderwijsconsulenten.nl. 3600   IN      NS      pns43.cloudns.net.
onderwijsconsulenten.nl. 3600   IN      NS      pns44.cloudns.net.
onderwijsconsulenten.nl. 3600   IN      RRSIG   NS 13 2 3600 20250102135619 20241203135619 54570 onderwijsconsulenten.nl. dF+3ALmbImzHvhPCaXGnb4XFxpN9nm+dUTuwS95w0W/7V495h0dCX7BJ Zk/JbzVqzrzqdlwf4l/m6PnLdpZ6BQ==
;; Received 479 bytes from 2a06:fb00:1::3:79#53(pns43.cloudns.net) in 7 ms

dig is asking the root hints which DNS servers are responsible for .nl, next it asks the *dns.nl servers which dns servers are responsible for onderwijsconsulenten.nl and finally can resolve the MX entry.

jzt308

Thank you. So I can confirm that running a trace on my “own” DNS gives exactly the same result as you posted.
However running the same command inside postfix shows something different

So at first sight the difference is the last part. On the internal server it tries at step 1 to resolve using IPV6 (I am not using it)
Then at step 2 it fallsback to IPv4 and gets the required information at step 3.

From the mailcow unbound it fails at IPV6 and gives up.

When doing a trace on an other name this is the result.
It also sees the IPV6 address wont work and uses ipv4 and does get a valid response

DocFraggle

You can try to disable IPv6 if you don’t use it at all:

https://docs.mailcow.email/post_installation/firststeps-disable_ipv6/

jzt308

Ok I followed the instructions provided and disabled IPV6 entirely.
However the response was the same. In the dig trace it didn’t show the IPv6 step anymore, but it didn’t get an ip.

This got me thinking that it must be something else but no idea what.

All my machines are behind a firewall (OPNsense) but my normal unbound had no issues resolving but mailcow unbount did… So it’s not a port limitation because other lookups have no issues. I checked the IDS/IPS logs and behold:
There is a surricata rule blocking queries to this domain. Changed the rule to warn instead of block and reloaded the rules and … it’s like magic… it works

So thank you for the help. Learned something about the dig command and IDP/IPS. This one is solved.