Unbound Health check not working

centrase

Hi all,

I’m new to Mailcow. it looks really cool so far. I just have an issue with the Unbound container.

I have an new Ubuntu 24.04 that I have the latest mailcow 2025-05 installed on and have done a clean install but my unbound container is refusing to start cleanly due to a healthcheck.sh script not working. it’s checking on 127.0.0.1 and not 127.0.0.11. the .11 is responding correctly but nothing is answering on 127.0.0.1. I have disabled the healthcheck script in the mailcow.conf file and can start everything like that but was trying to troubleshoot this issue.

Steps I have done:
docker compose exec unbound-mailcow /bin/bash
nslookup mailcow.email 127.0.0.1 #this fails
dig mailcow.email @127.0.0.11 # this works
dig mailcow.email @127.0.0.1 # this fails but is the IP that the script is looking at.

Ubuntu system resolver is on 127.0.0.53
the docker container resolver is on 127.0.0.11

any ideas?

DerLinkman

centrase 127.0.0.1 is unbound itself. The healthcheck is checking if unbound itself can resolve dns. If not, it will fail.

There is something wrong on your system as on normal proper systems this check works as it should.

mlcwuser

I encountered a similar issue with Docker on Ubuntu 24.04 in a different context, which I resolved as follows:

mv /etc/resolv.conf /etc/resolv.conf.bak
ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
systemctl restart systemd-resolved

I don’t know if this is a proper solution or if uit atcually helps in this specific situation. It may also depend on how Ubuntu was installed. For example, a manual installation from an ISO may behave differently to a cloud-init image used by VPS providers, and the latter may also be configured differently depending on the provider. However, Ubuntu, once again, seems to do things differently to other distributions, creating more issues than benefits for users. Therefore, the best solution would probably be to use Debian instead of Ubuntu. 😉

centrase

Thank you!

I did try a clean install of Debian and mailcow as I am testing and found the same error again. After some playing around I found that if I edited the /opt/mailcow-dockerized/data/conf/unbound/unbound.conf to add
interface 127.0.0.1
access-control:127.0.0.1/32 allow
forward-zone:
name: “.”
forward-addr: 172.31.0.1 #router
forward-addr: 1.1.1.3 #one.one.one.one

it would start cleanly and answer DNS correctly.
the full file looks like:

`server:
verbosity: 1
interface: 127.0.0.1
interface: 0.0.0.0
interface: ::0
logfile: /dev/console
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: no
access-control: 0.0.0.0/0 allow
access-control: 127.0.0.1/32 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/12 allow
access-control: 192.168.0.0/16 allow
access-control: fc00::/7 allow
access-control: fe80::/10 allow
#access-control: ::0/0 allow
directory: “/etc/unbound”
username: unbound
auto-trust-anchor-file: trusted-key.key
#private-address: 10.0.0.0/8
#private-address: 172.16.0.0/12
#private-address: 192.168.0.0/16
#private-address: 169.254.0.0/16
#private-address: fc00::/7
#private-address: fe80::/10
#cache-min-ttl needs to be less or equal to cache-max-negative-ttl
cache-min-ttl: 5
cache-max-negative-ttl: 60
root-hints: “/etc/unbound/root.hints”
hide-identity: yes
hide-version: yes
max-udp-size: 4096
msg-buffer-size: 65552
unwanted-reply-threshold: 10000
ipsecmod-enabled: no

forward-zone:
name: “.”
forward-addr: 172.31.0.10
forward-addr: 1.1.1.3

remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 8953
server-key-file: “/etc/unbound/unbound_server.key”
server-cert-file: “/etc/unbound/unbound_server.pem”
control-key-file: “/etc/unbound/unbound_control.key”
control-cert-file: “/etc/unbound/unbound_control.pem”

hope this helps someone but I haven’t answered why it wasn’t bound to 127.0.0.1 in the first place or why the root hints aren’t working and I needed the forwarders.

centrase

Turns out it had nothing to do with any of this… lol

I have the Ubuntu mailcow instance running in a QEMU KVM virtual server instance and I had “enable shared memory” ticked. as I have other VM’s running it was screwing up all sorts in the mailcow instance. facepalm once I unchecked that in the kvm settings everything started working.

hope this helps someone.