esackbauer Thank you for your swift response.
I’m aware of the importance of DNS, and I completely get your point about not fiddling with DNS. :-)
(My recursive resolving and caching nameserver is not using any forwarders, it’s directly talking to root nameservers and the delegated TLD nameservers.)
The reason why I switched to my own nameserver is frequent errors like the below I found in the logs:
time="2025-07-09T23:43:45.281926136Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:172.23.1.253:38963" dns-server="udp:172.23.1.254:53" error="read udp 172.23.1.253:38963->172.23.1.254:53: i/o timeout" question=";96.211.203.35.hostkarma.junkemailfilter.com.\tIN\t A"
As you can see from the target IP address, it’s Unbound which is not responding in time, and it’s the Postfix container trying to query it.
This mailcow instance is not even operational yet (I’m currently testing it to make sure everything is ok), still I’m getting DNS issues. That is very concerning, and I know that my own Bind is bullet-proof which is why I would like to use it.
Method B which I pointed to in my original post is an official method to bypass Unbound, so I plan to continue using it. If there is no “official” method to also disable the Unbound container itself, I can easily live with that, the resources wasted for sure are pretty limited, and my server has 64 GB of RAM, so it’s not a big issue. I just wanted to have it cleaned up by disabling it, but if that’s a problem I can live with it. :-)
Best regards,
Ralf