I finished installing mailcow today and when testing delivery I found that all containers other than unbound do not have working DNS.
It seems the -dns option is not being taken into account and all instances have the DNS set to 127.0.0.11 rather than 172.22.1.254.
CentOS 7
docker -v
Docker version 17.06.0-ce, build 02c1d87
docker-compose version 1.15.0, build e12f3b9
Postfix Log
804FE6641633: to=x@tutanota.com, relay=none, delay=3613, delays=3588/5.1/20/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=tutanota.com type=MX: Host not found, try again)
docker exec -it 62b53245e61d bash
root@zeus:/# cat /etc/resolv.conf
search mailcow-network
nameserver 127.0.0.11
options ndots:0
DNS being set to nameserver 127.0.0.11 is normal in the containers; the request still gets sent to Unbound at 172.22.1.254.
Is the unbound container running?
I have the same problem, log from Postfix:
C5BAC5C0028: to=email@adress.com, relay=none, delay=88277, delays=88257/0.02/20/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=adress.com type=MX: Host not found, try again)
27b9500f7dee mailcow/rspamd:1.3 "/docker-entrypoin..." 17 minutes ago Up 17 minutes mailcowdockerized_rspamd-mailcow_1
bac664953882 nginx:mainline-alpine "/bin/sh -c 'envsu..." 17 minutes ago Up 17 minutes (healthy) 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp mailcowdockerized_nginx-mailcow_1
24f421aa6e19 mailcow/fail2ban:1.5 "python2 -u /logwa..." 17 minutes ago Up 17 minutes mailcowdockerized_fail2ban-mailcow_1
aa4f08f8de64 mailcow/phpfpm:1.0 "/docker-entrypoin..." 17 minutes ago Up 17 minutes 9000/tcp mailcowdockerized_php-fpm-mailcow_1
8027a088f948 mailcow/postfix:1.2 "/bin/sh -c 'exec ..." 17 minutes ago Up 17 minutes 0.0.0.0:25->25/tcp, 0.0.0.0:465->465/tcp, 0.0.0.0:587->587/tcp, 588/tcp mailcowdockerized_postfix-mailcow_1
d0dba3ef0bcf mailcow/sogo:1.3 "/bin/sh -c 'exec ..." 17 minutes ago Up 17 minutes mailcowdockerized_sogo-mailcow_1
4e5ee8252881 redis:alpine "docker-entrypoint..." 17 minutes ago Up 17 minutes 6379/tcp mailcowdockerized_redis-mailcow_1
3892ae44a0cd memcached:alpine "docker-entrypoint..." 17 minutes ago Up 17 minutes 11211/tcp mailcowdockerized_memcached-mailcow_1
56ca9cc70377 mailcow/dovecot:1.4 "/docker-entrypoin..." 17 minutes ago Up 17 minutes 0.0.0.0:110->110/tcp, 0.0.0.0:143->143/tcp, 0.0.0.0:993->993/tcp, 0.0.0.0:995->995/tcp, 24/tcp, 10001/tcp, 0.0.0.0:4190->4190/tcp, 127.0.0.1:19991->12345/tcp mailcowdockerized_dovecot-mailcow_1
e7a200ae4091 mailcow/unbound:1.0 "/docker-entrypoin..." 17 minutes ago Up 17 minutes (healthy) 53/tcp, 53/udp mailcowdockerized_unbound-mailcow_1
8c635a52953b mariadb:10.1 "docker-entrypoint..." 17 minutes ago Up 17 minutes (healthy) 3306/tcp mailcowdockerized_mysql-mailcow_1
cf858e9f1432 mailcow/clamd:1.1 "/bootstrap.sh" 17 minutes ago Up 17 minutes 3310/tcp mailcowdockerized_clamd-mailcow_1
4135420b000c robbertkl/ipv6nat "/docker-ipv6nat -..." 17 minutes ago Up 17 minutes mailcowdockerized_ipv6nat_1
I tested my mail server and it's not working for specific domains. Most messages go OK, but several of them show this error.
C5BAC5C0028: to=email@adress.com, relay=none, delay=88277, delays=88257/0.02/20/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=adress.com type=MX: Host not found, try again)
This is very strange. What do you think, andryyy?
I got into the same issue - unbound is actually not able to resolve any DNS request.
No matter what I try there, I get the following on nslookup google.com 127.0.0.1:
;; connection timed out; no servers could be reached
The only way for me to get around it currently is by setting a forward-zone in the unbound config file:
forward-zone:
    name: "."
    forward-addr: 127.0.0.11
    forward-addr: 2a01:4f8:0:a0a1::add:1010
    forward-addr: 2a01:4f8:0:a111::add:9898
    forward-addr: 2a01:4f8:0:a102::add:9999
which leads to the Docker DNS recursor and then to the DNS recursor of my hoster. But probably this is not a good solution.
After that change, mails were for sure able to get in and out again as usual.
Does your hoster block DNS requests (UDP port 53) to any server but its own resolvers? Do you have iptables rules on the host that limit DNS traffic?
The hoster in this situation is Hetzner, as far as I know other resolvers are not blocked. For example I can also use OpenDNS without any problems while Google DNS seems to block requests from the IP range.
I have not configured any iptables rules that could affect DNS requests to the outside world.
I also had DNS issues on a Hetzner server. I did not have the time to analyze it in detail, but the cause was the enabled firewall. After disabling the firewall in the Hetzner Robot, it works as expected. Unfortunately Hetzner does not provide any firewall logs :-(
@snc Oh, that's interesting. I will take a look in the next couple of days to see if this could be the issue for me, since I am currently also using the Hetzner firewall. Thanks! 👍
@snc I tested this behavior and you're right. After disabling the Hetzner Service Firewall there is no problem anymore with resolving DNS over unbound even without changing the default config.
This could in general just be an environment problem. Thank you for your help!
For all who are struggling with the Hetzner firewall:
Port 53 is unimportant for the firewall configuration in this case. According to the documentation, unbound uses the port range 1024-65535 for outgoing requests.
Since the Hetzner Robot Firewall is a static firewall (each incoming packet is checked in isolation), the following rules must be applied:
For TCP:
SRC-IP: ---
DST IP: ---
SRC Port: ---
DST Port: 1024-65535
Protocol: tcp
TCP flags: ack
Action: Accept
For UDP:
SRC-IP: ---
DST IP: ---
SRC Port: ---
DST Port: 1024-65535
Protocol: udp
Action: Accept
If you want to apply a more restrictive port range you have to change the config of unbound first:
{mailcow-dockerized}/data/conf/unbound/unbound.conf:
outgoing-port-avoid: 0-32767
Now the firewall rules can be adjusted as follows:
[...]
DST Port: 32768-65535
[...]
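The comment above explains the failure mode in words: a per-packet firewall never sees that a reply on a high port belongs to a query Unbound just sent, so the rules have to admit the reply by its own header alone. The following script is an added example (not code from the issue thread or from the mailcow project) that models exactly that. It parses the `outgoing-port-avoid:` directive from a constructed unbound.conf fragment to derive the source-port range Unbound will use, builds sample DNS reply packets from an upstream server, and evaluates them against three constructed rule sets: one that only opens port 53, the rule set from the comment above, and the narrower 32768-65535 variant. Packet and rule shapes, the rule-set names and the sample config text are all assumptions made for this example.

```python
"""Model of why a stateless (per-packet) firewall breaks Unbound's recursion.

Added example, not part of the mailcow issue thread or the mailcow project.
It derives Unbound's outgoing source-port range from an unbound.conf fragment
(constructed here) and checks whether DNS reply packets survive a firewall
that judges each packet in isolation, as described in the thread.
"""
import re
from dataclasses import dataclass

# Unbound's default source-port range for outgoing queries, as stated in the thread.
DEFAULT_PORTS = range(1024, 65536)


@dataclass(frozen=True)
class Packet:
    proto: str        # "udp" or "tcp"
    src_port: int
    dst_port: int
    tcp_ack: bool = False


@dataclass(frozen=True)
class Rule:
    proto: str
    dst_ports: range
    require_ack: bool = False


def parse_port_spec(spec):
    """'0-32767' -> range(0, 32768); a single port '5353' -> range(5353, 5354)."""
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    return range(lo, hi + 1)


def outgoing_port_range(conf_text):
    """Return (low, high) of the source ports Unbound may use for queries.

    Starts from DEFAULT_PORTS and removes every `outgoing-port-avoid:` span
    found in the configuration text.
    """
    allowed = set(DEFAULT_PORTS)
    for m in re.finditer(r"^\s*outgoing-port-avoid:\s*(\S+)", conf_text, re.M):
        allowed -= set(parse_port_spec(m.group(1)))
    if not allowed:
        raise ValueError("configuration leaves Unbound no source ports")
    return min(allowed), max(allowed)


def firewall_allows(rules, packet):
    """Stateless evaluation: only the packet's own header is consulted."""
    for r in rules:
        if r.proto != packet.proto or packet.dst_port not in r.dst_ports:
            continue
        if r.require_ack and not packet.tcp_ack:
            continue
        return True
    return False


def dns_replies(low, high):
    """Constructed reply packets from an upstream server (source port 53) to the
    lowest, middle and highest query source port Unbound could have picked."""
    out = []
    for qport in (low, (low + high) // 2, high):
        out.append(Packet("udp", 53, qport))
        out.append(Packet("tcp", 53, qport, tcp_ack=True))
    return out


def replies_blocked(rules, low, high):
    """Return the reply packets the rule set would drop (empty list = all pass)."""
    return [p for p in dns_replies(low, high) if not firewall_allows(rules, p)]


# Constructed rule sets mirroring the thread's descriptions.
RULES_PORT53_ONLY = [Rule("udp", range(53, 54)), Rule("tcp", range(53, 54))]
RULES_THREAD = [Rule("tcp", range(1024, 65536), require_ack=True),
                Rule("udp", range(1024, 65536))]
RULES_RESTRICTED = [Rule("tcp", range(32768, 65536), require_ack=True),
                    Rule("udp", range(32768, 65536))]

# Constructed unbound.conf fragments: defaults, and the narrowed range from the thread.
CONF_DEFAULT = "server:\n    verbosity: 1\n"
CONF_RESTRICTED = "server:\n    outgoing-port-avoid: 0-32767\n"

if __name__ == "__main__":
    for conf_name, conf in (("default", CONF_DEFAULT), ("avoid 0-32767", CONF_RESTRICTED)):
        low, high = outgoing_port_range(conf)
        print(f"unbound config '{conf_name}': query source ports {low}-{high}")
        for rules_name, rules in (("port 53 only", RULES_PORT53_ONLY),
                                  ("thread rules 1024-65535", RULES_THREAD),
                                  ("restricted 32768-65535", RULES_RESTRICTED)):
            dropped = replies_blocked(rules, low, high)
            print(f"  {rules_name:26s} drops {len(dropped)} of 6 reply packets")
```

The first rule set shows why "just open port 53" does nothing for a recursor: replies arrive with source port 53 and a destination port somewhere in Unbound's range, so the destination-port match is what counts. The third rule set is only safe once `outgoing-port-avoid: 0-32767` is in place, because with the default range a query sent from port 1024 gets a reply the firewall drops.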
Nice. Should add this to the docs (tm).
Is anybody willing to create a PR? 😄 Pleeeease.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.