Option A to specify custom DNS server is ignored/does not work #5063

AnnoyingTechnology · 2023-02-16T10:01:29Z

Contribution guidelines

I've read the contribution guidelines and wholeheartedly agree

I've found a bug and checked that ...

... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
... I have understood that answers are voluntary and community-driven, and not commercial support.
... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

Mailcow's documentation offers two methods to specify a custom DNS server.
While the B method does work, the A method doesn't.

Namely : Edit data/conf/unbound/unbound.conf and append the following parameters:

forward-zone:
  name: "."
  forward-addr: 10.10.10.10

A dig to the external DNS server resolves local names properly.
A dig to the unbound DNS container does not resolve these local names that are only available on that external server.

Logs:

dig @10.10.10.10 spamfilter.oceanis

; <<>> DiG 9.16.37-Debian <<>> @10.10.10.10 spamfilter.oceanis
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47000
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;spamfilter.oceanis.		IN	A

;; ANSWER SECTION:
spamfilter.oceanis.	3600	IN	A	10.10.10.217

;; Query time: 0 msec
;; SERVER: 10.10.10.10#53(10.10.10.10)
;; WHEN: Thu Feb 16 09:56:45 UTC 2023
;; MSG SIZE  rcvd: 63

dig @172.22.1.254 spamfilter.oceanis

; <<>> DiG 9.16.37-Debian <<>> @172.22.1.254 spamfilter.oceanis
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46776
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;spamfilter.oceanis.		IN	A

;; Query time: 4 msec
;; SERVER: 172.22.1.254#53(172.22.1.254)
;; WHEN: Thu Feb 16 09:51:02 UTC 2023
;; MSG SIZE  rcvd: 47

Steps to reproduce:

1. Set up a DNS server, a declare something local to it. Say server.localnetwork
2. Follow method A of mailcow's documentation to use that DNS server for all TLDs.
3. Attempt to resolve server.localnetwork using mailcow's unbound DNS server.

Which branch are you using?

master

Operating System:

Debian 11.6

Server/VM specifications:

6vcore, 8Gb RAM

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

KVM

Docker version:

23.0.1

docker-compose version or docker compose version:

v2.16.0

mailcow version:

2022-11

Reverse proxy:

Nginx

Logs of git diff:

iff --git a/data/conf/unbound/unbound.conf b/data/conf/unbound/unbound.conf
index 27110c04..a1146c84 100644
--- a/data/conf/unbound/unbound.conf
+++ b/data/conf/unbound/unbound.conf
@@ -43,3 +43,7 @@ remote-control:
   server-cert-file: "/etc/unbound/unbound_server.pem"
   control-key-file: "/etc/unbound/unbound_control.key"
   control-cert-file: "/etc/unbound/unbound_control.pem"
+
+forward-zone:
+  name: "."
+  forward-addr: 10.10.10.10
diff --git a/docker-compose.yml b/docker-compose.yml
index 621eb610..8923b7fb 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -49,8 +49,6 @@ services:
         - "${REDIS_PORT:-127.0.0.1:7654}:6379"
       environment:
         - TZ=${TZ}
-      sysctls:
-        - net.core.somaxconn=4096
       networks:
         mailcow-network:
           ipv4_address: ${IPV4_NETWORK:-172.22.1}.249
@@ -319,6 +317,7 @@ services:
         - NET_BIND_SERVICE
       ports:
         - "${SMTP_PORT:-25}:25"
+        - "1587:587"
         - "${SMTPS_PORT:-465}:465"
         - "${SUBMISSION_PORT:-587}:587"
       restart: always
@@ -580,36 +579,6 @@ services:
           aliases:
             - ofelia
 
-    ipv6nat-mailcow:
-      depends_on:
-        - unbound-mailcow
-        - mysql-mailcow
-        - redis-mailcow
-        - clamd-mailcow
-        - rspamd-mailcow
-        - php-fpm-mailcow
-        - sogo-mailcow
-        - dovecot-mailcow
-        - postfix-mailcow
-        - memcached-mailcow
-        - nginx-mailcow
-        - acme-mailcow
-        - netfilter-mailcow
-        - watchdog-mailcow
-        - dockerapi-mailcow
-        - solr-mailcow
-      environment:
-        - TZ=${TZ}
-      image: robbertkl/ipv6nat
-      security_opt:
-        - label=disable
-      restart: always
-      privileged: true
-      network_mode: "host"
-      volumes:
-        - /var/run/docker.sock:/var/run/docker.sock:ro
-        - /lib/modules:/lib/modules:ro
-
 networks:
   mailcow-network:
     driver: bridge

Logs of iptables -L -vn:

# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 121K  165M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 121K  165M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
73082  117M ACCEPT     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 1660  109K DOCKER     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
46449   48M ACCEPT     all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
 1293 83452 ACCEPT     all  --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.2           tcp dpt:8983
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.8           tcp dpt:3306
    7   436 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
   16   960 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
  334 23563 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
    7   448 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.10          tcp dpt:443
    3   180 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.10          tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
46449   48M DOCKER-ISOLATION-STAGE-2  all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
 193K  187M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
70940   57M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 193K  187M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Logs of ip6tables -L -vn:

no ipv6

Logs of iptables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  970 63355 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  643 56653 MASQUERADE  all  --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.2           172.22.1.2           tcp dpt:8983
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.8           172.22.1.8           tcp dpt:3306
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.10          172.22.1.10          tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.10          172.22.1.10          tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  br-mailcow *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.2:8983
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.8:3306
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
    7   436 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1587 to:172.22.1.253:587
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
   16   960 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
  339 23899 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
    8   512 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.1.10:443
    3   180 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.22.1.10:80

Logs of ip6tables -L -vn -t nat:

no ipv6

DNS check:

151.101.129.69
151.101.65.69
151.101.1.69
151.101.193.69

The text was updated successfully, but these errors were encountered:

milkmaker · 2023-04-17T12:32:05Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

AnnoyingTechnology · 2023-04-17T12:55:51Z

Not stale.

milkmaker · 2023-06-17T00:14:49Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

AnnoyingTechnology · 2023-06-17T05:17:32Z

Not stale.

milkmaker · 2023-08-17T00:12:36Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

AnnoyingTechnology · 2023-08-17T06:00:38Z

Not stale.

AnnoyingTechnology · 2023-09-18T10:08:31Z

Any chance of a fix ?

milkmaker · 2023-11-17T13:06:48Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

AnnoyingTechnology · 2023-11-17T13:18:16Z

Any chance of a fix ?

milkmaker · 2024-01-16T14:04:44Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

AnnoyingTechnology · 2024-01-16T15:08:32Z

Not stale, not fixed and no feedback either.

milkmaker · 2024-03-16T16:11:59Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

AnnoyingTechnology · 2024-03-16T16:58:29Z

Not stale, not fixed and no feedback either.

Also, we have just cancelled our support subscription.

milkmaker · 2024-05-16T00:14:31Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

AnnoyingTechnology · 2024-05-16T05:00:15Z

Not stale, not fixed and no feedback either.

milkmaker · 2024-07-15T17:04:01Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

AnnoyingTechnology · 2024-07-15T17:07:47Z

Not stale, not fixed and no feedback either.

milkmaker · 2024-09-14T00:17:06Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

AnnoyingTechnology · 2024-09-14T04:52:40Z

Not stale, not fixed and no feedback either.

milkmaker · 2024-11-13T06:45:36Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

AnnoyingTechnology · 2024-11-13T07:04:05Z

Not stale, not fixed and no feedback either.

Is anyone going to look into this at some point ?
@mkrecek234 @DerLinkman

DerLinkman · 2024-11-13T14:31:08Z

Hi,

so i tried to recreate your issue but i cannot confirm that.

I entered our public DNS resolver:

forward-zone:
  name: "."
  forward-addr: PUBLIC_RESOLVER_IP@53

Restarted unbound and then i can see my servers ip requesting the public dns resolver so as it should.

Maybe the @port-number is necessary even if it should use port 53 DNS?

Can you try that?

AnnoyingTechnology added the bug label Feb 16, 2023

milkmaker added the stale Please update the issue with current status, unclear if it's still open/needed. label Apr 17, 2023

milkmaker removed the stale Please update the issue with current status, unclear if it's still open/needed. label Apr 17, 2023

milkmaker added the stale Please update the issue with current status, unclear if it's still open/needed. label Jun 17, 2023

milkmaker removed the stale Please update the issue with current status, unclear if it's still open/needed. label Jun 17, 2023

milkmaker added the stale Please update the issue with current status, unclear if it's still open/needed. label Aug 17, 2023

milkmaker removed the stale Please update the issue with current status, unclear if it's still open/needed. label Aug 17, 2023

milkmaker added the stale Please update the issue with current status, unclear if it's still open/needed. label Nov 17, 2023

milkmaker removed the stale Please update the issue with current status, unclear if it's still open/needed. label Nov 17, 2023

milkmaker added the stale Please update the issue with current status, unclear if it's still open/needed. label Jan 16, 2024

milkmaker removed the stale Please update the issue with current status, unclear if it's still open/needed. label Jan 16, 2024

milkmaker added the stale Please update the issue with current status, unclear if it's still open/needed. label Mar 16, 2024

milkmaker removed the stale Please update the issue with current status, unclear if it's still open/needed. label Mar 16, 2024

milkmaker added the stale Please update the issue with current status, unclear if it's still open/needed. label May 16, 2024

milkmaker removed the stale Please update the issue with current status, unclear if it's still open/needed. label May 16, 2024

milkmaker added the stale Please update the issue with current status, unclear if it's still open/needed. label Jul 15, 2024

milkmaker removed the stale Please update the issue with current status, unclear if it's still open/needed. label Jul 15, 2024

milkmaker added the stale Please update the issue with current status, unclear if it's still open/needed. label Sep 14, 2024

milkmaker removed the stale Please update the issue with current status, unclear if it's still open/needed. label Sep 14, 2024

milkmaker added the stale Please update the issue with current status, unclear if it's still open/needed. label Nov 13, 2024

milkmaker removed the stale Please update the issue with current status, unclear if it's still open/needed. label Nov 13, 2024

DerLinkman added neverstale Bot doesn't mark the issue or PR as stale unconfirmed labels Nov 13, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Option A to specify custom DNS server is ignored/does not work #5063

Option A to specify custom DNS server is ignored/does not work #5063

AnnoyingTechnology commented Feb 16, 2023 •

edited

Loading

milkmaker commented Apr 17, 2023

AnnoyingTechnology commented Apr 17, 2023

milkmaker commented Jun 17, 2023

AnnoyingTechnology commented Jun 17, 2023

milkmaker commented Aug 17, 2023

AnnoyingTechnology commented Aug 17, 2023

AnnoyingTechnology commented Sep 18, 2023

milkmaker commented Nov 17, 2023

AnnoyingTechnology commented Nov 17, 2023

milkmaker commented Jan 16, 2024

AnnoyingTechnology commented Jan 16, 2024

milkmaker commented Mar 16, 2024

AnnoyingTechnology commented Mar 16, 2024

milkmaker commented May 16, 2024

AnnoyingTechnology commented May 16, 2024

milkmaker commented Jul 15, 2024

AnnoyingTechnology commented Jul 15, 2024

milkmaker commented Sep 14, 2024

AnnoyingTechnology commented Sep 14, 2024

milkmaker commented Nov 13, 2024

AnnoyingTechnology commented Nov 13, 2024

DerLinkman commented Nov 13, 2024

Option A to specify custom DNS server is ignored/does not work #5063

Option A to specify custom DNS server is ignored/does not work #5063

Comments

AnnoyingTechnology commented Feb 16, 2023 • edited Loading

Contribution guidelines

I've found a bug and checked that ...

Description

Logs:

Steps to reproduce:

Which branch are you using?

Operating System:

Server/VM specifications:

Is Apparmor, SELinux or similar active?

Virtualization technology:

Docker version:

docker-compose version or docker compose version:

mailcow version:

Reverse proxy:

Logs of git diff:

Logs of iptables -L -vn:

Logs of ip6tables -L -vn:

Logs of iptables -L -vn -t nat:

Logs of ip6tables -L -vn -t nat:

DNS check:

milkmaker commented Apr 17, 2023

AnnoyingTechnology commented Apr 17, 2023

milkmaker commented Jun 17, 2023

AnnoyingTechnology commented Jun 17, 2023

milkmaker commented Aug 17, 2023

AnnoyingTechnology commented Aug 17, 2023

AnnoyingTechnology commented Sep 18, 2023

milkmaker commented Nov 17, 2023

AnnoyingTechnology commented Nov 17, 2023

milkmaker commented Jan 16, 2024

AnnoyingTechnology commented Jan 16, 2024

milkmaker commented Mar 16, 2024

AnnoyingTechnology commented Mar 16, 2024

milkmaker commented May 16, 2024

AnnoyingTechnology commented May 16, 2024

milkmaker commented Jul 15, 2024

AnnoyingTechnology commented Jul 15, 2024

milkmaker commented Sep 14, 2024

AnnoyingTechnology commented Sep 14, 2024

milkmaker commented Nov 13, 2024

AnnoyingTechnology commented Nov 13, 2024

DerLinkman commented Nov 13, 2024

AnnoyingTechnology commented Feb 16, 2023 •

edited

Loading