Fix mailcow unbound DNS resolution failed healthcheck

I tried to spin up a vanilla mailcow-dockerized setup but couldn’t get it to come up. Logs said that the DNS checks for unbound were failing:

Healthcheck: DNS Resolution Failed on attempt 1 for github.com

I tried all sorts of things to no avail. Querying the DNS on my host as well as via bash in the container itself worked. What eventually fixed it was modifying the unbound conf to allow 127.0.0.1 and set my upstream DNS servers (thanks to this post):

# In the access-control block
  access-control: 127.0.0.1/32 allow

# Right before the remote-control section
forward-zone:
  name: "."
  forward-addr: <IP_OF_DNS_SERVER_1>
  forward-addr: <IP_OF_DNS_SERVER_2>

The full config is as follows:

server:
  verbosity: 1
  interface: 0.0.0.0
  interface: ::0
  logfile: /dev/console
  do-ip4: yes
  do-ip6: yes
  do-udp: yes
  do-tcp: yes
  do-daemonize: no
  #access-control: 0.0.0.0/0 allow
  access-control: 127.0.0.1/32 allow
  access-control: 10.0.0.0/8 allow
  access-control: 172.16.0.0/12 allow
  access-control: 192.168.0.0/16 allow
  access-control: fc00::/7 allow
  access-control: fe80::/10 allow
  #access-control: ::0/0 allow
  directory: "/etc/unbound"
  username: unbound
  auto-trust-anchor-file: trusted-key.key
  #private-address: 10.0.0.0/8
  #private-address: 172.16.0.0/12
  #private-address: 192.168.0.0/16
  #private-address: 169.254.0.0/16
  #private-address: fc00::/7
  #private-address: fe80::/10
  # cache-min-ttl needs to be less or equal to cache-max-negative-ttl
  cache-min-ttl: 5
  cache-max-negative-ttl: 60
  root-hints: "/etc/unbound/root.hints"
  hide-identity: yes
  hide-version: yes
  max-udp-size: 4096
  msg-buffer-size: 65552
  unwanted-reply-threshold: 10000
  ipsecmod-enabled: no

forward-zone:
  name: "."
  forward-addr: <DNS_IP_1>
  forward-addr: <DNS_IP_2>

remote-control:
  control-enable: yes
  control-interface: 127.0.0.1
  control-port: 8953
  server-key-file: "/etc/unbound/unbound_server.key"
  server-cert-file: "/etc/unbound/unbound_server.pem"
  control-key-file: "/etc/unbound/unbound_control.key"
  control-cert-file: "/etc/unbound/unbound_control.pem"

Restart the docker-compose stack after modifying. Success!
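
A small check to run over the edited unbound.conf before restarting, added here as an example and not part of the original post or of mailcow: it confirms that 127.0.0.1 is covered by an allow rule and that the "." forward-zone has usable forward-addr entries. It goes one step beyond the fix by also flagging a /0 allow rule (the commented-out 0.0.0.0/0 line), which would let any client that can reach the port use the resolver. The finding names, the sample configs and the address 192.0.2.53 are assumptions made for the example.

```python
import ipaddress

def parse_clauses(text):
    """Split unbound.conf text into (clause, {option: [values]}) pairs."""
    # Clause headers are 'name:' lines with no value; leading whitespace is
    # ignored, as unbound itself does, so indentation never changes nesting.
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if not value.strip():
            clauses.append((key.strip(), {}))
        elif clauses:
            clauses[-1][1].setdefault(key.strip(), []).append(value.strip().strip('"'))
    return clauses

def lint(text):
    """Return findings for the settings this post changes (empty list = ok)."""
    findings, allowed, forwarders = [], [], []
    for clause, opts in parse_clauses(text):
        if clause == "server":
            for entry in opts.get("access-control", []):
                parts = entry.split()
                if len(parts) == 2 and parts[1].startswith("allow"):
                    allowed.append(ipaddress.ip_network(parts[0], strict=False))
        elif clause == "forward-zone" and opts.get("name") == ["."]:
            forwarders += opts.get("forward-addr", [])
    if not any(ipaddress.ip_address("127.0.0.1") in net for net in allowed):
        findings.append("loopback-not-allowed")
    if any(net.prefixlen == 0 for net in allowed):
        findings.append("open-to-any-client")
    if not forwarders:
        findings.append("no-root-forwarder")
    for addr in forwarders:
        try:
            ipaddress.ip_address(addr.split("@")[0])
        except ValueError:
            findings.append("bad-forward-addr:" + addr)
    return findings

# Constructed samples; 192.0.2.53 is a documentation address, not a real resolver.
BEFORE = "server:\n  access-control: 10.0.0.0/8 allow\n"
AFTER = (BEFORE + "  access-control: 127.0.0.1/32 allow\n"
         "forward-zone:\n  name: \".\"\n  forward-addr: 192.0.2.53\n")

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(conf) or "ok")
```

A placeholder such as <DNS_IP_1> left in the file is reported as bad-forward-addr, so the check also catches a config pasted without filling in the upstream addresses.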