Setup Error - "queryNs ETIMEOUT"

kk_cloudron

@joseph Hi I have the same problem, only I don't think it's a firewall problem because I haven't changed anything and I assume that Cloudron manages the firewall so that everything works fine.
Anyways: I am running Cloudron v8.0.6 (Ubuntu 24.04 LTS) and the command host -t NS {{domain.tld}} 127.0.0.150 gives me the following message:

Any ideas what I could try?

Thanks a lot!

nebulon

@kk_cloudron can you check in the services view if unbound is running? The error indicates that it is not.

You can also check this via SSH using systemctl status unbound

kk_cloudron

@nebulon Thank you, the unbound service is not running and don't starts when I trigger the restart in the services.
In the logs I see related messages (i guess)

at genericNodeError (node:internal/errors:984:15)
at wrappedFn (node:internal/errors:538:14)
at ChildProcess.exithandler (node:child_process:422:12)
at ChildProcess.emit (node:events:518:28)
at maybeClose (node:internal/child_process:1105:16)
at Socket.<anonymous> (node:internal/child_process:457:11)
at Socket.emit (node:events:518:28)
at Pipe.<anonymous> (node:net:337:12) {
	code: 3,
	killed: false,
	signal: null,
	cmd: 'systemctl is-active unbound'
}
Nov 13 14:55:55 box:shell statusUnbound: systemctl with args is-active unbound errored Error: Command failed: systemctl is-active unbound

Could that help to solve the Problem?

kk_cloudron

And this from the Service log:

systemd[1]: Starting unbound.service - Unbound DNS Resolver...
systemd[1]: unbound.service: Control process exited, code=exited, status=203/EXEC
systemd[1]: unbound.service: Failed with result 'exit-code'.

kk_cloudron

Via SSH the command cloudron-support --troubleshoot returned

[WARN]  Domain [domain.tld] expiry check skipped because whois does not have this information
        unbound is down. updating root anchor to see if it fixes it

kk_cloudron

I searched how to updating root achor and found this thread: https://forum.cloudron.io/topic/12496/unbound-anchor-not-found-in-ubuntu-24-04/2

When I run apt list --installed | grep unbound there is an entry unbound/noble-updates,noble-security,now 1.19.2-1ubuntu3.3 amd64 [installed].

When I check for installable unbound packages, there are two:

unbound/noble-updates,noble-security,now 1.19.2-1ubuntu3.3 amd64 [installed]
unbound/noble 1.19.2-1ubuntu3 amd64

Do I need to install the second too?

joseph

I don't think it's an apt package / update issue. Something is causing unbound to not run error (it's an EXEC error). Do you have SELINUX or something like that enabled (this is what some stackoverflow posts suggest for that error).

Are you able to run /usr/sbin/unbound -dv manually?

kk_cloudron

@joseph

root@...:~# /usr/sbin/unbound -dv
[1731569630] unbound[455868:0] notice: Start of unbound 1.19.2.

nebulon

that seems to start then. So systemctl restart unbound still fails? If so not sure what the issue is then, we just install unbound from Ubuntu, this is not specific to Cloudron then unless you have changed the unbound configs maybe.

You may also try, just to be sure to reinstall unbound and depending on ubuntu version also unbound-anchor:

apt reinstall  unbound unbound-anchor

kk_cloudron

Hello Nebulon,
yes, the restart still fails. When I run the reinstall command, a message appears that two new packages are being installed: libunbound8 and unbound-anchor.
So could this be the problem?

If I have changed any configurations, I don't know how, because normally I don't access the server via ssh, but let cloudron manage everything. I only use ssh for disk adjustments or specific instructions from the Cloudron interface.

However. I have started the reinstallation and will wait and see. It is currently taking a while (approx. 5 minutes). The latest message is Setting up unbound (1.19.2-1ubuntu3.3) ...

Thanks for the inputs so far !

kk_cloudron

This post is deleted!

kk_cloudron

Solved! Thanks a lot! (re)installation works.

Do I have to pay attention to any follow-up measures? Or can I leave the administration to Cloudron again?

nebulon

Great. No further things should be required. Maybe some ubuntu dist-upgrade in the past didn't go as planned and something messed with the unbound installation. But glad it got solved.

potemkin_ai

Got the same problem on vanilla Ubuntu 24.04, reinstall didn't help.
status give all green, host command fails though:

# host -t NS apple.com 127.0.0.150
;; communications error to 127.0.0.150#53: timed out
Using domain server:
Name: 127.0.0.150
Address: 127.0.0.150#53
Aliases:

Host apple.com not found: 2(SERVFAIL)

joseph

Have you tried with just vanilla Ubuntu 24.04 and without Cloudron? I suspect the problem is something network related since this works on all the VPS providers. Besides Cloudron configuration is just apt install unbound-server and the config file - https://git.cloudron.io/platform/box/-/tree/master/setup/start/unbound?ref_type=heads . Nothing else is done.

potemkin_ai

@joseph I can't uninstall cloudron, but plain host apple.com works perfectly fine!

potemkin_ai

[4776:0] error: udp connect failed: Network is unreachable for 2001:500:2::c port 53 (len 28)
guess that's a reasonable error for the case when IPv6 is disabled?

do-ip6: no in config doesn't help thought...

potemkin_ai

That is quite embarrassing... I am blocked at the setup process of fresh cloudron on a fresh ubuntu for a few hours...

And that is all due to # Unbound is used primarily for RBL queries (host 2.0.0.127.zen.spamhaus.org) - which is not quite true / right anymore as well?

Gengar

@potemkin_ai & @kk_cloudron

On my side I was also having the issue "queryNs ETIMEOUT" , and it was because my outbound UDP port 53 was not open.

I just had to add it like that on my Hetzner Cloud Firewall :