can't install cloudron due to unbound issues
-
I've tried to ask for the support via e-mail, but have been asked to post the problem here for the sake of SEO friendliness.
Ok, so here is the problem: vanilla Ubuntu 24.04 or 22.04, can't install vanilla Cloudron, as unbound is failing to resolve any domains at all (and it's only needed to do SpamHause like checks, but that also can't be resolved for quite some time now)
I've provided all of the information at the forum thread: https://forum.cloudron.io/topic/12145/setup-error-queryns-etimeout/20
I would appreciate any technical assistance from Cloudron team, as I'm trying to work-around DNS issues for a few weeks now and now I'm completely stale, as I can't even install new instance.
Shall anyone - from e-mail support or here or via pager help me - that would be fantastic.
And I'm on a Pro plan. -
J joseph marked this topic as a question
-
J joseph referenced this topic
-
Mmm, we have a regular stream of installations and I am sure there is no general issue. FWIW, I even installed it afresh on DO just now and it works fine.
Do you mean the
cloudron-setupscript itself fails? What is the error message and where does it fail? There is a log file in /var/log/cloudron-setup.log . Maybe any insights there. Unbound is not used since Cloudron 8 for normal DNS resolution (maybe you are installing pre-Cloudron 8?).root@ubuntu-s-1vcpu-2gb-sfo3-01:~# host -t NS apple.com 127.0.0.150 Using domain server: Name: 127.0.0.150 Address: 127.0.0.150#53 Aliases: apple.com name server d.ns.apple.com. apple.com name server a.ns.apple.com. apple.com name server b.ns.apple.com. apple.com name server c.ns.apple.com. root@ubuntu-s-1vcpu-2gb-sfo3-01:~# host apple.com 127.0.0.150 Using domain server: Name: 127.0.0.150 Address: 127.0.0.150#53 Aliases: apple.com has address 17.253.144.10 apple.com has IPv6 address 2620:149:af0::10 apple.com mail is handled by 20 mx-in-vib.apple.com. apple.com mail is handled by 10 mx-in.g.apple.com. apple.com mail is handled by 20 mx-in-ma.apple.com. apple.com mail is handled by 20 mx-in-rn.apple.com. apple.com mail is handled by 20 mx-in-sg.apple.com. apple.com mail is handled by 20 mx-in-hfd.apple.com. -
@joseph, as described in the issue earlier, referenced in my original thread earler, I'm installing latest cloudron instance (the one that is fetched with your original script from the site) and I'm receiving error 'queryNs ETIMEOUT mydomain.com'.
I'd like to reiterate that I've provided all of the information required at the thread earlier: https://forum.cloudron.io/topic/12145/setup-error-queryns-etimeout/20 - would you mind re-checking it please?
-
I can't think of a reason why NS query will fail (unbound is quite mature software). It makes even less sense that normal host command works because to resolve the IP, first you need the NS to work!
The way I see it, if you want to get to the bottom of this, you have to just install fresh ubuntu, then
apt install unbound unbound-anchor. And then check why unbound is not resolving and report this to your VPS provider.Alternately, to move along ignoring the problem, put something like below and systemctl restart unbound . This most likely works because the VPS provider put in effort to make it work with Cloudflare/Google DNS . You can also just change it to whatever the default DNS server of your VPS is.
root@my:~# cat /etc/unbound/unbound.conf.d/forward-everything.conf forward-zone: name: "." forward-addr: 1.1.1.1 forward-addr: 8.8.8.8The above will cause SpamHaus resolutions to fail since Zen does not like Google/Cloudflare requests. For this, you have to get to the bottom of why unbound is unable to resolve on a fresh VPS (just to remove Cloudron from the equation)
-
@joseph , a very fresh machine with no firewall, whatsover fails the very same way; not sure what I can bring to the cloud provider, as 1.1.1.1 works and all of the other services I have there works just fine!
Another reason that it doesn't seem to be related to the cloud provider, is that with the config file you offered - I'm getting the very same error from unbound!
-
The following config file works on a fresh installed Ubuntu, but not on Cloudron:
server: # can be uncommented if you do not need user privilege protection # username: "" # can be uncommented if you do not need file access protection # chroot: "" # location of the trust anchor file that enables DNSSEC. note that # the location of this file can be elsewhere # auto-trust-anchor-file: "/usr/local/etc/unbound/root.key" # auto-trust-anchor-file: "/var/lib/unbound/root.key" # send minimal amount of information to upstream servers to enhance privacy qname-minimisation: yes # specify the interface to answer queries from by ip-address. interface: 127.0.0.150 # interface: ::0 # addresses from the IP range that are allowed to connect to the resolver access-control: 0.0.0.0/0 allow # access-control: 2001:DB8/64 allow -
btw, I wonder why didn't you add
qname-minimisation? -
btw #2: here is the command to quickly verify unbound configuration
unbound -d -vvvvv -c my.conf- as per unbound docs. -
ah very nice. so @potemkin_ai , the completel unbound config cloudron uses is:
server: port: 53 interface: 127.0.0.150 ip-freebind: yes do-ip6: yes access-control: 127.0.0.1 allow cache-max-negative-ttl: 30 cache-max-ttl: 300 prefer-ip4: yes # enable below for logging to journalctl -u unbound # verbosity: 5 # log-queries: yes # https://github.com/NLnetLabs/unbound/issues/806 remote-control: control-enable: noI removed some lines (because it requires docker) but does it work with the above config?
-
@joseph , nop - it doesn't... that's what I keep saying for a few hours now - vanilla cloudron & vanilla ubuntu - I didn't touch a thing - and yeah, that's a config I've seen, with the only exception that prefer-ip4 option is in separate file (for the reasons I didn't find a confirmation for).
I've tried to migrated working config from ubuntu machine without cloudron to the machine with cloudron and it fails
-
If you can narrow down which config option breaks it in your environment, we can investigate further, but since we have no setup where it fails there is not very much for us to look into besides guessing.
Maybe something about the
access-control? -
@nebulon, the things is that it's your config... Like you've seen - I've made unbound working on vanilla Ubuntu. But the very same config fails on Ubuntu with Cloudron setup on it...
I can setup a dedicated server so that you can check it on your own - with or without just
cloudron-setup, injecting your support ssh keys, if you keen to see on your own? -
@potemkin_ai dum question but : Did you try to reboot the server ?
-
@Gengar I even tried with various Ubuntu versions: 22.04 & 24.04
-
@potemkin_ai out of interest, which server provider is this with?
@jdaviescoates This is a pertinent question. I've bought VPSes over the years from different providers that were not ready to roll. The user had to install or activate networks, or the port, or something that I'd say was non-trivial. I'd say 20% of the time I come across this, including other small niggly things like no time server, wrong fs, dns resolvers, etc. At some point, if Cloudron ain't working in your server when it works on soooo many others fine, it's time to just cut your losses and change servers and service providers.
-
@potemkin_ai out of interest, which server provider is this with?
@jdaviescoates it is not cloud provider related.
To demonstrate that created an instance on Hetzner - installed unbound and nothing else - at all - and it doesn't work.
