can't install cloudron due to unbound issues
-
The following config file works on a fresh installed Ubuntu, but not on Cloudron:
server: # can be uncommented if you do not need user privilege protection # username: "" # can be uncommented if you do not need file access protection # chroot: "" # location of the trust anchor file that enables DNSSEC. note that # the location of this file can be elsewhere # auto-trust-anchor-file: "/usr/local/etc/unbound/root.key" # auto-trust-anchor-file: "/var/lib/unbound/root.key" # send minimal amount of information to upstream servers to enhance privacy qname-minimisation: yes # specify the interface to answer queries from by ip-address. interface: 127.0.0.150 # interface: ::0 # addresses from the IP range that are allowed to connect to the resolver access-control: 0.0.0.0/0 allow # access-control: 2001:DB8/64 allow -
btw, I wonder why didn't you add
qname-minimisation? -
btw #2: here is the command to quickly verify unbound configuration
unbound -d -vvvvv -c my.conf- as per unbound docs. -
ah very nice. so @potemkin_ai , the completel unbound config cloudron uses is:
server: port: 53 interface: 127.0.0.150 ip-freebind: yes do-ip6: yes access-control: 127.0.0.1 allow cache-max-negative-ttl: 30 cache-max-ttl: 300 prefer-ip4: yes # enable below for logging to journalctl -u unbound # verbosity: 5 # log-queries: yes # https://github.com/NLnetLabs/unbound/issues/806 remote-control: control-enable: noI removed some lines (because it requires docker) but does it work with the above config?
-
@joseph , nop - it doesn't... that's what I keep saying for a few hours now - vanilla cloudron & vanilla ubuntu - I didn't touch a thing - and yeah, that's a config I've seen, with the only exception that prefer-ip4 option is in separate file (for the reasons I didn't find a confirmation for).
I've tried to migrated working config from ubuntu machine without cloudron to the machine with cloudron and it fails
-
If you can narrow down which config option breaks it in your environment, we can investigate further, but since we have no setup where it fails there is not very much for us to look into besides guessing.
Maybe something about the
access-control? -
@nebulon, the things is that it's your config... Like you've seen - I've made unbound working on vanilla Ubuntu. But the very same config fails on Ubuntu with Cloudron setup on it...
I can setup a dedicated server so that you can check it on your own - with or without just
cloudron-setup, injecting your support ssh keys, if you keen to see on your own? -
@potemkin_ai dum question but : Did you try to reboot the server ?
-
@Gengar I even tried with various Ubuntu versions: 22.04 & 24.04
-
@potemkin_ai out of interest, which server provider is this with?
@jdaviescoates This is a pertinent question. I've bought VPSes over the years from different providers that were not ready to roll. The user had to install or activate networks, or the port, or something that I'd say was non-trivial. I'd say 20% of the time I come across this, including other small niggly things like no time server, wrong fs, dns resolvers, etc. At some point, if Cloudron ain't working in your server when it works on soooo many others fine, it's time to just cut your losses and change servers and service providers.
-
@potemkin_ai out of interest, which server provider is this with?
@jdaviescoates it is not cloud provider related.
To demonstrate that created an instance on Hetzner - installed unbound and nothing else - at all - and it doesn't work.
-
as @nebulon said please test
host -t NS apple.com 127.0.0.1on a fresh ubuntu + unbound. If this works, this is already a start . Next step is to use the unbound config at https://forum.cloudron.io/post/104349 . With that config in place, you have to test withhost -t NS apple.com 127.0.0.150. Here's a demo recording if it helps - https://asciinema.org/a/9mMqdLmgJ2X7vWgBUkQVAgB5i -
@nebulon , I'm quite confused as well - I realize it's a basic thing that, would it be broken, would affect everyone at all.
Default unbound works on 127.0.0.1 indeed and so far I ended up with point-finger with firewall - it seems UDP requires 53 port to be open on the inbound firewall rules to be working - something you have on your iptables rules as well.
For your reference - it's much easier to troubleshoot unbound with
systemctl stop unbound && unbound -dd -vvvvas it start writing everything on the console, so we stop the guess work.
Other common troubleshooting steps aress -tulnp | grep 53to see if there is anyone listening.@girish , thank you - for the time being I ended up disabling firewall completely to process with installation process.
I believe I unexpectedly advanced with unbound server for the last 24 hours and will be looking to reconfigure it once the setup is done.It seems like unbound is only used for SpamHause and during setup. If the setup issue will resorted, only SpamHause issue will remain.
-
@nebulon , I'm quite confused as well - I realize it's a basic thing that, would it be broken, would affect everyone at all.
Default unbound works on 127.0.0.1 indeed and so far I ended up with point-finger with firewall - it seems UDP requires 53 port to be open on the inbound firewall rules to be working - something you have on your iptables rules as well.
For your reference - it's much easier to troubleshoot unbound with
systemctl stop unbound && unbound -dd -vvvvas it start writing everything on the console, so we stop the guess work.
Other common troubleshooting steps aress -tulnp | grep 53to see if there is anyone listening.@girish , thank you - for the time being I ended up disabling firewall completely to process with installation process.
I believe I unexpectedly advanced with unbound server for the last 24 hours and will be looking to reconfigure it once the setup is done.It seems like unbound is only used for SpamHause and during setup. If the setup issue will resorted, only SpamHause issue will remain.
@potemkin_ai said in can't install cloudron due to unbound issues:
It seems like unbound is only used for SpamHause and during setup. If the setup issue will resorted, only SpamHause issue will remain.
It's also used for DNS propagation checks (during app install, change location etc) and also verify validity of DNS records for Let's Encrypt. We cannot rely on caching resolvers because they would cache not found (NXDOMAIN) entries for very long periods of time.
The recommendation is to keep all the outbound ports open - https://docs.cloudron.io/security/#outbound-ports .
-
G girish has marked this topic as solved on
