Cloudron behind CGNAT/Cloudflare Tunnel: queryNs ETIMEOUT
-
Hello all,
I am currently running a Cloudron setup in a CGNAT environment where I don't have a public IPv4 address. To make the dashboard and apps accessible, I am successfully using a Cloudflare Tunnel (cloudflared).
While the tunnel itself is working for traffic ingress, I am hitting a major roadblock when trying to change my domain configuration from Manual (NO_OP) to the Cloudflare DNS provider.
The Problem:
Whenever I attempt to switch the DNS provider to 'Cloudflare' in the Cloudron Dashboard, the process fails with the following error: queryNs ETIMEOUT <domain.com>
Technical Context & Observations:
Unbound Logs: Checking journalctl -u unbound reveals multiple communication errors:
communications error to 127.0.0.150#53: timed out
no servers could be reached
Networking: My Unbound instance is currently listening on 127.0.0.150:53 (confirmed via ss -tulpn).
Firewall: I am using the standard cloudron-firewall, which I know manages iptables rules automatically. I have avoided making manual changes to iptables or ufw to prevent conflicts with Cloudron's internal routing.
Outbound Traffic: General outbound requests from the server seem to work, but the internal DNS lookup for Nameservers (queryNs) specifically times out.
My Questions:
Internal Routing: Has anyone successfully navigated the queryNs ETIMEOUT specifically in a Tunnel/CGNAT setup? It seems Cloudron's internal check is failing to reach the external DNS to verify the records before switching.
Update:
Solved by using command: sudo cloudron-support --unbound-forward-dns 1.1.1.1
Best regards,
Chris
-
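To tell whether the timeout sits in the local Unbound (127.0.0.150:53 in the post) or further upstream, the NS lookup that Cloudron's check performs can be reproduced by hand against both resolvers. The script below is an added diagnostic example, not Cloudron's own code; it builds a raw DNS NS query, sends it over UDP, and reports the reply verdict, with 'example.com' as a constructed default domain and 1.1.1.1 as the forwarder from the post.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id so replies can be matched deterministically

def build_ns_query(domain, txid=TXID):
    """Build a minimal DNS query packet asking for the NS records of `domain`."""
    # Header: id, flags (RD=1 so a forwarder recurses), QDCOUNT=1, AN/NS/AR counts=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in domain.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 2, 1)  # QTYPE NS, QCLASS IN

def classify_response(resp, txid=TXID):
    """Map a raw reply to a verdict: ok / empty / servfail / nxdomain / rcodeN / bad-response."""
    if len(resp) < 12:
        return "bad-response"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:  # wrong id, or QR bit unset (not a response)
        return "bad-response"
    rcode = flags & 0x000F
    if rcode == 0:
        return "ok" if ancount else "empty"
    return {2: "servfail", 3: "nxdomain"}.get(rcode, "rcode%d" % rcode)

def query_ns(domain, server, port=53, timeout=3.0):
    """Send the NS query over UDP; 'timeout' is the condition Cloudron surfaces as queryNs ETIMEOUT."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_ns_query(domain), (server, port))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(data)

if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # constructed default
    # Local Unbound address from the post versus the public forwarder it was pointed at
    for resolver in ("127.0.0.150", "1.1.1.1"):
        print("%-12s NS %s -> %s" % (resolver, domain, query_ns(domain, resolver)))
```

A 'timeout' from 127.0.0.150 alongside an 'ok' from 1.1.1.1 indicates that Unbound's own recursion is what cannot get out, which is the case the forward-dns setting addresses.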
Create Certificate for this setup is still open.
Force a Cloudron SSL breakthrough by deleting the stuck automatic ACME record and adding it manually to Cloudflare. Just five minutes later, propagation finishes the job, bringing your secure tunnel online without the wait.
Can be solved
-
james has marked this topic as solved