Add Unbound as better DNSSEC enabled resolver

data/Dockerfiles/unbound/Dockerfile

@@ -0,0 +1,21 @@
+FROM alpine:3.6
+
+LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+
+RUN apk add --update --no-cache \
+	curl \
+	unbound \
+	bash \
+	openssl \
+	drill \
+	&& curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache \
+	&& chown root:unbound /etc/unbound \
+	&& chmod 775 /etc/unbound
+
+COPY unbound.conf /etc/unbound/unbound.conf
+
+EXPOSE 53/udp 53/tcp
+
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+
+ENTRYPOINT ["/docker-entrypoint.sh"]

data/Dockerfiles/unbound/docker-entrypoint.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+unbound-control-setup
+echo "Receiving anchor key..."
+/usr/sbin/unbound-anchor -a /etc/unbound/trusted-key.key
+echo "Receiving root hints..."
+curl -#o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
+
+exec "$@"

data/Dockerfiles/unbound/unbound.conf

@@ -0,0 +1,28 @@
+server:
+	verbosity: 2
+	interface: 0.0.0.0
+	interface: ::0
+	logfile: /dev/stdout
+	do-ip4: yes
+	do-ip6: yes
+	do-udp: yes
+	do-tcp: yes
+	do-daemonize: no
+	access-control: 172.22.1.0/24 allow
+	access-control: fd4d:6169:6c63:6f77::/64 allow
+	directory: "/etc/unbound"
+	username: unbound
+	auto-trust-anchor-file: trusted-key.key
+	private-address: 10.0.0.0/8
+	private-address: 172.16.0.0/12
+	private-address: 192.168.0.0/16
+	private-address: 169.254.0.0/16
+	private-address: fd00::/8
+	private-address: fe80::/10
+	root-hints: "/etc/unbound/root.hints"
+remote-control:
+	control-enable: yes
+	server-key-file: /etc/unbound/unbound_server.key
+	server-cert-file: /etc/unbound/unbound_server.pem
+	control-key-file: /etc/unbound/unbound_control.key
+	control-cert-file: /etc/unbound/unbound_control.pem

docker-compose.yml

@@ -1,5 +1,24 @@
 version: '2.1'
 services:
+
+    unbound-mailcow:
+      image: mailcow/unbound
+      command: /usr/sbin/unbound
+      depends_on:
+        mysql-mailcow:
+          condition: service_healthy
+      healthcheck:
+        test: ["CMD", "drill", "A", "servercow.de", "@127.0.0.1"]
+        interval: 10s
+        timeout: 30s
+        retries: 5
+      restart: always
+      networks:
+        mailcow-network:
+          ipv4_address: 172.22.1.254
+          aliases:
+            - bind9
+
     mysql-mailcow:
       image: mariadb:10.1
       healthcheck:
@@ -16,6 +35,9 @@ services:
         - MYSQL_USER=${DBUSER}
         - MYSQL_PASSWORD=${DBPASS}
       restart: always
+      dns:
+        - 172.22.1.254
+      dns_search: mailcow-network
       networks:
         mailcow-network:
           aliases:
@@ -24,11 +46,13 @@ services:
     redis-mailcow:
       image: redis:alpine
       depends_on:
-        mysql-mailcow:
+        - unbound-mailcow
-          condition: service_healthy
       volumes:
         - redis-vol-1:/data/
       restart: always
+      dns:
+        - 172.22.1.254
+      dns_search: mailcow-network
       networks:
         mailcow-network:
           aliases:
@@ -38,6 +62,9 @@ services:
       image: mailcow/clamd
       build: ./data/Dockerfiles/clamav
       restart: always
+      dns:
+        - 172.22.1.254
+      dns_search: mailcow-network
       networks:
         mailcow-network:
           aliases:
@@ -52,8 +79,7 @@ services:
         /usr/bin/rspamd -f -u _rspamd -g _rspamd
         "
       depends_on:
-        nginx-mailcow:
+        - nginx-mailcow
-          condition: service_healthy
       volumes:
         - ./data/conf/rspamd/override.d/:/etc/rspamd/override.d:ro
         - ./data/conf/rspamd/local.d/:/etc/rspamd/local.d:ro
@@ -61,6 +87,9 @@ services:
         - dkim-vol-1:/data/dkim
         - rspamd-vol-1:/var/lib/rspamd
       restart: always
+      dns:
+        - 172.22.1.254
+      dns_search: mailcow-network
       hostname: rspamd
       networks:
         mailcow-network:
@@ -84,6 +113,9 @@ services:
         - DBPASS=${DBPASS}
         - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
       restart: always
+      dns:
+        - 172.22.1.254
+      dns_search: mailcow-network
       networks:
         mailcow-network:
           aliases:
@@ -93,8 +125,7 @@ services:
       image: mailcow/sogo
       build: ./data/Dockerfiles/sogo
       depends_on:
-        mysql-mailcow:
+        - unbound-mailcow
-          condition: service_healthy
       environment:
         - DBNAME=${DBNAME}
         - DBUSER=${DBUSER}
@@ -103,6 +134,9 @@ services:
       volumes:
         - ./data/conf/sogo/:/etc/sogo/
       restart: always
+      dns:
+        - 172.22.1.254
+      dns_search: mailcow-network
       networks:
         mailcow-network:
           ipv4_address: 172.22.1.252
@@ -113,8 +147,7 @@ services:
       image: mailcow/dovecot
       build: ./data/Dockerfiles/dovecot
       depends_on:
-        mysql-mailcow:
+        - unbound-mailcow
-          condition: service_healthy
       volumes:
         - ./data/conf/dovecot:/usr/local/etc/dovecot
         - ./data/assets/ssl:/etc/ssl/mail/:ro
@@ -132,6 +165,9 @@ services:
         - "${POPS_PORT:-995}:995"
         - "${SIEVE_PORT:-4190}:4190"
       restart: always
+      dns:
+        - 172.22.1.254
+      dns_search: mailcow-network
       hostname: ${MAILCOW_HOSTNAME}
       networks:
         mailcow-network:
@@ -142,8 +178,7 @@ services:
       image: mailcow/postfix
       build: ./data/Dockerfiles/postfix
       depends_on:
-        mysql-mailcow:
+        - unbound-mailcow
-          condition: service_healthy
       volumes:
         - ./data/conf/postfix:/opt/postfix/conf
         - ./data/assets/ssl:/etc/ssl/mail/:ro
@@ -158,6 +193,9 @@ services:
         - "${SMTPS_PORT:-465}:465"
         - "${SUBMISSION_PORT:-587}:587"
       restart: always
+      dns:
+        - 172.22.1.254
+      dns_search: mailcow-network
       hostname: ${MAILCOW_HOSTNAME}
       networks:
         mailcow-network:
@@ -167,9 +205,11 @@ services:
     memcached-mailcow:
       image: memcached:alpine
       depends_on:
-        mysql-mailcow:
+        - unbound-mailcow
-          condition: service_healthy
       restart: always
+      dns:
+        - 172.22.1.254
+      dns_search: mailcow-network
       networks:
         mailcow-network:
           aliases:
@@ -202,6 +242,9 @@ services:
         - "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
         - "${HTTP_BIND:-127.0.0.1}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
       restart: always
+      dns:
+        - 172.22.1.254
+      dns_search: mailcow-network
       networks:
         mailcow-network:
           ipv4_address: 172.22.1.251
@@ -213,6 +256,9 @@ services:
         - nginx-mailcow
       image: mailcow/acme
       build: ./data/Dockerfiles/acme
+      dns:
+        - 172.22.1.254
+      dns_search: mailcow-network
       # All domains to be included in the certificate
       environment:
         - CONTAINERS_RESTART=mailcowdockerized_postfix-mailcow_1 mailcowdockerized_dovecot-mailcow_1 mailcowdockerized_nginx-mailcow_1
@@ -239,6 +285,9 @@ services:
         - sogo-mailcow
         - php-fpm-mailcow
       restart: always
+      dns:
+        - 172.22.1.254
+      dns_search: mailcow-network
       privileged: true
       network_mode: "host"
       volumes: