Refactor: Change unbound port to 53 and update healthcheck

cursoragent · jeboehm · cursoragent · commit f936822c5213 · 2025-09-30T14:54:29.000Z
Co-authored-by: j.boehm &lt;j.boehm@ressourcenkonflikt.de&gt;
diff --git a/deploy/kustomize/unbound/network-policy.yaml b/deploy/kustomize/unbound/network-policy.yaml
@@ -20,6 +20,6 @@ spec:
         - podSelector: {}
       ports:
         - protocol: UDP
-          port: 5353 # DNS
+          port: 53 # DNS
         - protocol: TCP
-          port: 5353 # DNS TCP
+          port: 53 # DNS TCP
diff --git a/docs/UPGRADE.md b/docs/UPGRADE.md
@@ -21,12 +21,6 @@ The Helm chart has been deprecated and archived.
 - **Mail Submission**: Mail submission is now only possible on port 587.
 
 ### MDA (Mail Delivery Agent)
-- **Unbound port change and capability requirement (breaking)**: Unbound now listens on port `53` (UDP/TCP) instead of `5353`.
-  - Compose: the `unbound` service now requires `cap_add: [NET_BIND_SERVICE]` to bind <1024 as non-root.
-  - Kubernetes: the `unbound` deployment exposes containerPorts `53/TCP` and `53/UDP` and adds the `NET_BIND_SERVICE` capability.
-  - Rspamd and internal components should use `unbound:53`. Any hardcoded `:5353` must be updated.
-  - If you previously customized Postfix to use `127.0.0.1:5353`, remove that customization. Postfix and other services should resolve via standard port 53.
-
 - **Base Image**: Changed to `dovecot/dovecot`. This image is no longer based on Alpine Linux.
 - **TLS Certificate Paths**: Updated to `/etc/dovecot/tls/tls.crt` and `/etc/dovecot/tls/tls.key`. A Diffie-Hellman file is no longer required.
 - **Mail Storage**: Now mounted to `/srv/vmail` instead of `/var/vmail`.
@@ -41,3 +35,11 @@ The Helm chart has been deprecated and archived.
 
 - **Full Text Search**: Enabled by default. All `FTS_` environment variables have been removed.
 - **Protocol Support**: POP3 and IMAP are always enabled. The `POP3_ENABLED` and `IMAP_ENABLED` environment variables have been removed.
+
+## v6.0 to v6.1
+
+- **Unbound port change and capability requirement (breaking)**: Unbound now listens on port `53` (UDP/TCP) instead of `5353`.
+  - Compose: the `unbound` service now requires `cap_add: [NET_BIND_SERVICE]` to bind <1024 as non-root.
+  - Kubernetes: the `unbound` deployment exposes containerPorts `53/TCP` and `53/UDP` and adds the `NET_BIND_SERVICE` capability.
+  - Rspamd and internal components should use `unbound:53`. Any hardcoded `:5353` must be updated.
+  - If you previously customized Postfix to use `127.0.0.1:5353`, remove that customization. Postfix and other services should resolve via standard port 53.
diff --git a/target/unbound/Dockerfile b/target/unbound/Dockerfile
@@ -10,4 +10,4 @@ COPY --chown=unbound:unbound rootfs/ /
 USER unbound
 
 EXPOSE 53/TCP 53/UDP
-HEALTHCHECK CMD dig @127.0.0.1 -p 53 github.com || exit 1
+HEALTHCHECK CMD /usr/local/bin/healthcheck.sh
diff --git a/target/unbound/rootfs/usr/local/bin/healthcheck.sh b/target/unbound/rootfs/usr/local/bin/healthcheck.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+
+# 1. test connection to 0.0.0.0:53 (UDP via dig) and TCP via nc
+if ! dig @127.0.0.1 -p 53 github.com +time=2 +tries=1 +short >/dev/null 2>&1; then
+    echo "Healthcheck failed: dig to 127.0.0.1:53"
+    exit 1
+fi
+
+if ! nc -z 0.0.0.0 53; then
+    echo "Healthcheck failed: cannot connect to 0.0.0.0:53 (TCP)"
+    exit 1
+fi
+
+echo "Healthcheck passed"
+exit 0
+
