Building a PowerDNS server

  • Jan. 21, 2022
  • Category: Linux
  • Tags: DNS

Using

  • Debian 11
  • PowerDNS 4.6

We will use PostgreSQL to store the records.

Installing postgres

apt install postgresql postgresql-client postgresql-contrib

Changing the password for the postgres database user:

su - postgres
psql -d template1 -c "ALTER USER postgres WITH PASSWORD 'PostgresPassword';"

Adjusting /etc/postgresql/13/main/pg_hba.conf. Note that the trust method accepts connections from these subnets without any password check:

# To allow remote connection
host    all         all         192.168.122.0/24    trust
host    all         all         192.168.123.0/24    trust

Adjusting /etc/postgresql/13/main/postgresql.conf:

listen_addresses = '*'

Then enabling the service at boot and starting it:

systemctl enable postgresql
systemctl start postgresql && systemctl status postgresql

Checking that the server accepts connections:

pg_isready

Installing PowerDNS

Disabling systemd-resolved, which listens on port 53 and would conflict with the recursor:

systemctl disable --now systemd-resolved

Adding the PowerDNS 4.6 repository to apt, pinning it, and importing its signing key:

echo "deb [arch=amd64] http://repo.powerdns.com/debian $(lsb_release -sc)-auth-46 main" > /etc/apt/sources.list.d/pdns.list
cat > /etc/apt/preferences.d/pdns << EOL
Package: pdns-*
Pin: origin repo.powerdns.com
Pin-Priority: 600
EOL
apt install gpg
wget -qO- https://repo.powerdns.com/FD380FBB-pub.asc | gpg --dearmor > /etc/apt/trusted.gpg.d/pdns.gpg

Installing the authoritative server

apt update
apt install pdns-server

The pdns.service unit is already enabled by the package install.

The install also pulls in pdns-backend-bind, which is removed below.

Installing postgresql backend

apt install pdns-backend-pgsql

Creating the database

su - postgres
psql
CREATE DATABASE powerdns;
CREATE USER powerdns WITH PASSWORD 'pdnsPass';
GRANT ALL PRIVILEGES ON DATABASE powerdns TO powerdns;
\q

Importing the database schema:

psql -U powerdns -h 127.0.0.1 -d powerdns -a -f /usr/share/doc/pdns-backend-pgsql/schema.pgsql.sql

Uninstalling bind backend

apt-get remove pdns-backend-bind
apt-get purge pdns-backend-bind

Configuring PowerDNS Authoritative server

Config file - /etc/powerdns/pdns.conf

setgid=pdns
setuid=pdns
launch=gpgsql
gpgsql-host=127.0.0.1
gpgsql-port=5432
gpgsql-dbname=powerdns
gpgsql-user=powerdns
gpgsql-password=pdnsPass
gpgsql-dnssec=yes
local-address=127.0.0.1
local-port=54

The authoritative server listens on port 54 on 127.0.0.1 and the recursor will listen on port 53 with local-address=0.0.0.0.

loglevel=4
master=yes
slave=no
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=127.0.0.1,::1,192.168.0.0/16
webserver-port=8081
api=yes
api-key=aF3kD4eJ0hB1uI1jV8vR2yC0eK8lP9mO
daemon=no
guardian=no
default-publish-cdnskey=1
default-publish-cds=2,4
default-soa-edit=INCEPTION-INCREMENT

Then restarting the service:

systemctl restart pdns

Adding records

Create a forward zone

pdnsutil create-zone adomain.dom
pdnsutil set-kind adomain.dom primary

The default kind is native (see the PowerDNS documentation on DNS Modes of Operation).

Changing the SOA record, which is created automatically with the zone:

pdnsutil edit-zone adomain.dom

Changing this:

; Warning - every name in this file is ABSOLUTE!
$ORIGIN .
adomain.dom   3600    IN      SOA     a.misconfigured.dns.server.invalid hostmaster.adomain.dom 0 10800 3600 604800 3600

To this:

; Warning - every name in this file is ABSOLUTE!
$ORIGIN .
adomain.dom   3600    IN      SOA     ns1.adomain.dom hostmaster.adomain.dom 0 10800 3600 604800 3600

Where the default SOA fields are:

  • primary: taken from the default-soa-name configuration option
  • hostmaster: hostmaster@domain-name
  • serial: 0
  • refresh: 10800 (3 hours)
  • retry: 3600 (1 hour)
  • expire: 604800 (1 week)
  • default_ttl: 3600 (1 hour)

Create the NS record for the nameserver

pdnsutil add-record adomain.dom @ NS 86400 ns1.adomain.dom

Insert A record for the nameserver

pdnsutil add-record adomain.dom ns1 A 120 192.168.122.17

Add MX Record

pdnsutil add-record adomain.dom @ MX 120 "10 mail.adomain.dom"

Insert A record for the mail server

pdnsutil add-record adomain.dom mail A 120 192.168.122.18

Creating Reverse Zone

pdnsutil create-zone 122.168.192.in-addr.arpa

Update the reverse zone SOA, the same way as for the forward zone:

pdnsutil list-zone 122.168.192.in-addr.arpa
pdnsutil edit-zone 122.168.192.in-addr.arpa

Insert NS Reverse Zone Record

pdnsutil add-record 122.168.192.in-addr.arpa @ NS 86400 ns1.adomain.dom

Insert PTR Records

pdnsutil add-record 122.168.192.in-addr.arpa 17 PTR 120 ns1.adomain.dom
pdnsutil add-record 122.168.192.in-addr.arpa 18 PTR 120 mail.adomain.dom

Installing the recursor server

apt install pdns-recursor

Configuring PowerDNS recursor

Adjusting /etc/powerdns/recursor.conf:

forward-zones=adomain.dom=127.0.0.1:54, 122.168.192.in-addr.arpa=127.0.0.1:54
local-address=0.0.0.0
local-port=53
api-key=aF3kD4eJ0hB1uI1jV8vR2yC0eK8lP9mO
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=127.0.0.1,::1,192.168.0.0/16
webserver-port=8082

Then restarting and checking the service:

systemctl restart pdns-recursor.service
systemctl status pdns-recursor.service

So, with this setup, the pdns authoritative server listens on port 54 and pdns recursor listens on port 53.
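As an added check (example code written for this page, not part of the original write-up or of PowerDNS), the script below parses a pg_hba.conf and the two PowerDNS config files in the style shown above and flags the two things worth verifying in this setup: a trust rule that lets a whole subnet reach PostgreSQL without a password, and a recursor forward-zones target that does not match where the authoritative server listens. The sample config strings are constructed, each with one deliberate defect.

```python
import ipaddress

# Constructed samples (not the page's files verbatim); each carries one deliberate defect to catch:
# a 'trust' rule for a LAN subnet, and a forward-zones target pointing at the wrong port.
PG_HBA = "host  all  all  127.0.0.1/32       md5\nhost  all  all  192.168.122.0/24   trust\n"
AUTH = "launch=gpgsql\nlocal-address=127.0.0.1\nlocal-port=54\n"
REC = "forward-zones=adomain.dom=127.0.0.1:54, 122.168.192.in-addr.arpa=127.0.0.1:53\nlocal-port=53\n"

def parse_kv(text):
    """Parse pdns.conf / recursor.conf style key=value lines; blank lines and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit_pg_hba(text):
    """Flag host rules that use 'trust' (no password check at all) for any non-loopback client range."""
    findings = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 5 and parts[0] in ("host", "hostssl", "hostnossl"):
            _, db, user, address, method = parts[:5]
            try:
                remote = not ipaddress.ip_network(address, strict=False).is_loopback
            except ValueError:  # hostname or keyword such as 'samenet': treat as remote
                remote = True
            if method == "trust" and remote:
                findings.append(f"pg_hba: {address} connects as {user} to {db} without a password")
    return findings

def audit_forwarding(auth_conf, rec_conf):
    """Check that every recursor forward-zones target is the authoritative local-address:local-port."""
    listen = f"{auth_conf.get('local-address', 'unset')}:{auth_conf.get('local-port', 'unset')}"
    findings = []
    for entry in rec_conf.get("forward-zones", "").split(","):
        zone, _, target = entry.strip().partition("=")
        if zone and target.strip() != listen:
            findings.append(f"recursor: {zone} forwards to {target.strip()}, authoritative listens on {listen}")
    return findings

def audit_all(pg_hba=PG_HBA, auth=AUTH, rec=REC):
    """Run both checks over the three config texts and return the combined findings."""
    return audit_pg_hba(pg_hba) + audit_forwarding(parse_kv(auth), parse_kv(rec))

if __name__ == "__main__":
    print("\n".join(audit_all()) or "no findings")
```

Run against the real files by passing their contents to audit_all; an empty result means both checks passed.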