wiki-grav/pages/02.linux/powerdns/default.en.md

---
title: PowerDNS
visible: true
media_order: powerdns-admin-api-settings.png
---

[toc]

## Installation

### Debian

For the autoriative server install this package  
`# apt install pdns-server`  
This is the PowerDNS resolver package  
`# apt install pdns-recursor`

PowerDNS offers different backends, which are packaged separately on Debian.

**Mysql Backend**

```sh
sudo apt install pdns-backend-mysql mariadb-server
```

**PostgreSQL Backend**

```sh
sudo apt install pdns-backend-pgsql postgresql
```

## Authoritative Server

> [List of all available backends](https://doc.powerdns.com/authoritative/backends/index.html)

### PostgreSQL Backend

Edit the configuration file in `/etc/powerdns/pdns.conf`

```
...
launch=gpgsql
...
gpgsql-host=127.0.0.1
gpgsql-port=5432
gpgsql-dbname=pdns
gpgsql-user=<user>
gpgsql-password=<password>
gpgsql-dnssec=yes
```

Prepare database

```sh
sudo -u postgres psql
```

```sql
CREATE DATABASE pdns;
CREATE USER <user> WITH ENCRYPTED PASSWORD '<password>';
GRANT ALL PRIVILEGES ON DATABASE pdns TO powerdns;
```

Import the schema utilised by PowerDNS. This can be done with the user you just created  
Do note the `-h` parameter is required unless `pg_hba.conf` has been modified to password based authentication locally as well.

```sh
psql -U <user> -d <database> -h 127.0.0.1 -f /usr/share/pdns-backend-pgsql/schema/schema.pgsql.sql
```

```sh
systemctl restart pdns
```

### MySQL Backend

Set the backend you chose in the `launch=` option of PowerDNS' configuration file.  
The config can be found under `/etc/powerdns/pdns.conf`

For MySQL I chose `launch=gmysql`

> A [list of backends can be found here](https://doc.powerdns.com/authoritative/backends/index.html)

Add the following parameters below `launch=gmysql`

```
gmysql-host=127.0.0.1
gmysql-socket=/run/mysqld/mysqld.sock
gmysql-user=(user)
gmysql-password=(password)
gmysql-dbname=pdns
# Add this for dnssec support
gmysql-dnssec=yes
```

Prepare database

```sh
mariadb -u root -p
```

```sql
CREATE DATABASE pdns;
GRANT ALL ON pdns.* TO 'pdns'@'localhost' IDENTIFIED BY '<password>';
```

Import the schema utilised by PowerDNS. This can be done with the user you just created

```sh
mysql -u pdns -p pdns < /usr/share/doc/pdns-backend-mysql/schema.mysql.sql
```

```sh
systemctl restart pdns
```

## PowerDNS CLI

Create Zone and add a name server  
`# pdnsutil create-zone (domain) ns1.(domain)`

Add "A"-Record. **Mind the (.) after the domain**  
"Name" is the hostname you wish to assign.  
`# pdnsutil add-record (domain). (name) A (ip address)`

## Dynamic DNS

`# apt install bind9utils`

Generate key  
`# dnssec-keygen -a hmac-md5 -b 128 -n USER (keyname)`

Edit the configuration file and change `dnsupdate=no` to `dnsupdate=yes` and set `allow-dnsupdate-from=` to empty.

Allow updates from your DHCP server  
`# pdnsutil set-meta (domain) ALLOW-DNSUPDATE-FROM (dhcp server ip)`  
If you set up a reverse-zone, also allow that  
`# pdnsutil set-meta (reverse ip).in-addr.arpa ALLOW-DNSUPDATE-FROM (dhcp server ip)`

Import the key  
`# pdnsutil import-tsig-key (keyname) hmac-md5 (key)`  
Enable for domain  
`# pdnsutil set-meta (domain) TSIG-ALLOW-DNSUPDATE (keyname)`  
And for reverse-zone  
`# pdnsutil set-meta (reverse ip).in-addr.arpa TSIG-ALLOW-DNSUPDATE (keyname)`

You also have to configure the DHCP server to provide updates, see [the DHCP article](/linux/services/dhcp-server)

### Testing with nsupdate

`# nsupdate -k Kdhcpdupdate.+157+12673.key`

```
> server 127.0.0.1 5300
> zone testpdns
> update add test.testpdns 3600 A 192.168.7.10
> send
```

## Configuration Recursive Resolver

The config file can be found under `/etc/powerdns/recursor.conf`  
In `/etc/powerdns/pdns.conf` set `local-address=127.0.0.1` and `local-port=5300` to allow the recursor to run on port 53  
In `/etc/powerdns/recursor.conf` set `forward-zones=(domain)=127.0.0.1:5300` to forward queries for that domain to the authoritative DNS  
Also set `local-address` and `allow-from`  
To bind to all interfaces, use `local-address=::,0.0.0.0`

### Wipe Cache

`# rec_control wipe-cache $`

## DNSSEC

### Authoritative Server

> https://doc.powerdns.com/authoritative/dnssec/index.html

### Recursor Server

To fully enable DNSSEC, set `dnssec=process-no-validate` to `dnssec=validate`

To allow a domain without DNSSEC, modify `/etc/powerdns/recursor.lua`  
Add `addNTA('(domain)')` to disable DNSSEC for the selected domain.

Show domains with disabled DNSSEC  
`# rec_control get-ntas`

> [DNSSEC Testing](https://wiki.debian.org/DNSSEC#Test_DNSSEC)

## WebGUI

### PowerDNS-Admin

```sh
sudo mkdir /etc/powerdns-admin
```

```sh
sudo podman run -d \
    --name powerdns-admin \
    -e SECRET_KEY='<key>' \
    -v /etc/powerdns-admin:/data \
    -p 9191:80 \
    docker.io/powerdnsadmin/pda-legacy:latest
```

#### Enabling API

A few settings in `/etc/powerdns/pdns.conf` need to be changed.

```
api=yes
api-key=<key>
webserver=yes
```

Following this, the API access can be configured in the webgui  
![Configuration options in PowerDNS Admin](powerdns-admin-api-settings.png)

Now you should see all your configured Domains and be able to modify records
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00			`---`
			`title: PowerDNS`
Make all pages visible. Use alphabetic sorting 2022-11-19 15:25:20 +01:00			`visible: true`
(Grav GitSync) Automatic Commit from RealStickman 2022-06-28 14:33:35 +02:00			`media_order: powerdns-admin-api-settings.png`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00			`---`

(Grav GitSync) Automatic Commit from RealStickman 2022-06-06 18:36:33 +02:00			`[toc]`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00			`## Installation`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00
Add postgresql backend to powerdns 2023-05-26 16:07:27 +02:00			`### Debian`

(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00			`For the autoriative server install this package`
			`# apt install pdns-server`
			`This is the PowerDNS resolver package`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			`# apt install pdns-recursor`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
Add postgresql backend to powerdns 2023-05-26 16:07:27 +02:00			`PowerDNS offers different backends, which are packaged separately on Debian.`

			`Mysql Backend`

			```sh
Add sudo for root command 2023-05-26 18:22:29 +02:00			`sudo apt install pdns-backend-mysql mariadb-server`
Add postgresql backend to powerdns 2023-05-26 16:07:27 +02:00			```

			`PostgreSQL Backend`

			```sh
			`sudo apt install pdns-backend-pgsql postgresql`
			```

			`## Authoritative Server`

			`> [List of all available backends](https://doc.powerdns.com/authoritative/backends/index.html)`

			`### PostgreSQL Backend`

			Edit the configuration file in `/etc/powerdns/pdns.conf`

			```
			`...`
			`launch=gpgsql`
			`...`
			`gpgsql-host=127.0.0.1`
			`gpgsql-port=5432`
			`gpgsql-dbname=pdns`
			`gpgsql-user=<user>`
			`gpgsql-password=<password>`
			`gpgsql-dnssec=yes`
			```

			`Prepare database`

			```sh
			`sudo -u postgres psql`
			```

			```sql
			`CREATE DATABASE pdns;`
			`CREATE USER <user> WITH ENCRYPTED PASSWORD '<password>';`
			`GRANT ALL PRIVILEGES ON DATABASE pdns TO powerdns;`
			```

			`Import the schema utilised by PowerDNS. This can be done with the user you just created`
			Do note the `-h` parameter is required unless `pg_hba.conf` has been modified to password based authentication locally as well.
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00
Add postgresql backend to powerdns 2023-05-26 16:07:27 +02:00			```sh
			`psql -U <user> -d <database> -h 127.0.0.1 -f /usr/share/pdns-backend-pgsql/schema/schema.pgsql.sql`
			```

			```sh
			`systemctl restart pdns`
			```
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
Add postgresql backend to powerdns 2023-05-26 16:07:27 +02:00			`### MySQL Backend`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00			Set the backend you chose in the `launch=` option of PowerDNS' configuration file.
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			The config can be found under `/etc/powerdns/pdns.conf`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			For MySQL I chose `launch=gmysql`

			`> A [list of backends can be found here](https://doc.powerdns.com/authoritative/backends/index.html)`

			Add the following parameters below `launch=gmysql`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
			```
			`gmysql-host=127.0.0.1`
			`gmysql-socket=/run/mysqld/mysqld.sock`
			`gmysql-user=(user)`
			`gmysql-password=(password)`
			`gmysql-dbname=pdns`
			`# Add this for dnssec support`
			`gmysql-dnssec=yes`
			```

Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			`Prepare database`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			```sh
			`mariadb -u root -p`
			```
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			```sql
			`CREATE DATABASE pdns;`
			`GRANT ALL ON pdns.* TO 'pdns'@'localhost' IDENTIFIED BY '<password>';`
			```
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			`Import the schema utilised by PowerDNS. This can be done with the user you just created`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			```sh
			`mysql -u pdns -p pdns < /usr/share/doc/pdns-backend-mysql/schema.mysql.sql`
			```

			```sh
			`systemctl restart pdns`
			```
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
Add postgresql backend to powerdns 2023-05-26 16:07:27 +02:00			`## PowerDNS CLI`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00			`Create Zone and add a name server`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			`# pdnsutil create-zone (domain) ns1.(domain)`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
			`Add "A"-Record. Mind the (.) after the domain`
			`"Name" is the hostname you wish to assign.`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			`# pdnsutil add-record (domain). (name) A (ip address)`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
Add postgresql backend to powerdns 2023-05-26 16:07:27 +02:00			`## Dynamic DNS`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00
			`# apt install bind9utils`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
			`Generate key`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			`# dnssec-keygen -a hmac-md5 -b 128 -n USER (keyname)`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			Edit the configuration file and change `dnsupdate=no` to `dnsupdate=yes` and set `allow-dnsupdate-from=` to empty.
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
			`Allow updates from your DHCP server`
			`# pdnsutil set-meta (domain) ALLOW-DNSUPDATE-FROM (dhcp server ip)`
			`If you set up a reverse-zone, also allow that`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			`# pdnsutil set-meta (reverse ip).in-addr.arpa ALLOW-DNSUPDATE-FROM (dhcp server ip)`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
			`Import the key`
			`# pdnsutil import-tsig-key (keyname) hmac-md5 (key)`
			`Enable for domain`
			`# pdnsutil set-meta (domain) TSIG-ALLOW-DNSUPDATE (keyname)`
			`And for reverse-zone`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			`# pdnsutil set-meta (reverse ip).in-addr.arpa TSIG-ALLOW-DNSUPDATE (keyname)`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
Use relative links 2023-09-27 18:35:51 +02:00			`You also have to configure the DHCP server to provide updates, see [the DHCP article](/linux/services/dhcp-server)`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
Add postgresql backend to powerdns 2023-05-26 16:07:27 +02:00			`### Testing with nsupdate`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00
			`# nsupdate -k Kdhcpdupdate.+157+12673.key`

(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00			```
			`> server 127.0.0.1 5300`
			`> zone testpdns`
			`> update add test.testpdns 3600 A 192.168.7.10`
			`> send`
			```

			`## Configuration Recursive Resolver`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00			The config file can be found under `/etc/powerdns/recursor.conf`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			In `/etc/powerdns/pdns.conf` set `local-address=127.0.0.1` and `local-port=5300` to allow the recursor to run on port 53
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00			In `/etc/powerdns/recursor.conf` set `forward-zones=(domain)=127.0.0.1:5300` to forward queries for that domain to the authoritative DNS
			Also set `local-address` and `allow-from`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			To bind to all interfaces, use `local-address=::,0.0.0.0`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
			`### Wipe Cache`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00
			`# rec_control wipe-cache $`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
			`## DNSSEC`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00			`### Authoritative Server`

Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			`> https://doc.powerdns.com/authoritative/dnssec/index.html`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
			`### Recursor Server`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00
			To fully enable DNSSEC, set `dnssec=process-no-validate` to `dnssec=validate`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
			To allow a domain without DNSSEC, modify `/etc/powerdns/recursor.lua`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			Add `addNTA('(domain)')` to disable DNSSEC for the selected domain.
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
			`Show domains with disabled DNSSEC`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			`# rec_control get-ntas`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
			`> [DNSSEC Testing](https://wiki.debian.org/DNSSEC#Test_DNSSEC)`

			`## WebGUI`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00			`### PowerDNS-Admin`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00
			```sh
Add postgresql backend to powerdns 2023-05-26 16:07:27 +02:00			`sudo mkdir /etc/powerdns-admin`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00			```
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00
			```sh
Add postgresql backend to powerdns 2023-05-26 16:07:27 +02:00			`sudo podman run -d \`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00			`--name powerdns-admin \`
Add postgresql backend to powerdns 2023-05-26 16:07:27 +02:00			`-e SECRET_KEY='<key>' \`
			`-v /etc/powerdns-admin:/data \`
			`-p 9191:80 \`
			`docker.io/powerdnsadmin/pda-legacy:latest`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00			```

			`#### Enabling API`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00
			A few settings in `/etc/powerdns/pdns.conf` need to be changed.

			```
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00			`api=yes`
Add postgresql backend to powerdns 2023-05-26 16:07:27 +02:00			`api-key=<key>`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00			`webserver=yes`
			```

			`Following this, the API access can be configured in the webgui`
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			`![Configuration options in PowerDNS Admin](powerdns-admin-api-settings.png)`
(Grav GitSync) Automatic Commit from RealStickman 2022-05-20 21:18:17 +02:00
Update formats and languages for prismjs 2023-02-23 14:48:51 +01:00			`Now you should see all your configured Domains and be able to modify records`