(Grav GitSync) Automatic Commit from RealStickman
parent 2b0ec13164
commit 4d76ac5472
155
pages/02.linux/14.powerdns/default.en.md
Normal file
@ -0,0 +1,155 @@
---
title: PowerDNS
---

## Installation
For the autoriative server install this package
`# apt install pdns-server`
This is the PowerDNS resolver package
`# apt install pdns-recursor`

### Different Backends can be installed on Debian
Mysql Backend
`# apt install pdns-backend-mysql mariadb-server`

## Configuration Authoritative Server
Set the backend you chose in the `launch=` option of PowerDNS' configuration file.
The config can be found under `/etc/powerdns/pdns.conf`

For MySQL I chose `launch=gmysql`
> A [list of backends can be found here](https://doc.powerdns.com/authoritative/backends/index.html)
{.is-info}

Add the following parameters below `launch=gmysql`
```
gmysql-host=127.0.0.1
gmysql-socket=/run/mysqld/mysqld.sock
gmysql-user=(user)
gmysql-password=(password)
gmysql-dbname=pdns
# Add this for dnssec support
gmysql-dnssec=yes
```

Prepare database
`# mariadb -u root -p`

`CREATE DATABASE pdns;`

`GRANT ALL ON pdns.* TO 'pdns'@'localhost' IDENTIFIED BY '<password>';`

Import the schema utilised by PowerDNS. This can be done with the user you just created
`$ mysql -u pdns -p pdns < /usr/share/doc/pdns-backend-mysql/schema.mysql.sql`

`# systemctl restart pdns`

### Zones
Create Zone and add a name server
`# pdnsutil create-zone (domain) ns1.(domain)`

Add "A"-Record. **Mind the (.) after the domain**
"Name" is the hostname you wish to assign.
`# pdnsutil add-record (domain). (name) A (ip address)`

### Dynamic DNS
`# apt install bind9utils`

Generate key
`# dnssec-keygen -a hmac-md5 -b 128 -n USER (keyname)`

Edit the configuration file and change `dnsupdate=no` to `dnsupdate=yes` and set `allow-dnsupdate-from=` to empty.

Allow updates from your DHCP server
`# pdnsutil set-meta (domain) ALLOW-DNSUPDATE-FROM (dhcp server ip)`
If you set up a reverse-zone, also allow that
`# pdnsutil set-meta (reverse ip).in-addr.arpa ALLOW-DNSUPDATE-FROM (dhcp server ip)`

Import the key
`# pdnsutil import-tsig-key (keyname) hmac-md5 (key)`
Enable for domain
`# pdnsutil set-meta (domain) TSIG-ALLOW-DNSUPDATE (keyname)`
And for reverse-zone
`# pdnsutil set-meta (reverse ip).in-addr.arpa TSIG-ALLOW-DNSUPDATE (keyname)`

You also have to configure the DHCP server to provide updates, see [the DHCP article](https://wiki.realstickman.net/en/linux/services/dhcp-server)

#### Testing with nsupdate
`# nsupdate -k Kdhcpdupdate.+157+12673.key`
```
> server 127.0.0.1 5300
> zone testpdns
> update add test.testpdns 3600 A 192.168.7.10
> send
```

## Configuration Recursive Resolver
The config file can be found under `/etc/powerdns/recursor.conf`
In `/etc/powerdns/pdns.conf` set `local-address=127.0.0.1` and `local-port=5300` to allow the recursor to run on port 53
In `/etc/powerdns/recursor.conf` set `forward-zones=(domain)=127.0.0.1:5300` to forward queries for that domain to the authoritative DNS
Also set `local-address` and `allow-from`
To bind to all interfaces, use `local-address=::,0.0.0.0`

### Wipe Cache
`# rec_control wipe-cache $`

## DNSSEC
### Authoritative Server
> *TODO*
{.is-warning}

> https://doc.powerdns.com/authoritative/dnssec/index.html
{.is-info}

### Recursor Server
To fully enable DNSSEC, set `dnssec=process-no-validate` to `dnssec=validate`

To allow a domain without DNSSEC, modify `/etc/powerdns/recursor.lua`
Add `addNTA('(domain)')` to disable DNSSEC for the selected domain.

Show domains with disabled DNSSEC
`# rec_control get-ntas`

> [DNSSEC Testing](https://wiki.debian.org/DNSSEC#Test_DNSSEC)
{.is-info}

## WebGUI
### PowerDNS-Admin
`# mkdir /etc/pda-data`
`# chmod 777 -R /etc/pda-data`
```
# podman run -d \
--name powerdns-admin \
-e SECRET_KEY='q5dNwUVzbdn6gc7of6DvO0syIhTHVq1t' \
-v /etc/pda-data:/data \
--net=host \
docker://ngoduykhanh/powerdns-admin:latest
```

#### Enabling API
A few settings in `/etc/powerdns/pdns.conf` need to be changed.
```
api=yes
api-key=(random key)
webserver=yes
```

Following this, the API access can be configured in the webgui
![powerdns-admin-api-settings.png](/powerdns-admin-api-settings.png)

Now you should see all your configured Domains and be able to modify records

#### Systemd Service
`/etc/systemd/system/powerdns-admin.service`
```
[Unit]
Description=Powerdns Admin Podman container
[Service]
Restart=always
ExecStart=/usr/bin/podman start -a powerdns-admin
ExecStop=/usr/bin/podman stop -t 10 powerdns-admin
[Install]
WantedBy=multi-user.target
```

`# systemctl daemon-reload`
`# systemctl enable --now powerdns-admin`
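Review bot: the `-e SECRET_KEY='q5dNwUVzbdn6gc7of6DvO0syIhTHVq1t'` line in the podman run under PowerDNS-Admin embeds a concrete secret, while every other credential on this page is a placeholder such as `(password)` or `(random key)`; everyone who copies the command will share the key that signs the web GUI's sessions, so replace it with a placeholder like `(random secret)` and tell the reader to generate a fresh value per install. Two smaller points in the same section and in Dynamic DNS: `chmod 777 -R /etc/pda-data` makes the admin's data directory world-writable, where a `chown` to the UID the container runs as is enough; and `dnssec-keygen -a hmac-md5 -b 128` followed by `pdnsutil import-tsig-key (keyname) hmac-md5 (key)` picks the weakest TSIG algorithm, where `-a HMAC-SHA256 -b 256` on key generation and `hmac-sha256` on the import are accepted by both tools.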