(Grav GitSync) Automatic Commit from RealStickman

This commit is contained in:
RealStickman 2022-05-20 21:18:17 +02:00 committed by GitSync
parent 2b0ec13164
commit 4d76ac5472

View File

@ -0,0 +1,155 @@
---
title: PowerDNS
---
## Installation
For the autoriative server install this package
`# apt install pdns-server`
This is the PowerDNS resolver package
`# apt install pdns-recursor`
### Different Backends can be installed on Debian
Mysql Backend
`# apt install pdns-backend-mysql mariadb-server`
## Configuration Authoritative Server
Set the backend you chose in the `launch=` option of PowerDNS' configuration file.
The config can be found under `/etc/powerdns/pdns.conf`
For MySQL I chose `launch=gmysql`
> A [list of backends can be found here](https://doc.powerdns.com/authoritative/backends/index.html)
{.is-info}
Add the following parameters below `launch=gmysql`
```
gmysql-host=127.0.0.1
gmysql-socket=/run/mysqld/mysqld.sock
gmysql-user=(user)
gmysql-password=(password)
gmysql-dbname=pdns
# Add this for dnssec support
gmysql-dnssec=yes
```
Prepare database
`# mariadb -u root -p`
`CREATE DATABASE pdns;`
`GRANT ALL ON pdns.* TO 'pdns'@'localhost' IDENTIFIED BY '<password>';`
Import the schema utilised by PowerDNS. This can be done with the user you just created
`$ mysql -u pdns -p pdns < /usr/share/doc/pdns-backend-mysql/schema.mysql.sql`
`# systemctl restart pdns`
### Zones
Create Zone and add a name server
`# pdnsutil create-zone (domain) ns1.(domain)`
Add "A"-Record. **Mind the (.) after the domain**
"Name" is the hostname you wish to assign.
`# pdnsutil add-record (domain). (name) A (ip address)`
### Dynamic DNS
`# apt install bind9utils`
Generate key
`# dnssec-keygen -a hmac-md5 -b 128 -n USER (keyname)`
Edit the configuration file and change `dnsupdate=no` to `dnsupdate=yes` and set `allow-dnsupdate-from=` to empty.
Allow updates from your DHCP server
`# pdnsutil set-meta (domain) ALLOW-DNSUPDATE-FROM (dhcp server ip)`
If you set up a reverse-zone, also allow that
`# pdnsutil set-meta (reverse ip).in-addr.arpa ALLOW-DNSUPDATE-FROM (dhcp server ip)`
Import the key
`# pdnsutil import-tsig-key (keyname) hmac-md5 (key)`
Enable for domain
`# pdnsutil set-meta (domain) TSIG-ALLOW-DNSUPDATE (keyname)`
And for reverse-zone
`# pdnsutil set-meta (reverse ip).in-addr.arpa TSIG-ALLOW-DNSUPDATE (keyname)`
You also have to configure the DHCP server to provide updates, see [the DHCP article](https://wiki.realstickman.net/en/linux/services/dhcp-server)
#### Testing with nsupdate
`# nsupdate -k Kdhcpdupdate.+157+12673.key`
```
> server 127.0.0.1 5300
> zone testpdns
> update add test.testpdns 3600 A 192.168.7.10
> send
```
## Configuration Recursive Resolver
The config file can be found under `/etc/powerdns/recursor.conf`
In `/etc/powerdns/pdns.conf` set `local-address=127.0.0.1` and `local-port=5300` to allow the recursor to run on port 53
In `/etc/powerdns/recursor.conf` set `forward-zones=(domain)=127.0.0.1:5300` to forward queries for that domain to the authoritative DNS
Also set `local-address` and `allow-from`
To bind to all interfaces, use `local-address=::,0.0.0.0`
### Wipe Cache
`# rec_control wipe-cache $`
## DNSSEC
### Authoritative Server
> *TODO*
{.is-warning}
> https://doc.powerdns.com/authoritative/dnssec/index.html
{.is-info}
### Recursor Server
To fully enable DNSSEC, set `dnssec=process-no-validate` to `dnssec=validate`
To allow a domain without DNSSEC, modify `/etc/powerdns/recursor.lua`
Add `addNTA('(domain)')` to disable DNSSEC for the selected domain.
Show domains with disabled DNSSEC
`# rec_control get-ntas`
> [DNSSEC Testing](https://wiki.debian.org/DNSSEC#Test_DNSSEC)
{.is-info}
## WebGUI
### PowerDNS-Admin
`# mkdir /etc/pda-data`
`# chmod 777 -R /etc/pda-data`
```
# podman run -d \
--name powerdns-admin \
-e SECRET_KEY='q5dNwUVzbdn6gc7of6DvO0syIhTHVq1t' \
-v /etc/pda-data:/data \
--net=host \
docker://ngoduykhanh/powerdns-admin:latest
```
#### Enabling API
A few settings in `/etc/powerdns/pdns.conf` need to be changed.
```
api=yes
api-key=(random key)
webserver=yes
```
Following this, the API access can be configured in the webgui
![powerdns-admin-api-settings.png](/powerdns-admin-api-settings.png)
Now you should see all your configured Domains and be able to modify records
#### Systemd Service
`/etc/systemd/system/powerdns-admin.service`
```
[Unit]
Description=Powerdns Admin Podman container
[Service]
Restart=always
ExecStart=/usr/bin/podman start -a powerdns-admin
ExecStop=/usr/bin/podman stop -t 10 powerdns-admin
[Install]
WantedBy=multi-user.target
```
`# systemctl daemon-reload`
`# systemctl enable --now powerdns-admin`