From 4d76ac5472745d136ff7b4092cb8cceb049c78e9 Mon Sep 17 00:00:00 2001 From: RealStickman Date: Fri, 20 May 2022 21:18:17 +0200 Subject: [PATCH] (Grav GitSync) Automatic Commit from RealStickman --- pages/02.linux/14.powerdns/default.en.md | 155 +++++++++++++++++++++++ 1 file changed, 155 insertions(+) create mode 100644 pages/02.linux/14.powerdns/default.en.md diff --git a/pages/02.linux/14.powerdns/default.en.md b/pages/02.linux/14.powerdns/default.en.md new file mode 100644 index 0000000..2200a17 --- /dev/null +++ b/pages/02.linux/14.powerdns/default.en.md 
@@ -0,0 +1,155 @@ +--- +title: PowerDNS +--- + +## Installation +For the autoriative server install this package +`# apt install pdns-server` +This is the PowerDNS resolver package +`# apt install pdns-recursor` + +### Different Backends can be installed on Debian +Mysql Backend +`# apt install pdns-backend-mysql mariadb-server` + +## Configuration Authoritative Server +Set the backend you chose in the `launch=` option of PowerDNS' configuration file. +The config can be found under `/etc/powerdns/pdns.conf` + +For MySQL I chose `launch=gmysql` +> A [list of backends can be found here](https://doc.powerdns.com/authoritative/backends/index.html) +{.is-info} + +Add the following parameters below `launch=gmysql` +``` +gmysql-host=127.0.0.1 +gmysql-socket=/run/mysqld/mysqld.sock +gmysql-user=(user) +gmysql-password=(password) +gmysql-dbname=pdns +# Add this for dnssec support +gmysql-dnssec=yes +``` + +Prepare database +`# mariadb -u root -p` + +`CREATE DATABASE pdns;` + +`GRANT ALL ON pdns.* TO 'pdns'@'localhost' IDENTIFIED BY '';` + +Import the schema utilised by PowerDNS. This can be done with the user you just created +`$ mysql -u pdns -p pdns < /usr/share/doc/pdns-backend-mysql/schema.mysql.sql` + +`# systemctl restart pdns` + +### Zones +Create Zone and add a name server +`# pdnsutil create-zone (domain) ns1.(domain)` + +Add "A"-Record. **Mind the (.) after the domain** +"Name" is the hostname you wish to assign. +`# pdnsutil add-record (domain). (name) A (ip address)` + +### Dynamic DNS +`# apt install bind9utils` + +Generate key +`# dnssec-keygen -a hmac-md5 -b 128 -n USER (keyname)` + +Edit the configuration file and change `dnsupdate=no` to `dnsupdate=yes` and set `allow-dnsupdate-from=` to empty. 
+ +Allow updates from your DHCP server +`# pdnsutil set-meta (domain) ALLOW-DNSUPDATE-FROM (dhcp server ip)` +If you set up a reverse-zone, also allow that +`# pdnsutil set-meta (reverse ip).in-addr.arpa ALLOW-DNSUPDATE-FROM (dhcp server ip)` + +Import the key +`# pdnsutil import-tsig-key (keyname) hmac-md5 (key)` +Enable for domain +`# pdnsutil set-meta (domain) TSIG-ALLOW-DNSUPDATE (keyname)` +And for reverse-zone +`# pdnsutil set-meta (reverse ip).in-addr.arpa TSIG-ALLOW-DNSUPDATE (keyname)` + +You also have to configure the DHCP server to provide updates, see [the DHCP article](https://wiki.realstickman.net/en/linux/services/dhcp-server) + +#### Testing with nsupdate +`# nsupdate -k Kdhcpdupdate.+157+12673.key` +``` +> server 127.0.0.1 5300 +> zone testpdns +> update add test.testpdns 3600 A 192.168.7.10 +> send +``` + +## Configuration Recursive Resolver +The config file can be found under `/etc/powerdns/recursor.conf` +In `/etc/powerdns/pdns.conf` set `local-address=127.0.0.1` and `local-port=5300` to allow the recursor to run on port 53 +In `/etc/powerdns/recursor.conf` set `forward-zones=(domain)=127.0.0.1:5300` to forward queries for that domain to the authoritative DNS +Also set `local-address` and `allow-from` +To bind to all interfaces, use `local-address=::,0.0.0.0` + +### Wipe Cache +`# rec_control wipe-cache $` + +## DNSSEC +### Authoritative Server +> *TODO* +{.is-warning} + +> https://doc.powerdns.com/authoritative/dnssec/index.html +{.is-info} + +### Recursor Server +To fully enable DNSSEC, set `dnssec=process-no-validate` to `dnssec=validate` + +To allow a domain without DNSSEC, modify `/etc/powerdns/recursor.lua` +Add `addNTA('(domain)')` to disable DNSSEC for the selected domain. 
+ +Show domains with disabled DNSSEC +`# rec_control get-ntas` + +> [DNSSEC Testing](https://wiki.debian.org/DNSSEC#Test_DNSSEC) +{.is-info} + +## WebGUI +### PowerDNS-Admin +`# mkdir /etc/pda-data` +`# chmod 777 -R /etc/pda-data` +``` +# podman run -d \ + --name powerdns-admin \ + -e SECRET_KEY='q5dNwUVzbdn6gc7of6DvO0syIhTHVq1t' \ + -v /etc/pda-data:/data \ + --net=host \ + docker://ngoduykhanh/powerdns-admin:latest +``` + +#### Enabling API +A few settings in `/etc/powerdns/pdns.conf` need to be changed. +``` +api=yes +api-key=(random key) +webserver=yes +``` + +Following this, the API access can be configured in the webgui +![powerdns-admin-api-settings.png](/powerdns-admin-api-settings.png) + +Now you should see all your configured Domains and be able to modify records + +#### Systemd Service +`/etc/systemd/system/powerdns-admin.service` +``` +[Unit] +Description=Powerdns Admin Podman container +[Service] +Restart=always +ExecStart=/usr/bin/podman start -a powerdns-admin +ExecStop=/usr/bin/podman stop -t 10 powerdns-admin +[Install] +WantedBy=multi-user.target +``` + +`# systemctl daemon-reload` +`# systemctl enable --now powerdns-admin` \ No newline at end of file
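Review bot: In the PowerDNS-Admin section, `-e SECRET_KEY='q5dNwUVzbdn6gc7of6DvO0syIhTHVq1t'` commits what looks like a real secret to the wiki repository, and `chmod 777 -R /etc/pda-data` makes the directory mounted at `/data` writable by every local user. Use a placeholder such as `SECRET_KEY='(random key)'`, matching the `api-key=(random key)` line further down, and tell readers to generate their own value. Replace the 777 with ownership by the user the container runs as and a restrictive mode. Two smaller points in the same file: the `GRANT ALL ON pdns.* ... IDENTIFIED BY '';` line shows an empty password while the config block uses `gmysql-password=(password)`, so a `(password)` placeholder there would be consistent and would keep a copy-paste from creating a passwordless account. The Dynamic DNS section uses `hmac-md5` for the TSIG key in both the `dnssec-keygen` and `import-tsig-key` lines, where a SHA-2 HMAC such as `hmac-sha256` would be the better default. Also, "autoriative" in the Installation section should read "authoritative".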