title | media_order |
---|---|
PowerDNS | powerdns-admin-api-settings.png |
Installation
For the authoritative server, install this package:
# apt install pdns-server
The recursive resolver is a separate package:
# apt install pdns-recursor
Several backends are packaged for Debian. For MySQL/MariaDB:
MySQL Backend
# apt install pdns-backend-mysql mariadb-server
Configuration Authoritative Server
Select the backend with the launch= option in PowerDNS' configuration file, /etc/powerdns/pdns.conf.
For MySQL/MariaDB this is launch=gmysql.
Add the following parameters below launch=gmysql. The file now contains the database password (and later the API key), so keep it readable only by root and the pdns service user, e.g. owned by root:pdns with mode 640:
gmysql-host=127.0.0.1
gmysql-socket=/run/mysqld/mysqld.sock
gmysql-user=(user)
gmysql-password=(password)
gmysql-dbname=pdns
# Add this for dnssec support
gmysql-dnssec=yes
Prepare database
# mariadb -u root -p
CREATE DATABASE pdns;
GRANT ALL ON pdns.* TO 'pdns'@'localhost' IDENTIFIED BY '<password>';
Import the schema used by PowerDNS. The user you just created has the privileges needed for this:
$ mysql -u pdns -p pdns < /usr/share/doc/pdns-backend-mysql/schema.mysql.sql
# systemctl restart pdns
Zones
Create a zone and name its first name server (this also creates the SOA and NS record):
# pdnsutil create-zone (domain) ns1.(domain)
Add an A record. Mind the trailing dot after the zone name; (name) is the hostname relative to the zone:
# pdnsutil add-record (domain). (name) A (ip address)
Dynamic DNS
# apt install bind9utils
(On current Debian releases the key tools are in bind9-utils and nsupdate in bind9-dnsutils; bind9utils is the older package name.)
Generate key
# dnssec-keygen -a hmac-md5 -b 128 -n USER (keyname)
HMAC-MD5 is obsolete, and BIND 9.13 and later no longer generate TSIG keys with dnssec-keygen at all. On those versions use tsig-keygen -a hmac-sha256 (keyname) instead, or let PowerDNS create and store the key in one step with pdnsutil generate-tsig-key (keyname) hmac-sha256. Whichever tool you use, the algorithm given when importing the key below has to match.
In /etc/powerdns/pdns.conf change dnsupdate=no to dnsupdate=yes and set allow-dnsupdate-from= to an empty value. The global option is an additional allow-list that is checked alongside the per-zone metadata; leaving it empty means only the ALLOW-DNSUPDATE-FROM entries set per zone below grant update access.
Allow updates from your DHCP server
# pdnsutil set-meta (domain) ALLOW-DNSUPDATE-FROM (dhcp server ip)
If you also serve a reverse zone, allow it as well:
# pdnsutil set-meta (reverse ip).in-addr.arpa ALLOW-DNSUPDATE-FROM (dhcp server ip)
Import the key, giving the same algorithm it was generated with:
# pdnsutil import-tsig-key (keyname) hmac-md5 (key)
Require this key for updates to the domain:
# pdnsutil set-meta (domain) TSIG-ALLOW-DNSUPDATE (keyname)
And for the reverse zone:
# pdnsutil set-meta (reverse ip).in-addr.arpa TSIG-ALLOW-DNSUPDATE (keyname)
The DHCP server also has to be configured to send updates; see the DHCP article.
Testing with nsupdate
Sign a test update with the key file written by dnssec-keygen (the 157 in its name is the HMAC-MD5 algorithm number) and send it to the authoritative server, which listens on port 5300 once the recursor setup below has moved it off port 53. The update comes from 127.0.0.1, so that address must also be in the zone's ALLOW-DNSUPDATE-FROM metadata (set-meta accepts several values), otherwise the server answers REFUSED:
# nsupdate -k Kdhcpdupdate.+157+12673.key
> server 127.0.0.1 5300
> zone testpdns
> update add test.testpdns 3600 A 192.168.7.10
> send
nsupdate prints nothing on success; check the result with pdnsutil list-zone testpdns.
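The dynamic-update procedure above (key generation, zone metadata for the forward and reverse zone, and the signed nsupdate test) as one script. This is an added example, not code from this page or from the PowerDNS project. It assumes pdnsutil and nsupdate are installed and that the authoritative server listens on 127.0.0.1:5300 as configured in this article; it generates an hmac-sha256 secret from /dev/urandom instead of the hmac-md5 dnssec-keygen step, writes it in the key-statement form that nsupdate -k reads, derives the /24 reverse zone from the address, and allows updates from the DHCP server and from localhost. Zone, key and addresses on the command line are placeholders; with DRY_RUN=1 it only prints the pdnsutil and nsupdate commands, so it can be inspected without a running server.

```shell
#!/bin/sh
# Added example (not from this page or the PowerDNS project): TSIG-secured
# dynamic updates for a forward zone and its /24 reverse zone, ending with a
# signed nsupdate test. Assumes pdnsutil and nsupdate are installed and the
# authoritative server listens on 127.0.0.1:5300 as configured in this article.
# DRY_RUN=1 prints the commands instead of running them.
set -eu

PDNS_SERVER=${PDNS_SERVER:-127.0.0.1}
PDNS_PORT=${PDNS_PORT:-5300}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# 256-bit secret, base64 encoded as both pdnsutil import-tsig-key and nsupdate
# expect it. hmac-sha256 is used instead of the obsolete hmac-md5.
gen_tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# 192.168.7.10 -> 10.7.168.192.in-addr.arpa
reverse_name() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# /24 reverse zone containing the address: 192.168.7.10 -> 7.168.192.in-addr.arpa
reverse_zone() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1"
}

# Key file in the named.conf "key" form that nsupdate -k reads, created mode 600.
write_keyfile() {   # keyname secret path
    ( umask 077; printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' "$1" "$2" >"$3" )
}

# Store the key in PowerDNS and allow signed updates to both zones from the
# DHCP server and from localhost (for the test); set-meta takes several values.
authorize_updates() {   # domain reverse_zone keyname dhcp_ip secret
    run pdnsutil import-tsig-key "$3" hmac-sha256 "$5"
    for zone in "$1" "$2"; do
        run pdnsutil set-meta "$zone" ALLOW-DNSUPDATE-FROM "$4" 127.0.0.1
        run pdnsutil set-meta "$zone" TSIG-ALLOW-DNSUPDATE "$3"
    done
}

# nsupdate batch that adds the A record and its PTR in one signed session.
build_update() {   # domain hostname ip ttl
    printf 'server %s %s\n' "$PDNS_SERVER" "$PDNS_PORT"
    printf 'zone %s\nupdate add %s.%s. %s A %s\nsend\n' "$1" "$2" "$1" "$4" "$3"
    printf 'zone %s\nupdate add %s. %s PTR %s.%s.\nsend\n' \
        "$(reverse_zone "$3")" "$(reverse_name "$3")" "$4" "$2" "$1"
}

main() {   # domain keyname dhcp_ip hostname ip
    secret=$(gen_tsig_secret)
    authorize_updates "$1" "$(reverse_zone "$5")" "$2" "$3" "$secret"
    write_keyfile "$2" "$secret" "./$2.key"
    build_update "$1" "$4" "$5" 3600 | run nsupdate -k "./$2.key"
    run pdnsutil list-zone "$1"
}

if [ $# -eq 5 ]; then
    main "$@"
fi
```

Run it as DRY_RUN=1 sh ddns-setup.sh example.internal dhcpdupdate 192.168.7.1 test 192.168.7.10 to see the commands it would issue; without DRY_RUN it applies them and leaves the key file next to the script, and the same secret then has to go into the DHCP server's key configuration.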
Configuration Recursive Resolver
The config file can be found under /etc/powerdns/recursor.conf
Both daemons want port 53, so first move the authoritative server out of the way: in /etc/powerdns/pdns.conf set local-address=127.0.0.1 and local-port=5300, which leaves port 53 to the recursor. The authoritative server is then reachable only on localhost, and other hosts resolve your zones through the recursor.
In /etc/powerdns/recursor.conf set forward-zones=(domain)=127.0.0.1:5300 to send queries for that domain to the authoritative server.
Also set local-address and allow-from.
To bind to all interfaces, use local-address=::,0.0.0.0. In that case keep allow-from limited to your client networks (the default only covers loopback and the private ranges): a recursor that answers everyone is an open resolver and will be found and abused for reflection attacks.
Wipe Cache
The recursor caches answers, so a changed record only becomes visible once its TTL has expired unless the cache is wiped. A name suffixed with $ is wiped together with everything below it; with nothing in front of the $, that is the whole cache:
# rec_control wipe-cache $
DNSSEC
Authoritative Server
TODO
Recursor Server
To enforce DNSSEC validation, change dnssec=process-no-validate to dnssec=validate in /etc/powerdns/recursor.conf. Answers that fail validation are then returned as SERVFAIL.
To allow a domain that cannot be validated, such as an unsigned internal zone, add a negative trust anchor in /etc/powerdns/recursor.lua (the file named by lua-config-file in recursor.conf):
addNTA('(domain)')
This disables validation only for that name and everything below it, not globally.
Show the configured negative trust anchors:
# rec_control get-ntas
WebGUI
PowerDNS-Admin
Create a directory for PowerDNS-Admin's own state (by default an SQLite database). It has to be writable by the user the container process runs as; chmod 777 achieves that but also lets every local account read and modify the admin database, so prefer handing the directory to that UID (podman top shows it) with mode 700.
# mkdir /etc/pda-data
# chmod 777 -R /etc/pda-data
SECRET_KEY signs the web sessions, and anyone who knows it can forge a logged-in session, so generate your own random value (for example with openssl rand -base64 32) rather than copying one from a web page. With --net=host the UI listens directly on the host's interfaces without TLS; keep it firewalled or behind a TLS reverse proxy.
# podman run -d \
--name powerdns-admin \
-e SECRET_KEY='(random key)' \
-v /etc/pda-data:/data \
--net=host \
docker://ngoduykhanh/powerdns-admin:latest
Enabling API
A few settings in /etc/powerdns/pdns.conf need to be changed:
api=yes
api-key=(random key)
webserver=yes
The API is only as secure as api-key, so use a long random value. The built-in webserver defaults to webserver-address=127.0.0.1 on port 8081 and webserver-allow-from=127.0.0.1,::1, which is exactly right when PowerDNS-Admin runs on the same host with --net=host as above; if it runs elsewhere, widen webserver-allow-from to that host only. Restart pdns afterwards.
Following this, the API access (URL http://127.0.0.1:8081 with the default port, plus the key) can be configured in the web GUI.
Now you should see all your configured domains and be able to modify records.
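An added check covering the recursor settings above and the API settings in this section; it is not code from this page or from the PowerDNS project. It reads a pdns.conf and a recursor.conf, flags the combinations that expose the server (API enabled without a key, webserver bound beyond localhost or open to any client, update source check wide open, credentials file world-readable, recursor on all interfaces with an unrestricted allow-from, validation off) and, when run without arguments, demonstrates itself on two constructed sample files with those weak settings. The sample values and the rule set are assumptions for illustration; the only defaults it relies on are webserver-address=127.0.0.1 and the recursor's private-range default for allow-from.

```shell
#!/bin/sh
# Added example (not from this page or the PowerDNS project): checks the
# settings this article touches in pdns.conf and recursor.conf for the
# exposures they can create, and demonstrates them on constructed sample files.
set -eu

# Value of the last uncommented "key=value" line; empty if the key is not set.
conf_get() {   # file key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# True when a comma separated netmask list contains "everything".
is_wide_open() {
    case "$(printf '%s' "$1" | tr -d ' ')" in
        *0.0.0.0/0*|*::/0*) return 0 ;;
    esac
    return 1
}

audit_pdns_conf() {   # file
    f=$1
    if [ "$(conf_get "$f" api)" = yes ] && [ -z "$(conf_get "$f" api-key)" ]; then
        echo "api=yes without api-key: REST API enabled without authentication"
    fi
    if [ "$(conf_get "$f" webserver)" = yes ]; then
        addr=$(conf_get "$f" webserver-address)
        case "${addr:-127.0.0.1}" in
            127.0.0.1|::1) ;;
            *) echo "webserver-address=$addr: API/webserver reachable from other hosts" ;;
        esac
        if is_wide_open "$(conf_get "$f" webserver-allow-from)"; then
            echo "webserver-allow-from allows any source address"
        fi
    fi
    if [ "$(conf_get "$f" dnsupdate)" = yes ]; then
        upd=$(conf_get "$f" allow-dnsupdate-from)
        if is_wide_open "$upd"; then
            echo "allow-dnsupdate-from=$upd: source check passes for any address, bypassing per-zone ALLOW-DNSUPDATE-FROM"
        fi
    fi
    # The file holds gmysql-password and api-key, so "other" must not read it.
    case "$(ls -ld "$f")" in
        -??????r*) echo "$f is world-readable but contains credentials" ;;
    esac
}

audit_recursor_conf() {   # file
    f=$1
    bound_all=0
    for a in $(conf_get "$f" local-address | tr ',' ' '); do
        case "$a" in 0.0.0.0|::) bound_all=1 ;; esac
    done
    if [ "$bound_all" = 1 ] && is_wide_open "$(conf_get "$f" allow-from)"; then
        echo "local-address on all interfaces with unrestricted allow-from: open resolver"
    fi
    dnssec=$(conf_get "$f" dnssec)
    if [ "$dnssec" != validate ]; then
        echo "dnssec=${dnssec:-unset}: answers are not DNSSEC validated"
    fi
}

# Constructed sample files carrying every weak setting the checks look for.
write_samples() {   # dir
    cat >"$1/pdns.conf" <<'EOF'
launch=gmysql
gmysql-password=s3cret
api=yes
api-key=
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=0.0.0.0/0
dnsupdate=yes
allow-dnsupdate-from=0.0.0.0/0
EOF
    chmod 644 "$1/pdns.conf"
    cat >"$1/recursor.conf" <<'EOF'
local-address=::,0.0.0.0
allow-from=0.0.0.0/0, ::/0
forward-zones=example.test=127.0.0.1:5300
dnssec=process-no-validate
EOF
}

if [ $# -eq 0 ]; then
    dir=$(mktemp -d)
    write_samples "$dir"
    audit_pdns_conf "$dir/pdns.conf"
    audit_recursor_conf "$dir/recursor.conf"
    rm -rf "$dir"
else
    for f; do
        case "$f" in
            *recursor*) audit_recursor_conf "$f" ;;
            *) audit_pdns_conf "$f" ;;
        esac
    done
fi
```

Run it without arguments to see the seven findings for the sample files, or as sh pdns-audit.sh /etc/powerdns/pdns.conf /etc/powerdns/recursor.conf against a real installation; a clean configuration prints nothing. The settings-file parser is deliberately simple and does not follow include-dir, so configuration kept under /etc/powerdns/pdns.d has to be passed as extra arguments.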
Systemd Service
/etc/systemd/system/powerdns-admin.service
[Unit]
Description=Powerdns Admin Podman container
[Service]
Restart=always
ExecStart=/usr/bin/podman start -a powerdns-admin
ExecStop=/usr/bin/podman stop -t 10 powerdns-admin
[Install]
WantedBy=multi-user.target
# systemctl daemon-reload
# systemctl enable --now powerdns-admin