In my lab I like to use DNS servers rather than hosts files and dnsmasq. In the past I’ve used djbdns but I wanted to learn something new so I’ve decided to have a look at PowerDNS.
PowerDNS runs fine, it’s quite easy to install and has great documentation so here are the steps I’ve followed in my CentOS 7 host using PostgreSQL as the database backend (MariaDB/MySQL is also supported!).
In this post I’m using two PowerDNS servers:
- A DNS authoritative server to answer the DNS requests for my local domain called artemit.local (e.g tornasol.artemit.local)
- A DNS recursive server to answer and save in cache the DNS requests for other domains like those on Internet (e.g google.com).
PowerDNS is available at the EPEL repository:
yum install -y epel-release yum -y install pdns pdns-tools pdns-backend-postgresql pdns-recursor net-tools bind-utils jq
We’ll need to create a postgres database so we’ll use the postgres user and execute some commands from the psql CLI. I’ll name the database pdns.
su - postgres -bash-4.2$ psql psql (9.2.10) postgres=# CREATE DATABASE pdns; CREATE DATABASE postgres=# \q
We’ll load the schema available in the /usr/share/doc folder. When you install the pdns package the version number may have been changed so replace 3.4.4 accordingly:
-bash-4.2$ psql pdns < /usr/share/doc/pdns-backend-postgresql-3.4.4/schema.pgsql.sql
We’ll create a user called pdns and will grant the right permissions. Important!: Replace xxxxxxx with your password 😀
-bash-4.2$ psql postgres=# \c pdns pdns=# CREATE USER pdns WITH PASSWORD 'xxxxxxx'; CREATE ROLE pdns=# GRANT ALL ON DATABASE "pdns" TO pdns; pdns=# GRANT ALL ON ALL TABLES IN SCHEMA public TO pdns; pdns=# GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO pdnsGRANT pdns=#\c postgres postgres=# \q
Let’s close the postgres user session:
-bash-4.2$ exit
We need to edit the following line in the /var/lib/pgsql/data/pg_hba.conf file, and change the ident keyword to trust:
host all all 127.0.0.1/32 trust
Let’s restart the PostgreSQL server:
systemctl restart postgresql.service
Now we’ll modify the /etc/pdns/pdns.conf file adding the following lines at the end, but first let’s explain what we’re doing:
- We’re the database backend. My PostgreSQL server is listening in the 127.0.0.1 IP address by default. The database is named pdns and the user is named pdns too. The pdns password should be changed with the one you’ve set before!
- My server is listening for authoritative DNS requests on the 192.168.4.4 address (local address).
- My server is listening for recursive DNS requests on the 127.0.0.1 address (recursor)
- In my example I’m allowing the hosts on the 192.168.4.0/24 to query my DNS recursive server.
- We’re using a experimental web API to add DNS records. The web API uses by default the changeme password, but you can use another one!
launch=gpgsql allow-recursion=192.168.4.0/24 recursor=127.0.0.1 local-address=192.168.4.4 gpgsql-host=127.0.0.1 gpgsql-dbname=pdns gpgsql-user=pdns gpgsql-password=xxxxxxx experimental-json-interface=yes experimental-api-key=changeme webserver=yes
We also need to add the following entry to the /etc/pdns-recursor/recursor.conf file so recursive queries are allowed for the localhost and the 192.168.4.0/24 network:
allow-from=127.0.0.0/8, 192.168.4.0/24
Now we’ll enable the pdns and pdns-recursor to start at boot time:
systemctl enable pdns.service systemctl enable pdns-recursor.service
Let’s start the services:
systemctl start pdns.service systemctl start pdns-recursor.service
Let’s check the status of both servers:
systemctl -l status pdns.service pdns.service - PowerDNS Authoritative Server Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled) Active: active (running) since dom 2015-04-05 18:08:09 CEST; 985ms ago [...] systemctl -l status pdns-recursor.service pdns-recursor.service - PowerDNS recursing nameserver Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; enabled) Active: active (running) since dom 2015-04-05 17:36:27 CEST; 33min ago [...]
Let’s check that both DNS servers are listening on TCP and UDP 53 ports and that the PostgreSQL is being reached by the PowerDNS servers:
netstat -ntuap | grep dns tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN 15366/pdns_server tcp 0 0 192.168.4.4:53 0.0.0.0:* LISTEN 15366/pdns_server tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 13964/pdns_recursor tcp 0 0 127.0.0.1:34150 127.0.0.1:5432 ESTABLISHED 15366/pdns_server tcp 0 0 127.0.0.1:34147 127.0.0.1:5432 ESTABLISHED 15366/pdns_server tcp 0 0 127.0.0.1:34148 127.0.0.1:5432 ESTABLISHED 15366/pdns_server tcp 0 0 127.0.0.1:34149 127.0.0.1:5432 ESTABLISHED 15366/pdns_server udp 0 0 192.168.4.4:53 0.0.0.0:* 15366/pdns_server udp 0 0 127.0.0.1:53 0.0.0.0:* 13964/pdns_recursor udp 0 0 127.0.0.1:49594 127.0.0.1:53 ESTABLISHED 15366/pdns_server
Let’s open ports in our firewall. My 192.168.4.0/24 is allowed, that’s why I use it as the source address:
firewall-cmd --
permanent
--add-rich-rule='rule family="ipv4" source address="192.168.4.0/24" port port="
53
" protocol="udp" accept'
firewall-cmd --
permanent
--add-rich-rule='rule family="ipv4" source address="192.168.4.0/24" port port="
53
" protocol="
tc
p" accept'
firewall-cmd --
reload
Don’t forget to add or edit the DNS server for your host. For example you can add a DNS1 entry to the network script at /etc/sysconfig/network-scripts/ifcfg-eth0 and change the entry to DNS1=192.168.4.4 or any other IP you’ve set for your PowerDNS server.
Wait a minute! And how I can add entries for my local domain?
There are some web interfaces for PowerDNS but I do love CLI so I’ll using some commands to use the experimental web API to add and edit DNS records. But this post is long enough, continue here to know more.