Exploring PowerDNS
Power Zone
PowerDNS [1] is an amazing, feature-rich and versatile domain name system (DNS) server solution. Originally created by PowerDNS.com BV as a commercial product, it was later opened up and licensed under the GPL. Today, PowerDNS thrives with both commercial [2] and community contributions, making it an outstanding DNS server alternative.
DNS, of course, is the distributed, hierarchical naming system that lets us map IP addresses to names that are far easier for humans to digest. Thankfully, we no longer live in the early days of the Arpanet (precursor to today's Internet), where we had to transfer large host files from node to node. The compact codebase of PowerDNS and its focus on security, scalability, and reliability make it a great nameserver choice; it is jam packed with features that would impress any network or sys admin (Table 1).
Table 1
PowerDNS Features
- Authoritative DNS server (hosting)
- Resolving DNS server (caching)
- API to provision zones and records
- DNSSEC support (as of 3.x)
- Web-based management options
- DNS data stored in plain text (BIND compatible)
- IPv4 and IPv6, UDP/TCP, 100% compliant [3]
- MySQL, PostgreSQL, Microsoft SQL Server, Oracle, Sybase database back ends
- Load balancing/failover algorithms
- SNMP support
- Remotely pollable statistics for real-time graphing
- Optional built-in web server
- Debugging tools
- Support for Linux, BSD, Unix
PowerDNS Key Components
PowerDNS has two key distinct components: the authoritative server and the recursor. Other DNS servers combine these roles into one, but PowerDNS holds them separately, and you can configure PowerDNS as either option. An authoritative name server is just what it sounds like: It is the original and conclusive source of DNS zone information for a particular domain, where a zone is merely a portion or set of administrative space. Authoritative domain servers are of two types: primary and secondary.
- The primary name server is sometimes called a master server, which is the original and definitive source for all zone records for a domain.
- The secondary name server, often called a slave server, is an identical replica used to provide redundancy and high availability.
The PowerDNS recursor, on the other hand, simply provides caching or a standalone recursive resolver for clients accessing your network or the greater Internet (i.e., it is your first line of DNS for client machines). Recall that it isn't authoritative but simply provides query resolution to the network client resolver (the client-side portion used to perform DNS queries) on your local machine. The PowerDNS recursor supports:
- All relevant standards
- Advanced anti-spoofing measures
- Reconfiguration without downtime
- Plain BIND zone files for "resolved hosting"
- Question interception, answer reconditioning, NXDOMAIN redirection (including "block lists" and security measures)
- The rec_control utility, an API for direct control of the PowerDNS recursor and for data output to MRTG and RRD for pretty network graphs
- Local and remote access
- DNS64
Another PowerDNS component is the supermaster/superslave feature set, which allows you to automate the provisioning of slaves. Superslaves can configure themselves automatically as a slave for a zone when they receive notification from a known supermaster.
PowerDNS Back Ends
It is important to note that PowerDNS has many back-end configuration options to hold zone data. It can use static BIND compatibility configuration files or a number of popular databases – so many, in fact, that one could easily write an entire book on each. As such, I will limit my coverage herein to its use with a PowerDNS server with BIND-compatible configuration and a MySQL back end with the Poweradmin [4] web GUI configuration. Because of scope constraints and the well-documented nature of the project, I'm sure you will be able to build configurations as needed.
Installing and Patching Ubuntu Server
For this portion of the article, I'll assume you've installed Ubuntu Server 12.04 LTS and updated and patched fully with:
sudo aptitude update && sudo aptitude dist-upgrade
Moving forward, I want to automate updates for my PowerDNS server. To do so, I will use the unattended-upgrades package for Ubuntu Server 12.04 LTS:
sudo aptitude install unattended-upgrades
If you chose to load security updates when setting up Ubuntu, this package will already be installed. Configure it by uncommenting and changing the items in Listing 1 in the configuration file.
Listing 1
Configuring unattended-upgrades
primary:~$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
};
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "username@yourdomain.com";
Next, edit the file /etc/apt/apt.conf.d/10periodic to check for updates once a day:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
Be aware that all unattended upgrades are logged in /var/log/unattended-upgrades, so you might want to review it periodically, along with your other logs. Additionally, you could do much the same with the commercial, and more feature-rich, Ubuntu Landscape. Now that the base system is set, you can fire up your first install of PowerDNS.
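A commented-out origin or a periodic value left at "0" silently disables automatic patching, so it is worth checking the two edited files before moving on. The following is an added example, not part of the original article: the function names are hypothetical, and the matching is a simplified line-based check rather than APT's own configuration parser.

```shell
#!/bin/sh
# Audit the two files edited above. Paths default to the ones named in the
# article; pass other paths to run the check against copies.

# periodic_value KEY FILE
# Prints the value of an active (uncommented) APT::Periodic::KEY line,
# or nothing if the key is missing or commented out.
periodic_value() {
    sed -n "s|^[[:space:]]*APT::Periodic::$1[[:space:]]*\"\([^\"]*\)\";.*|\1|p" "$2" 2>/dev/null | tail -n 1
}

# origin_enabled SUFFIX FILE
# Succeeds if an uncommented Allowed-Origins entry ending in -SUFFIX exists.
origin_enabled() {
    grep -Eq "^[[:space:]]*\"[^\"]*-$1\";" "$2" 2>/dev/null
}

# audit_unattended [PERIODIC_FILE] [UPGRADES_FILE]
# Prints one line per check and returns the number of problems found.
audit_unattended() {
    periodic=${1:-/etc/apt/apt.conf.d/10periodic}
    upgrades=${2:-/etc/apt/apt.conf.d/50unattended-upgrades}
    problems=0
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(periodic_value "$key" "$periodic")
        case "$val" in
            ''|0) echo "FAIL: APT::Periodic::$key is '${val:-unset}'"
                  problems=$((problems + 1)) ;;
            *)    echo "ok:   APT::Periodic::$key = $val" ;;
        esac
    done
    if origin_enabled security "$upgrades"; then
        echo "ok:   security origin is enabled"
    else
        echo "FAIL: security origin is commented out or missing"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage on the server: source this file, then run  audit_unattended
```

On a live host, `apt-config dump | grep -E 'Periodic|Unattended'` shows the merged values APT actually uses, which also catches overrides from other files in /etc/apt/apt.conf.d.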