Exploring PowerDNS
Power Zone
Logging In to Poweradmin
To access your Poweradmin server, go to http://primary/Poweradmin/index.php . Once there, you should add your master zone by clicking Add master zone in the initial login screen (Figure 5), add the information required for your base domain, and click Add zone (Figure 6). From here, click on List zones (Figure 7) and then Edit an existing example.com zone, as in Figure 8. As you can see, the GUI is very simple and will guide you through the process of creating your basic required DNS records. Once done, go back to the same domain and add any additional records you would like.
Redundancy
Redundancy is a must. Like any service as vital as DNS, you should build redundancy into your infrastructure – which means at least two of everything – or else you will need much more than two aspirins to deal with the headaches caused by downtime. In the case of PowerDNS, that means two or three DNS servers. If you are using a database back end, do not share a single back end across your entire infrastructure; give each PowerDNS server its own back end, so that losing one database takes down one name server rather than all of them.
DNS and Security
DNS is a commonly attacked service, which means you need to take your time in the engineering stages to deploy it properly. Unfortunately, DNS exposes more attack vectors than most services, and the consequences of losing it reach every other service on your network. The risks are many, but you can take some simple steps to reduce them:
Patch, Patch, Patch. As silly as it sounds, some people still don't invest in automated patch management; doing so closes off a large share of the problems before anyone can exploit them.
Split Servers Across Networks. Placing all your DNS servers on a single network space could be highly problematic if that core router dies or that network suffers a distributed denial of service attack. Split your servers across several, properly redundant and fault-tolerant network/server infrastructures.
Set Up Firewalls. Although firewalls are by no means perfect, they are still good practice. Firing up iptables on your DNS box will at the very least add another layer to keep out those with malicious intent. Besides, thinking about ingress and egress rules for every network service is always a good discipline. One option in Ubuntu is its "uncomplicated firewall" tool, ufw, which creates iptables rules in a rather simple fashion. For my example, I create the following ufw rules:
primary:~$ sudo ufw logging on
primary:~$ sudo ufw default deny
primary:~$ sudo ufw allow 22/tcp
primary:~$ sudo ufw allow 80/tcp
primary:~$ sudo ufw allow 53/udp
primary:~$ sudo ufw allow 53/tcp
primary:~$ sudo ufw enable
primary:~$ sudo ufw status
Put the allow rule for port 22 in place before you run ufw enable: with a default-deny policy, enabling the firewall first over an SSH session can drop that session. Port 80 is open only because the Poweradmin web interface lives there; since its login form sends credentials in the clear over plain HTTP, limit that rule to your management hosts (for example, ufw allow from 192.0.2.0/24 to any port 80 proto tcp, with your own admin network in place of that address) or put the GUI behind HTTPS. Of course, if you are more comfortable doing this with iptables, go right ahead. More stringent rules might be in order, depending on your environment and goals.
Explore and Deploy TSIG/TKEY and DNSSEC. Use TSIG/TKEY [6] [7] for securing zone transfers: a TSIG key is a shared secret that signs each transfer request, so a secondary's AXFR is accepted only when it carries a valid signature, not merely because it comes from an allowed address. Deploy DNSSEC [8] to sign the zone data itself, which lets validating resolvers detect forged answers and so helps protect against cache poisoning. Copious documentation [9] is available on these features.
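Once zone transfers are locked down, verify the lock from the outside. The script below is an added example, not code from this article or from the PowerDNS project: it sends an unsigned AXFR request for a zone over TCP, using only the Python standard library, and reports whether the server began handing out the zone or turned the request away. The server name primary, the zone example.com and the two sample reply headers are assumptions constructed for the example; substitute your own servers and zones when you run it.

```python
"""Added example: check whether a DNS server hands a zone to an unauthenticated
client via AXFR. Standard library only; host, zone and sample replies are
assumptions constructed for this example, not taken from the article."""
import socket
import struct
import sys

TYPE_AXFR = 252
CLASS_IN = 1
QUERY_ID = 0x1234
# RCODE names from the DNS header (RFC 1035; NOTAUTH from RFC 2136)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

# Constructed sample reply headers for offline use (12-byte DNS header only):
# id 0x1234, flags QR=1 RCODE=5 (REFUSED), QDCOUNT=1, no answer records
SAMPLE_REFUSED = bytes.fromhex("123480050001000000000000")
# id 0x1234, flags QR=1 AA=1 RCODE=0, QDCOUNT=1, ANCOUNT=1 (the SOA that opens a transfer)
SAMPLE_OPEN = bytes.fromhex("123484000001000100000000")


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending with the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone: str, msg_id: int = QUERY_ID) -> bytes:
    """Header with flags 0 (plain query, no RD) and QDCOUNT=1, then one AXFR/IN question."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def parse_header(data: bytes) -> dict:
    """Extract the header fields the check needs from the first reply message."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    return {"id": msg_id, "is_response": bool(flags & 0x8000),
            "rcode": RCODES.get(rcode, f"RCODE{rcode}"), "answers": an}


def classify(hdr: dict) -> str:
    """An allowed transfer starts with NOERROR and the zone's SOA in the answer
    section; anything else means the server did not hand out the zone."""
    if hdr["rcode"] == "NOERROR" and hdr["answers"] > 0:
        return "OPEN"
    return "CLOSED:" + hdr["rcode"]


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; a server that drops the connection mid-message is an error."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def check_axfr(server: str, zone: str, port: int = 53, timeout: float = 5.0) -> str:
    """Send an unsigned AXFR over TCP (2-byte length prefix) and classify the first reply."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", recv_exact(sock, 2))
        first = recv_exact(sock, length)
    hdr = parse_header(first)
    if hdr["id"] != QUERY_ID or not hdr["is_response"]:
        raise ValueError("reply does not match our query")
    return classify(hdr)


if __name__ == "__main__":
    # Usage: python3 axfr_check.py primary example.com   (host and zone are assumptions)
    if len(sys.argv) != 3:
        sys.exit("usage: axfr_check.py <server> <zone>")
    print(f"AXFR of {sys.argv[2]} from {sys.argv[1]}: {check_axfr(sys.argv[1], sys.argv[2])}")
```

Run it from a host that is not one of your secondaries: the expected result is CLOSED (REFUSED or NOTAUTH), and OPEN means anyone can copy your zone. To confirm the signed path still works, transfer the zone with the key you configured, for example dig -y hmac-sha256:KEYNAME:SECRET axfr example.com @primary, with your own key name and secret; one request should fail and the other succeed, or the TSIG setup is not doing what you think.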
I'm a big proponent of thinking of security as a priority in every aspect of Information Technology, and I see a rising consciousness of its importance. When you build with security as step 0, your problem set is reduced dramatically.