Ben's notes

Linux, Unix, network, radio...


PowerDNS on CentOS 7

Recursor and Authoritative Server on one server.

Note: if you are using IPv6 or DNSSEC, then also open port 53/tcp

Install PowerDNS and backend

yum install epel-release
yum install bind-utils pdns pdns-recursor pdns-backend-mysql mariadb mariadb-server

Start at boot:

systemctl enable mariadb 
systemctl enable pdns
systemctl enable pdns-recursor

Secure MariaDB installation:

systemctl start mariadb
/usr/bin/mysql_secure_installation

Create database

Change the password ('password') below!!

mysqladmin -u root -p create powerdns
mysql -u root -p
create user 'powerdns'@'localhost' identified by 'password';
grant all privileges on powerdns.* to 'powerdns'@'localhost';
flush privileges;
use powerdns;
CREATE TABLE domains (
  id                    INT AUTO_INCREMENT,
  name                  VARCHAR(255) NOT NULL,
  master                VARCHAR(128) DEFAULT NULL,
  last_check            INT DEFAULT NULL,
  type                  VARCHAR(6) NOT NULL,
  notified_serial       INT DEFAULT NULL,
  account               VARCHAR(40) DEFAULT NULL,
  PRIMARY KEY (id)
) Engine=InnoDB;

CREATE UNIQUE INDEX name_index ON domains(name);


CREATE TABLE records (
  id                    INT AUTO_INCREMENT,
  domain_id             INT DEFAULT NULL,
  name                  VARCHAR(255) DEFAULT NULL,
  type                  VARCHAR(10) DEFAULT NULL,
  content               VARCHAR(64000) DEFAULT NULL,
  ttl                   INT DEFAULT NULL,
  prio                  INT DEFAULT NULL,
  change_date           INT DEFAULT NULL,
  disabled              TINYINT(1) DEFAULT 0,
  ordername             VARCHAR(255) BINARY DEFAULT NULL,
  auth                  TINYINT(1) DEFAULT 1,
  PRIMARY KEY (id)
) Engine=InnoDB;

CREATE INDEX nametype_index ON records(name,type);
CREATE INDEX domain_id ON records(domain_id);
CREATE INDEX recordorder ON records (domain_id, ordername);


CREATE TABLE supermasters (
  ip                    VARCHAR(64) NOT NULL,
  nameserver            VARCHAR(255) NOT NULL,
  account               VARCHAR(40) NOT NULL,
  PRIMARY KEY (ip, nameserver)
) Engine=InnoDB;


CREATE TABLE comments (
  id                    INT AUTO_INCREMENT,
  domain_id             INT NOT NULL,
  name                  VARCHAR(255) NOT NULL,
  type                  VARCHAR(10) NOT NULL,
  modified_at           INT NOT NULL,
  account               VARCHAR(40) NOT NULL,
  comment               VARCHAR(64000) NOT NULL,
  PRIMARY KEY (id)
) Engine=InnoDB;

CREATE INDEX comments_domain_id_idx ON comments (domain_id);
CREATE INDEX comments_name_type_idx ON comments (name, type);
CREATE INDEX comments_order_idx ON comments (domain_id, modified_at);


CREATE TABLE domainmetadata (
  id                    INT AUTO_INCREMENT,
  domain_id             INT NOT NULL,
  kind                  VARCHAR(32),
  content               TEXT,
  PRIMARY KEY (id)
) Engine=InnoDB;

CREATE INDEX domainmetadata_idx ON domainmetadata (domain_id, kind);


CREATE TABLE cryptokeys (
  id                    INT AUTO_INCREMENT,
  domain_id             INT NOT NULL,
  flags                 INT NOT NULL,
  active                BOOL,
  content               TEXT,
  PRIMARY KEY(id)
) Engine=InnoDB;

CREATE INDEX domainidindex ON cryptokeys(domain_id);


CREATE TABLE tsigkeys (
  id                    INT AUTO_INCREMENT,
  name                  VARCHAR(255),
  algorithm             VARCHAR(50),
  secret                VARCHAR(255),
  PRIMARY KEY (id)
) Engine=InnoDB;

CREATE UNIQUE INDEX namealgoindex ON tsigkeys(name, algorithm);

Configure MySQL binlog

Add the binlog_format=ROW line to /etc/my.cnf.d/server.cnf.

[server]
binlog_format=ROW

Configure PowerDNS

Edit /etc/pdns/pdns.conf. If you replicate zones through the backend (MySQL replication), don't use master=yes!

allow-axfr-ips=<IPs allowed axfr>
allow-recursion=<IPs allowed recursion>
launch=gmysql
gmysql-host=127.0.0.1
gmysql-user=<yourdbuser>
gmysql-password=<yourdbpassword>
gmysql-dbname=powerdns
local-address=<yourserverIPs>
local-port=53
master=yes
recursor=127.0.0.1:5353
setgid=pdns
setuid=pdns
webserver=yes
webserver-address=<bindipaddress>
webserver-password=<yourpassword>
webserver-port=8081
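
A small checker for the settings above, added here as an example (it is not part of the original notes or of PowerDNS itself): it parses a pdns.conf, flags master=yes next to the gmysql backend, ACLs that contain a /0, a webserver bound off-loopback without webserver-password, and missing setuid/setgid. SAMPLE_CONF is a constructed config with the page's layout and two settings left too open; the 192.0.2.x addresses are documentation-range placeholders.

```python
import ipaddress

def parse_pdns_conf(text):
    """Parse pdns.conf 'key=value' lines, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def allows_everyone(acl):
    """True if a comma-separated IP/CIDR list contains a /0, i.e. the whole Internet."""
    for item in acl.split(","):
        try:
            if ipaddress.ip_network(item.strip(), strict=False).prefixlen == 0:
                return True
        except ValueError:  # skips placeholders such as <IPs allowed recursion>
            continue
    return False

def check_pdns_conf(conf):
    """Return findings for the security-relevant settings this page configures."""
    findings = []
    if conf.get("launch", "").startswith("gmysql") and conf.get("master") == "yes":
        findings.append("master=yes set: drop it if zones are replicated through MySQL")
    for key in ("allow-recursion", "allow-axfr-ips"):
        if allows_everyone(conf.get(key, "")):
            findings.append(f"{key} is open to everyone")
    if conf.get("webserver") == "yes" and conf.get("webserver-address", "127.0.0.1") != "127.0.0.1" \
            and not conf.get("webserver-password"):
        findings.append("webserver reachable off-host without webserver-password")
    if not (conf.get("setuid") and conf.get("setgid")):
        findings.append("setuid/setgid missing: pdns would keep root privileges")
    return findings

# Constructed sample (not the page's config): its layout with two settings left too open.
SAMPLE_CONF = """\
allow-axfr-ips=192.0.2.10
allow-recursion=0.0.0.0/0
launch=gmysql
master=yes
recursor=127.0.0.1:5353
setgid=pdns
setuid=pdns
webserver=yes
webserver-address=192.0.2.1
"""
```

Running check_pdns_conf(parse_pdns_conf(open("/etc/pdns/pdns.conf").read())) on the real file gives the same list for your own settings.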

Start PowerDNS

systemctl start pdns

Configure recursor

/etc/pdns-recursor/recursor.conf

setuid=pdns-recursor
setgid=pdns-recursor
allow-from=127.0.0.0/8
local-address=127.0.0.1
local-port=5353

Start recursor

systemctl start pdns-recursor

Test Recursor

host ping.xs4all.nl 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

ping.xs4all.nl has address 194.109.6.8
ping.xs4all.nl has IPv6 address 2001:888:0:25:194:109:21:66

Configure iptables

  • Open port tcp/8081 for PowerDNS webstats (if not using localhost address)
  • Open port tcp/53 and udp/53 for DNS traffic
powerdns_on_centos7.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1