Denis Machard

My technical gists

Infrastructure background, developer mindset. I build things for pleasure.
    @github @mastodon @rss
    dns powerdns

    Authoritary PowerDNS installation on CentOS

    PowerDNS authoritary servers installation on *CentOS 7 with sqlite database

    Installation

    wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install epel-release
yum --enablerepo=epel install luajit libsodium
yum --enablerepo=epel install jq

curl -o /etc/yum.repos.d/powerdns-auth-42.repo https://repo.powerdns.com/repo-files/centos-auth-42.repo
yum install pdns pdns-tools pdns-backend-sqlite


wget https://raw.githubusercontent.com/PowerDNS/pdns/master/modules/gsqlite3backend/schema.sqlite3.sql


mkdir /var/db/pdns
sqlite3 /var/db/pdns/pdns.db
.read schema.sqlite3.sql
.quit

chown -R pdns:pdns /var/db/pdns

    Configuration

    vim /etc/pdns/pdns.conf

version-string=anonymous
setuid=pdns
setgid=pdns

local-ipv6=

launch=gsqlite3
gsqlite3-database=/var/db/pdns/pdns.db

webserver=yes
webserver-address=0.0.0.0
webserver-port=8081
webserver-allow-from=127.0.0.0/8,10.0.0.0/24

api=on
api-key=test

master=yes

dnsupdate=yes

local-address=0.0.0.0
local-port=5300

log-dns-details=on
log-dns-queries=yes
log-timestamp=yes
loglevel=4

security-poll-suffix=
allow-dnsupdate-from=

    Start server

    systemctl enable pdns.service
systemctl start pdns.service

    Manage configuration

    Manage configuration with pdnsutil command

    • Add a new zone
    pdnsutil create-zone home.local
pdnsutil create-zone home.local ns1.home.local

pdnsutil add-record home.local ns1 A 3600 10.0.0.71
    • Add a new resource record
    pdnsutil add-record home.local ea A 300 10.0.0.72
    • List all zones
    pdnsutil list-all-zones
    • Delete a zone
    pdnsutil delete-zone home.local
    • Delete a resource record
    pdnsutil delete-rrset home.local ea A
    • Update resource record
    pdnsutil replace-rrset home.local ea A 3600 10.0.0.1
    • Edit a zone
    export EDITOR=vim
pdnsutil edit-zone home.local

    Cache purge entries

    pdns_control purge test1.home.local

    DNS-UPDATE (RFC2136)

    Activation

    • Generate the tsig key for the domain to securize
    pdnsutil generate-tsig-key homelocal_update hmac-md5
    • Activate the key in the domain
    pdnsutil set-meta home.local TSIG-ALLOW-DNSUPDATE homelocal_update
    • Authorize just some network to make update in the zone
    pdnsutil set-meta home.local ALLOW-DNSUPDATE-FROM 10.0.0.0/24
    • Activate notification to slave server on each update
    pdnsutil set-meta home.local NOTIFY-DNSUPDATE 1
    • Display all TSIG keys
    pdnsutil list-tsig-keys

    Testing DNS UPDATE

    • Create the file dnsupdate.txt with the following content
    server <pdns_ip_address> <pdns_port>
zone home.local
update add test1.home.local 3600 A 10.0.0.140
key <key_name> <tsig_key>
show
send
    • Execute the nsupdate command to make the update in the zone
    nsupdate -v dnsupdate.txt

    GSLB feature

    • Update the configuration to activate LUA
    enable-lua-records=yes
    • Return time with TXT type
    pdnsutil add-record time.gslb.test time LUA 0 'TXT "os.date()"'

dig @10.0.0.235 -t txt time.gslb.test +short
"Mon Oct 14 16:05:06 2019"
    • Return random IP with round robin
    pdnsutil add-record gslb.test roundrobin LUA 0 "A 
\"pickrandom({'10.0.0.1','10.0.0.2','10.0.0.3','10.0.0.4'})\""
    • Return specific IP accord to the result of TCP monitor. If all backends are down, then the complete list is returned otherwhise just one server is returned in random mode.
    pdnsutil add-record gslb.test tcp LUA 0 "A 
\"ifportup(80,{'10.0.0.1', '10.0.0.2'}, {selector='random',backupSelector='all'})\""
    • Return specific IP accord to the result of HTTP monitor. An URL is currently considered UP if the HTTP response codeis equal to 200. The checks are performed sequentially, with aminimum delay of 5 seconds.
    pdnsutil add-record gslb.test http LUA 0 "A 
\"ifurlup('http://home.local', {'10.0.0.1','10.0.0.2'}, 
{selector='random', backupSelector='all',stringmatch='UP'})\""

    Play with REST API

    • Get all zones
    curl -s -H 'X-API-Key: dns' http://127.0.0.1:8082/api/v1/servers/localhost
    • Get a specific zone
    curl -s -H 'X-API-Key: dns' http://127.0.0.1:8082/api/v1/servers/localhost/zones/home.local
    • Generate a TSIG key
    curl -s -X POST -H "X-API-Key: dns" -H "Content-Type: application/json" 
-d '{"name": "mytsigkey2", "algorithm": "hmac-sha256"}' 
http://127.0.0.1:8082/api/v1/servers/localhost/tsigkeys
    • Get metadata for a specific zone
    curl -s -H 'X-API-Key: dns' http://127.0.0.1:8082/api/v1/servers/localhost/zones/home.local/metadata
    • Delete metadata
    curl -s -X DELETE -H 'X-API-Key: dns'
http://127.0.0.1:8082/api/v1/servers/localhost/zones/home.local/metadata/ALLOW-DNSUPDATE-FROM
    • Add metadata
    curl -s -X POST -H 'X-API-Key: dns' -H "Content-Type: application/json" -d "@restapi_metadata.json"
http://127.0.0.1:8082/api/v1/servers/localhost/zones/home.local/metadata
    • Update RR
    curl -s -X PATCH -H "X-API-Key: dns" -d '{"rrsets": [{"name": "test1.home.local.", "type": "A",
"changetype": "REPLACE", "records": [{"content": "3.100.10.72", "disabled": false}],
"ttl": 3600}]}' http://10.0.0.235:8082/api/v1/servers/localhost/zones/home.local.
    propulsed by hugo and hugo-theme-gists