Denis Machard

My technical gists

Infrastructure architect by profession, but he has always considered himself a developer and an open source enthusiast.

Authoritative PowerDNS installation on CentOS

PowerDNS authoritative server installation on CentOS 7 with an SQLite database

Installation

# EPEL (from the CentOS extras repo) provides luajit and libsodium, needed for LUA records, and jq
yum -y install epel-release
yum --enablerepo=epel install luajit libsodium
yum --enablerepo=epel install jq
# the sqlite package provides the sqlite3 command used below
yum install sqlite

# PowerDNS repository for the 4.2 branch; use the repo file of a branch that still receives security updates
curl -o /etc/yum.repos.d/powerdns-auth-42.repo https://repo.powerdns.com/repo-files/centos-auth-42.repo
yum install pdns pdns-tools pdns-backend-sqlite

# schema of the sqlite backend. Take the schema that matches the installed version
# (the backend package usually ships a copy under /usr/share/doc/pdns-backend-sqlite*/);
# the master branch schema can be ahead of a 4.2 server.
wget https://raw.githubusercontent.com/PowerDNS/pdns/master/modules/gsqlite3backend/schema.sqlite3.sql

mkdir /var/db/pdns
sqlite3 /var/db/pdns/pdns.db
.read schema.sqlite3.sql
.quit

# the database also holds the TSIG secrets: owned by pdns and not world readable
chown -R pdns:pdns /var/db/pdns
chmod 750 /var/db/pdns
chmod 640 /var/db/pdns/pdns.db

Configuration

vim /etc/pdns/pdns.conf

# do not reveal the version in version.bind / version.pdns CH TXT queries
version-string=anonymous
setuid=pdns
setgid=pdns

# IPv4 only: an empty local-ipv6 disables the IPv6 listener
local-ipv6=

launch=gsqlite3
gsqlite3-database=/var/db/pdns/pdns.db

# built-in webserver and REST API. It speaks plain HTTP, so the API key travels in
# clear: restrict the clients with webserver-allow-from, or bind to 127.0.0.1 and
# put a TLS reverse proxy in front of it
webserver=yes
webserver-address=0.0.0.0
webserver-port=8081
webserver-allow-from=127.0.0.0/8,10.0.0.0/24

api=on
# the key gives full control over every zone: "test" is a lab value, replace it
# with a long random secret (for example the output of: openssl rand -base64 32)
api-key=test

# act as primary: send NOTIFY to the secondaries listed in each zone's NS records
master=yes

# RFC 2136 dynamic updates. With allow-dnsupdate-from left empty nothing is
# allowed globally; access is granted per zone through the ALLOW-DNSUPDATE-FROM
# and TSIG-ALLOW-DNSUPDATE zone metadata (see the DNS-UPDATE section)
dnsupdate=yes
allow-dnsupdate-from=

local-address=0.0.0.0
# non-standard port used in this lab; a production server listens on 53
local-port=5300

# query logging writes every incoming query to the log: useful while debugging,
# too verbose (and too revealing) for a production server
log-dns-details=on
log-dns-queries=yes
log-timestamp=yes
loglevel=4

# an empty suffix disables the periodic security status poll (a TXT query to
# secpoll.powerdns.com). You then get no warning about a vulnerable version,
# so follow the release announcements some other way
security-poll-suffix=

Start server

systemctl enable pdns.service
systemctl start pdns.service

Manage zones

Manage zones and records with the pdnsutil command

  • Add a new zone. The second form creates the NS record at the same time; run one form or the other, the second call fails if the zone already exists
pdnsutil create-zone home.local
pdnsutil create-zone home.local ns1.home.local
  • Give the nameserver an address
pdnsutil add-record home.local ns1 A 3600 10.0.0.71
  • Add a new resource record (name relative to the zone, TTL in seconds)
pdnsutil add-record home.local ea A 300 10.0.0.72
  • List all zones
pdnsutil list-all-zones
  • Delete a zone
pdnsutil delete-zone home.local
  • Delete a resource record set (every record of that name and type)
pdnsutil delete-rrset home.local ea A
  • Replace a resource record set (existing records of that name and type are replaced)
pdnsutil replace-rrset home.local ea A 3600 10.0.0.1
  • Edit a zone in an editor; the zone is checked before it is written back
export EDITOR=vim
pdnsutil edit-zone home.local

Cache purge entries

Purge the packet and query cache for a name when an old answer is still being served after a change (for example after editing records directly in the database). A name ending in $ purges the whole suffix.

pdns_control purge test1.home.local

DNS-UPDATE (RFC2136)

Activation

  • Generate the TSIG key for the zone to protect. Use hmac-sha256 for new keys; hmac-md5 is still accepted by pdnsutil but should not be used any more
pdnsutil generate-tsig-key homelocal_update hmac-sha256
  • Attach the key to the zone: only updates signed with it are accepted
pdnsutil set-meta home.local TSIG-ALLOW-DNSUPDATE homelocal_update
  • Additionally restrict the networks allowed to update the zone (the TSIG requirement still applies)
pdnsutil set-meta home.local ALLOW-DNSUPDATE-FROM 10.0.0.0/24
  • Send a NOTIFY to the slave servers after each update
pdnsutil set-meta home.local NOTIFY-DNSUPDATE 1
  • Display all TSIG keys. This prints the secrets, so keep the output out of shared terminals and logs
pdnsutil list-tsig-keys

Testing DNS UPDATE

  • Create the file dnsupdate.txt with the following content. The algorithm prefix on the key line must match the generated key: without it nsupdate assumes hmac-md5
server <pdns_ip_address> <pdns_port>
zone home.local
update add test1.home.local 3600 A 10.0.0.140
key hmac-sha256:<key_name> <tsig_key>
show
send
  • Run nsupdate on the file to apply the update (-v uses TCP). The file contains the secret: chmod 600 it and remove it afterwards
nsupdate -v dnsupdate.txt
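The same update, scripted. This is an added example and not part of the original gist: it assumes nsupdate and dig (bind-utils) are installed, that the server is 10.0.0.235 on port 5300 as in the pdns.conf above, that the key was created with pdnsutil generate-tsig-key homelocal_update hmac-sha256, and that pdnsutil list-tsig-keys prints one "<name>. <algorithm>. <secret>" line per key (an assumption about the output format; the constructed sample lines in the test below follow it). The batch is fed to nsupdate on stdin, so the secret never appears in argv or in the shell history.

```shell
#!/bin/sh
# Added example, not part of the original gist: script the RFC 2136 update
# shown above instead of editing dnsupdate.txt by hand.
# Assumptions: nsupdate and dig (bind-utils) are installed, the server is
# 10.0.0.235 on port 5300 as in pdns.conf, and the key was created with
# "pdnsutil generate-tsig-key homelocal_update hmac-sha256".
set -eu

# Read "pdnsutil list-tsig-keys" output on stdin and print "<algorithm> <secret>"
# for the key named in $1. Assumed line format: "<name>. <algorithm>. <secret>";
# the trailing dots are stripped so the values can be passed straight to nsupdate.
tsig_lookup() {
    awk -v k="$1" '
        { n = $1; a = $2
          sub(/\.$/, "", n); sub(/\.$/, "", a)
          if (n == k) { print a, $3; exit } }'
}

# Print an nsupdate batch that replaces the A rrset of NAME with IP in ZONE.
# "update delete" first, so the new address does not pile up next to stale
# ones; both operations travel in one signed packet and are applied together.
build_update() {
    server=$1 port=$2 zone=$3 name=$4 ttl=$5 ip=$6 algo=$7 keyname=$8 secret=$9
    printf 'server %s %s\n' "$server" "$port"
    printf 'zone %s\n' "$zone"
    printf 'update delete %s A\n' "$name"
    printf 'update add %s %s A %s\n' "$name" "$ttl" "$ip"
    # nsupdate needs the algorithm prefix, otherwise it assumes hmac-md5
    printf 'key %s:%s %s\n' "$algo" "$keyname" "$secret"
    printf 'send\n'
}

# Feed the batch to nsupdate on stdin (-v forces TCP): the secret never shows
# up in ps output or shell history. Recent nsupdate versions exit non-zero when
# the server rejects the update, so "set -e" stops the script there.
send_update() {
    build_update "$@" | nsupdate -v
}

# Check that the authoritative server now answers with IP for NAME.
verify_update() {
    server=$1 port=$2 name=$3 ip=$4
    [ "$(dig @"$server" -p "$port" +short "$name" A)" = "$ip" ]
}

# Usage: ./dnsupdate.sh --send <secret>
# with: secret=$(pdnsutil list-tsig-keys | tsig_lookup homelocal_update | cut -d' ' -f2)
if [ "${1:-}" = "--send" ]; then
    send_update 10.0.0.235 5300 home.local test1.home.local 3600 10.0.0.140 \
                hmac-sha256 homelocal_update "$2"
    verify_update 10.0.0.235 5300 test1.home.local 10.0.0.140
fi
```

To confirm the TSIG requirement is enforced, run the batch once without the key line (drop the printf for it): the server must reject the update and nsupdate must report it, and verify_update must still return the old address.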

GSLB feature

  • Update the configuration to enable LUA records. A LUA record is code that runs inside pdns_server, so anyone who can write records into a zone (REST API, dynamic update, pdnsutil) can execute Lua on the server: enable this only when every zone editor is trusted
enable-lua-records=yes
  • Return the current time as a TXT record (-p 5300 matches local-port in pdns.conf)
pdnsutil add-record gslb.test time LUA 0 'TXT "os.date()"'

dig @10.0.0.235 -p 5300 -t txt time.gslb.test +short
"Mon Oct 14 16:05:06 2019"
  • Return a random IP from a list (round robin)
pdnsutil add-record gslb.test roundrobin LUA 0 "A \"pickrandom({'10.0.0.1','10.0.0.2','10.0.0.3','10.0.0.4'})\""
  • Return an IP according to a TCP monitor: one server whose port 80 accepts connections is picked at random (selector='random'); if all backends are down, the complete list is returned instead (backupSelector='all')
pdnsutil add-record gslb.test tcp LUA 0 "A \"ifportup(80,{'10.0.0.1', '10.0.0.2'}, {selector='random',backupSelector='all'})\""
  • Return an IP according to an HTTP monitor. A backend is considered up when the URL answers with HTTP 200 and, because stringmatch='UP' is given, the response body contains the string UP. The checks are performed sequentially with a minimum delay of 5 seconds, so a backend that has just failed can still be returned for a few seconds
pdnsutil add-record gslb.test http LUA 0 "A \"ifurlup('http://home.local', {'10.0.0.1','10.0.0.2'}, {selector='random', backupSelector='all',stringmatch='UP'})\""

Play with REST API

The key and the port must match api-key and webserver-port in pdns.conf. The key is kept in an environment variable so that it does not end up in the shell history of every command.

export PDNS_API_KEY='<api-key from pdns.conf>'

  • Get all zones
curl -s -H "X-API-Key: $PDNS_API_KEY" http://127.0.0.1:8081/api/v1/servers/localhost/zones
  • Get a specific zone
curl -s -H "X-API-Key: $PDNS_API_KEY" http://127.0.0.1:8081/api/v1/servers/localhost/zones/home.local
  • Generate a TSIG key (the response contains the secret)
curl -s -X POST -H "X-API-Key: $PDNS_API_KEY" -H "Content-Type: application/json" \
  -d '{"name": "mytsigkey2", "algorithm": "hmac-sha256"}' \
  http://127.0.0.1:8081/api/v1/servers/localhost/tsigkeys
  • Get metadata for a specific zone
curl -s -H "X-API-Key: $PDNS_API_KEY" http://127.0.0.1:8081/api/v1/servers/localhost/zones/home.local/metadata
  • Delete metadata
curl -s -X DELETE -H "X-API-Key: $PDNS_API_KEY" \
  http://127.0.0.1:8081/api/v1/servers/localhost/zones/home.local/metadata/ALLOW-DNSUPDATE-FROM
  • Add metadata. The file restapi_metadata.json holds a metadata object with a "kind" and a "metadata" list, for example {"kind": "ALLOW-DNSUPDATE-FROM", "metadata": ["10.0.0.0/24"]}
curl -s -X POST -H "X-API-Key: $PDNS_API_KEY" -H "Content-Type: application/json" -d "@restapi_metadata.json" \
  http://127.0.0.1:8081/api/v1/servers/localhost/zones/home.local/metadata
  • Update a RR. Record names must be absolute (trailing dot); REPLACE overwrites every record of that name and type
curl -s -X PATCH -H "X-API-Key: $PDNS_API_KEY" -H "Content-Type: application/json" \
  -d '{"rrsets": [{"name": "test1.home.local.", "type": "A", "changetype": "REPLACE",
       "records": [{"content": "3.100.10.72", "disabled": false}], "ttl": 3600}]}' \
  http://10.0.0.235:8081/api/v1/servers/localhost/zones/home.local.
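The calls above wrapped in a few shell functions. This is an added example and not part of the original gist: it assumes the API listens on 127.0.0.1:8081 as in the pdns.conf above, that the api-key is exported as PDNS_API_KEY, and that the zone home.local exists. The functions build the JSON bodies (rrset REPLACE and DELETE, zone metadata), force the trailing dot the API requires on record names, and hand the key to curl through a config file on stdin so it is not visible in ps or argv.

```shell
#!/bin/sh
# Added example, not part of the original gist: wrappers around the REST calls
# above. Assumptions: API on 127.0.0.1:8081 as in pdns.conf, api-key exported
# as PDNS_API_KEY, curl installed, zone home.local present.
set -eu

PDNS_API_URL=${PDNS_API_URL:-http://127.0.0.1:8081/api/v1/servers/localhost}

# Make a name absolute: the API wants "test1.home.local.", with the trailing dot.
canonical() {
    case $1 in
        *.) printf '%s\n' "$1" ;;
        *)  printf '%s.\n' "$1" ;;
    esac
}

# Body for PATCH /zones/<zone>: replace every record of NAME/TYPE with CONTENT.
rrset_replace_json() {
    name=$(canonical "$1") type=$2 ttl=$3 content=$4
    printf '{"rrsets":[{"name":"%s","type":"%s","ttl":%s,"changetype":"REPLACE","records":[{"content":"%s","disabled":false}]}]}\n' \
        "$name" "$type" "$ttl" "$content"
}

# Body for PATCH /zones/<zone>: drop the whole NAME/TYPE rrset.
rrset_delete_json() {
    printf '{"rrsets":[{"name":"%s","type":"%s","changetype":"DELETE"}]}\n' \
        "$(canonical "$1")" "$2"
}

# Body for POST /zones/<zone>/metadata, e.g. metadata_json ALLOW-DNSUPDATE-FROM 10.0.0.0/24
metadata_json() {
    printf '{"kind":"%s","metadata":["%s"]}\n' "$1" "$2"
}

# pdns_api METHOD PATH [JSON-BODY]. The key is given to curl as a config file on
# stdin ("-K -") instead of a -H argument, so it does not show up in ps or argv.
# -f makes curl exit non-zero on an HTTP error (401 on a wrong key, 422 on a bad body).
pdns_api() {
    method=$1 path=$2 body=${3:-}
    : "${PDNS_API_KEY:?export the api-key from pdns.conf first}"
    printf 'header = "X-API-Key: %s"\n' "$PDNS_API_KEY" |
        if [ -n "$body" ]; then
            curl -sSf -K - -X "$method" -H 'Content-Type: application/json' \
                --data-binary "$body" "$PDNS_API_URL$path"
        else
            curl -sSf -K - -X "$method" "$PDNS_API_URL$path"
        fi
}

# Run with --demo to exercise the calls against the live server.
if [ "${1:-}" = "--demo" ]; then
    pdns_api GET /zones
    pdns_api PATCH /zones/home.local. "$(rrset_replace_json test1.home.local A 3600 10.0.0.72)"
    pdns_api POST /zones/home.local./metadata "$(metadata_json ALLOW-DNSUPDATE-FROM 10.0.0.0/24)"
    pdns_api GET /zones/home.local./metadata
    pdns_api PATCH /zones/home.local. "$(rrset_delete_json test1.home.local A)"
fi
```

Because the API has no finer permission model than the single key, every caller of these functions has full write access to every zone; that is the reason for keeping the key out of argv and for the webserver-allow-from restriction in pdns.conf.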