
PowerDNS 1 - Introduction and installation

2022-06-09 06:05:00 tinychen777

This article introduces the main features of PowerDNS and how to install and configure it initially. The focus is on the more complex PowerDNS Authoritative Server; the initial installation and configuration of the PowerDNS Recursor is covered alongside it.

1、PowerDNS introduction

PowerDNS (PDNS) was founded in the late 1990s and is a major provider of open-source DNS software, services and support. Both its authoritative DNS server and its recursive DNS server are 100% open-source software, and, like Red Hat and other open-source vendors, the company also sells paid support. It states that, to avoid competing with the users of its software, it provides only service and support and does not offer hosted DNS.

Our Authoritative Server, Recursor and dnsdist products are 100% open source. For the service provider market, OX also sells the PowerDNS Platform which builds on our Open Source products to deliver an integrated DNS solution with 24/7 support and includes features as parental control, malware filtering, automated attack mitigation, and long-term query logging & searching.

Anyone familiar with how DNS works can roughly describe the two kinds of work a DNS server does: answering from the data it holds (or has cached) and recursing upward to other servers. Unlike BIND, dnsmasq and most other DNS software, PowerDNS splits these two roles into separate products, PowerDNS Authoritative Server and PowerDNS Recursor, one for each requirement. What is usually just called pdns is the PowerDNS Authoritative Server (hereafter PDNS Auth). It is meant to be an authoritative name server: it answers only for the zones it holds and does not recurse for other names; recursion is the Recursor's job.

The PowerDNS website describes the PowerDNS Recursor as a high-performance recursive DNS server with built-in scripting capabilities that already powers more than 150 million internet connections.

The PowerDNS Recursor is a high-performance DNS recursor with built-in scripting capabilities. It is known to power the resolving needs of over 150 million internet connections.

The official documentation for the PowerDNS Recursor (hereafter pdns-rec) can be found here. The built-in scripting capability refers to the Lua script support that the configuration file has offered since version 4.0.0.

2、PowerDNS installation

2.1 Installing the PowerDNS Authoritative Server

Here we use the classic CentOS 7 for installation and testing. The version and kernel information of the system:

[[email protected] home]# lsb_release -a
LSB Version:    :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID: CentOS
Description:    CentOS Linux release 7.9.2009 (Core)
Release:        7.9.2009
Codename:       Core
[[email protected] home]# uname -r
3.10.0-1160.11.1.el7.x86_64

pdns supports the mainstream operating systems well. On CentOS it can be installed directly from a yum repository; on Red Hat based systems there are three options: the EPEL source, the third-party repository from Kees Monshouwer, and the official PowerDNS repositories.

On RedHat based systems there are 3 options to install PowerDNS, from EPEL, the repository from Kees Monshouwer or from the PowerDNS repositories:

Installing from EPEL may not give you the latest version.

If network conditions allow, the best approach is to install directly from the official repo. If you use the master repo, you get the latest development build:

yum install epel-release yum-plugin-priorities
curl -o /etc/yum.repos.d/powerdns-auth-master.repo https://repo.powerdns.com/repo-files/centos-auth-master.repo
yum install pdns
yum install pdns-backend-$backend

Here we install the latest stable release, 4.4, and choose pdns-backend-mysql as the backend (substitute it for $backend below):

yum install epel-release yum-plugin-priorities
curl -o /etc/yum.repos.d/powerdns-auth-44.repo https://repo.powerdns.com/repo-files/centos-auth-44.repo
yum install pdns
yum install pdns-backend-$backend

Note that in some package sources the bind backend ships as part of the base pdns package, so there is no separate pdns-backend-bind package.

2.2 Installing the PowerDNS Recursor

For the Recursor we again use a CentOS 7 host for installation and testing. Its version and kernel information:

[[email protected] /home]# lsb_release -a
LSB Version:    :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID: CentOS
Description:    CentOS Linux release 7.9.2009 (Core)
Release:        7.9.2009
Codename:       Core
[[email protected] /home]# uname -r
3.10.0-1160.24.1.el7.x86_64

pdns supports the mainstream operating systems well. On Red Hat, CentOS and related distributions it can be installed from EPEL, but EPEL may not carry the latest version.

On Red Hat, CentOS and related distributions, ensure that EPEL is available. To install the PowerDNS Recursor, run yum install pdns-recursor as root.

If network conditions allow, the best approach is to install directly from the official repo. With the master branch repo you get the latest development build; officially, the master repository corresponds to the master branch under development on GitHub.

yum install epel-release yum-plugin-priorities &&
curl -o /etc/yum.repos.d/powerdns-rec-master.repo https://repo.powerdns.com/repo-files/centos-rec-master.repo &&
yum install pdns-recursor

We can also pick a specific pdns version through the corresponding official yum repo. Each version branch has its own support window, and once a version reaches end of life its repository is no longer maintained; the EOL information for pdns-rec can be found here. Because 4.5.x was still at the rc stage at the time of writing, we install the latest stable 4.4.x here.

yum install epel-release yum-plugin-priorities &&
curl -o /etc/yum.repos.d/powerdns-rec-44.repo https://repo.powerdns.com/repo-files/centos-rec-44.repo &&
yum install pdns-recursor

3、Installing and configuring MySQL for pdns-auth

3.1 Installing MySQL

pdns has no special requirements on the MySQL version or on how it is installed; 5.7+ or 8.0+ are both fine. Here we install MySQL 8.0 with yum.

The repo file for the latest MySQL version can be downloaded from the official site: https://dev.mysql.com/downloads/repo/yum/

If you need 5.7 instead, its repo package can be fetched with wget as shown on the first line; the remaining steps use the 8.0 repo package from the page above:

wget http://repo.mysql.com/mysql57-community-release-el7-9.noarch.rpm
[[email protected] /root]# rpm -ivh mysql80-community-release-el7-3.noarch.rpm
[[email protected] /root]# yum update
[[email protected] /root]# yum install mysql-server
[[email protected] /root]# mysqladmin --version
mysqladmin  Ver 8.0.23 for Linux on x86_64 (MySQL Community Server - GPL)

# MySQL 8 writes the generated initial root password to the log
[[email protected] /root]# grep 'temporary password' /var/log/mysqld.log
[[email protected] /root]# mysql -u root -p

3.2 Creating the user

Next we do the basic database work: create the database and the user for pdns and grant the required privileges:

-- Change the root password
ALTER USER 'root'@'localhost' IDENTIFIED BY 'your-new-password';
-- Note that 'localhost' may not be the only host entry for root; check with:
SELECT user, host, authentication_string, plugin FROM mysql.user;

-- Create a MySQL user named powerdns that can only log in locally,
-- and a database named powerdns that this user may access
CREATE USER 'powerdns'@'localhost' IDENTIFIED BY 'your-new-password';
CREATE DATABASE powerdns;
-- GRANT ALL is convenient for a lab; in production, once the schema below exists,
-- the server itself only needs SELECT, INSERT, UPDATE and DELETE on powerdns.*
GRANT ALL ON powerdns.* TO 'powerdns'@'localhost';
FLUSH PRIVILEGES;

-- With MySQL 8 the default caching_sha2_password plugin is not supported by the older
-- client library that pdns links against on CentOS 7 (the connection fails with
-- ERROR 2059 (HY000)), so switch the user to mysql_native_password
ALTER USER 'powerdns'@'localhost' IDENTIFIED WITH mysql_native_password BY 'your-new-password';

3.3 Creating the tables

The tables are created exactly as in the official documentation; adjust them if you have special requirements:

CREATE TABLE domains (
  id                    INT AUTO_INCREMENT,
  name                  VARCHAR(255) NOT NULL,
  master                VARCHAR(128) DEFAULT NULL,
  last_check            INT DEFAULT NULL,
  type                  VARCHAR(6) NOT NULL,
  notified_serial       INT UNSIGNED DEFAULT NULL,
  account               VARCHAR(40) CHARACTER SET 'utf8' DEFAULT NULL,
  PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';

CREATE UNIQUE INDEX name_index ON domains(name);


CREATE TABLE records (
  id                    BIGINT AUTO_INCREMENT,
  domain_id             INT DEFAULT NULL,
  name                  VARCHAR(255) DEFAULT NULL,
  type                  VARCHAR(10) DEFAULT NULL,
  content               VARCHAR(64000) DEFAULT NULL,
  ttl                   INT DEFAULT NULL,
  prio                  INT DEFAULT NULL,
  disabled              TINYINT(1) DEFAULT 0,
  ordername             VARCHAR(255) BINARY DEFAULT NULL,
  auth                  TINYINT(1) DEFAULT 1,
  PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';

CREATE INDEX nametype_index ON records(name,type);
CREATE INDEX domain_id ON records(domain_id);
CREATE INDEX ordername ON records (ordername);


CREATE TABLE supermasters (
  ip                    VARCHAR(64) NOT NULL,
  nameserver            VARCHAR(255) NOT NULL,
  account               VARCHAR(40) CHARACTER SET 'utf8' NOT NULL,
  PRIMARY KEY (ip, nameserver)
) Engine=InnoDB CHARACTER SET 'latin1';


CREATE TABLE comments (
  id                    INT AUTO_INCREMENT,
  domain_id             INT NOT NULL,
  name                  VARCHAR(255) NOT NULL,
  type                  VARCHAR(10) NOT NULL,
  modified_at           INT NOT NULL,
  account               VARCHAR(40) CHARACTER SET 'utf8' DEFAULT NULL,
  comment               TEXT CHARACTER SET 'utf8' NOT NULL,
  PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';

CREATE INDEX comments_name_type_idx ON comments (name, type);
CREATE INDEX comments_order_idx ON comments (domain_id, modified_at);


CREATE TABLE domainmetadata (
  id                    INT AUTO_INCREMENT,
  domain_id             INT NOT NULL,
  kind                  VARCHAR(32),
  content               TEXT,
  PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';

CREATE INDEX domainmetadata_idx ON domainmetadata (domain_id, kind);


CREATE TABLE cryptokeys (
  id                    INT AUTO_INCREMENT,
  domain_id             INT NOT NULL,
  flags                 INT NOT NULL,
  active                BOOL,
  published             BOOL DEFAULT 1,
  content               TEXT,
  PRIMARY KEY(id)
) Engine=InnoDB CHARACTER SET 'latin1';

CREATE INDEX domainidindex ON cryptokeys(domain_id);


CREATE TABLE tsigkeys (
  id                    INT AUTO_INCREMENT,
  name                  VARCHAR(255),
  algorithm             VARCHAR(50),
  secret                VARCHAR(255),
  PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';

CREATE UNIQUE INDEX namealgoindex ON tsigkeys(name, algorithm);

4、Configuring pdns for MySQL

4.1 MySQL-related settings

# gmysql-host
#   IP address of the MySQL server to connect to; mutually exclusive with gmysql-socket

# gmysql-port
#   Port of the MySQL server; default: 3306

# gmysql-socket
#   Path of the UNIX socket to connect to; mutually exclusive with gmysql-host

# gmysql-dbname
#   Database to use; default: powerdns

# gmysql-user
#   User name to connect as; default: powerdns

# gmysql-group
#   Group in my.cnf from which client options are read; default: client

# gmysql-password
#   Password of the user used to connect to the database

# gmysql-dnssec
#   Enable DNSSEC processing for this backend; default: no

# gmysql-innodb-read-committed
#   Use the InnoDB READ-COMMITTED transaction isolation level; default: yes

# gmysql-ssl
#   Request an SSL/TLS connection to MySQL; default: no

# gmysql-timeout
#   Timeout in seconds for each read from or write to the database, 0 disables it; default: 10

# gmysql-thread-cleanup
#   Some older MySQL/MariaDB client libraries (for example the one shipped with RHEL 7) leak memory
#   unless the application explicitly tells the library when each thread ends. Enabling
#   gmysql-thread-cleanup makes PowerDNS call mysql_thread_end() whenever a thread finishes.
#   Only enable it when you are sure you need it; see https://github.com/PowerDNS/pdns/issues/6231.

4.2 pdns.conf

[[email protected] ~]# cat /etc/pdns/pdns.conf
api=yes
# static shared secret for the REST API; use a long random value, e.g. from: openssl rand -base64 32
api-key=your-api-key
config-dir=/etc/pdns
write-pid=yes

daemon=no
guardian=no

launch=gmysql
gmysql-host=localhost
gmysql-port=3306
gmysql-dbname=your-database-name
gmysql-user=your-username
gmysql-password=your-password

# loglevel=9 and log-dns-queries=yes are debugging settings (every query is written to syslog);
# turn them back down once the setup works (the default loglevel is 4)
log-dns-details=yes
log-dns-queries=yes
log-timestamp=yes
loglevel=9
logging-facility=0

# drop privileges to the unprivileged account the package creates; do not run pdns_server as root
setgid=pdns
setuid=pdns

webserver=yes
webserver-address=192.168.100.100
webserver-loglevel=detailed
webserver-port=8081
# webserver-allow-from is the whitelist of IPs allowed to reach the webserver and the API; separate entries with commas.
# The built-in webserver is plain HTTP, so the API key crosses the network in clear: keep the list tight,
# or bind to 127.0.0.1 and put a TLS reverse proxy in front
webserver-allow-from=192.168.100.0/24
# addresses pdns listens on for DNS; separate multiple IPs with commas
local-address=192.168.100.100
query-local-address=192.168.100.100
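To make the review of such a configuration repeatable, here is an added example (not code from the original article or from PowerDNS) that parses the key=value format of pdns.conf and flags the settings a reviewer would question in a file like the one above: running as root, a short API key, the API exposed over plain HTTP on a non-loopback address, a wide-open webserver-allow-from, debug-level logging and per-query logging left on, and keys defined twice. The sample configuration, the key-length threshold and the loglevel threshold are this example's own assumptions.

```python
"""Audit a pdns.conf for risky settings.

Added example for this article; it is not code from the original post or
from the PowerDNS project. It reads the key=value format of pdns.conf and
flags the choices a reviewer would question in the configuration above.
The thresholds (key length, loglevel) are this example's own rules of thumb.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample that mirrors the article's pdns.conf (secrets replaced).
SAMPLE_CONF = """\
api=yes
api-key=CHANGEME
config-dir=/etc/pdns
launch=gmysql
gmysql-host=localhost
gmysql-password=secret
log-dns-queries=yes
loglevel=9
log-timestamp=yes
log-timestamp=yes
setgid=root
setuid=root
webserver=yes
webserver-address=192.168.100.100
webserver-port=8081
webserver-allow-from=192.168.100.0/24
local-address=192.168.100.100
"""


def parse_conf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (settings, duplicated_keys). Lines starting with '#' are comments."""
    settings: Dict[str, str] = {}
    dupes: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in settings and key not in dupes:
            dupes.append(key)
        settings[key] = value
    return settings, dupes


def audit(settings: Dict[str, str], dupes: List[str]) -> List[Tuple[str, str]]:
    """Return (setting, finding) pairs for settings worth changing before go-live."""
    findings: List[Tuple[str, str]] = []

    # Privilege: the packaged service account is 'pdns'; root buys nothing.
    for key in ("setuid", "setgid"):
        if settings.get(key) in ("root", "0"):
            findings.append((key, "runs as root; use the unprivileged pdns account"))

    # API key: a static shared secret, so it should be long and random.
    if settings.get("api", "no") == "yes" and len(settings.get("api-key", "")) < 20:
        findings.append(("api-key", "missing or short; generate a long random key"))

    if settings.get("webserver", "no") == "yes":
        addr = settings.get("webserver-address", "127.0.0.1")
        try:
            on_loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            on_loopback = False
        if not on_loopback:
            # The built-in webserver speaks plain HTTP, so the key crosses the wire in clear.
            findings.append(("webserver-address",
                             "API exposed over plain HTTP on a non-loopback address; "
                             "bind to loopback and front it with a TLS proxy"))
        for entry in settings.get("webserver-allow-from", "").split(","):
            entry = entry.strip()
            if not entry:
                continue
            try:
                if ipaddress.ip_network(entry, strict=False).prefixlen == 0:
                    findings.append(("webserver-allow-from", f"{entry} allows every source address"))
            except ValueError:
                findings.append(("webserver-allow-from", f"cannot parse {entry!r}"))

    # Logging: 9 is the debug maximum (default 4); per-query logging is noisy and records client IPs.
    try:
        if int(settings.get("loglevel", "4")) > 4:
            findings.append(("loglevel", "above the default of 4; keep debug levels for troubleshooting only"))
    except ValueError:
        findings.append(("loglevel", "not a number"))
    if settings.get("log-dns-queries", "no") == "yes":
        findings.append(("log-dns-queries", "logs every query; disable in production or cap retention"))

    for key in dupes:
        findings.append((key, "set more than once; keep a single definition"))
    return findings


if __name__ == "__main__":
    for key, message in audit(*parse_conf(SAMPLE_CONF)):
        print(f"{key}: {message}")
```

Run it against /etc/pdns/pdns.conf by reading the file into parse_conf; a clean production file (pdns user, long key, webserver on 127.0.0.1 behind a proxy, loglevel 4, no query logging) produces no findings.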

4.3 pdns-rec configuration

Apart from the default file name and a few recursor-specific options, most of pdns-rec's configuration follows the same conventions as pdns-auth, so it is not covered in detail here.

[[email protected] /etc/pdns-recursor]# realpath recursor.conf
/etc/pdns-recursor/recursor.conf

5、pdns log handling

The relevant official documentation can be found here. During debugging we set the log level to the maximum, 9, so that nothing important is missed, and route messages of different severities to different files.

Modify the rsyslog configuration on CentOS and restart the service (logging-facility=0 in pdns.conf selects the local0 facility used below):

# mkdir -p /etc/pdns/logs

# cat /etc/rsyslog.conf | grep pdns
local0.info                       /etc/pdns/logs/pdns.info.log
local0.warn                       /etc/pdns/logs/pdns.warn.log
local0.err                        /etc/pdns/logs/pdns.err.log

systemctl restart rsyslog.service

Modify the systemd unit file of pdns: remove the --disable-syslog switch together with the other redundant command-line overrides, so that all settings live in pdns.conf, which makes later management and operations easier. Note that /usr/lib/systemd/system/pdns.service belongs to the package and is overwritten on upgrade; the durable way is a drop-in created with systemctl edit pdns that first clears ExecStart= and then sets the new line.

vim /usr/lib/systemd/system/pdns.service

# Replace the original start-up parameters
# ExecStart=/usr/sbin/pdns_server --socket-dir=%t/pdns --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
# with
ExecStart=/usr/sbin/pdns_server --socket-dir=%t/pdns

systemctl daemon-reload
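Once the query log lands in pdns.info.log, it is worth doing something with it. The following is an added example (not code from the original article or from PowerDNS) that parses the per-query line pdns_server emits when log-dns-queries=yes, of the form "Remote <ip> wants '<qname>|<qtype>', do = <0|1>, bufsize = <n>: packetcache <HIT|MISS>" behind the rsyslog header, and then flags source addresses that ask for many different names, which on an authoritative server is typical of subdomain brute-forcing or tunnelling. The sample lines are constructed, the exact wording of the line varies between versions, and the threshold is an assumption; check the regex against your own log before relying on it.

```python
"""Parse PowerDNS authoritative query-log lines and flag enumerating clients.

Added example for this article; not code from the original post or from
PowerDNS. With log-dns-queries=yes, pdns_server writes one
"Remote <ip> wants '<qname>|<qtype>', do = <0|1>, bufsize = <n>: packetcache <HIT|MISS>"
line per query; rsyslog prepends its own header. The sample lines below are
constructed, and the exact wording varies between versions, so check the
regex against your own pdns.info.log before relying on it.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional

QUERY_RE = re.compile(
    r"Remote (?P<client>\S+) wants '(?P<qname>[^|']+)\|(?P<qtype>[^']+)', "
    r"do = (?P<do>[01]), bufsize = (?P<bufsize>\d+): packetcache (?P<cache>HIT|MISS)"
)


class Query(NamedTuple):
    client: str
    qname: str
    qtype: str
    dnssec_ok: bool
    bufsize: int
    cache_hit: bool


def parse_line(line: str) -> Optional[Query]:
    """Return a Query for a query-log line, or None for any other log line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return Query(
        client=m["client"],
        qname=m["qname"].lower().rstrip("."),
        qtype=m["qtype"].upper(),
        dnssec_ok=m["do"] == "1",
        bufsize=int(m["bufsize"]),
        cache_hit=m["cache"] == "HIT",
    )


def parse_log(lines: Iterable[str]) -> List[Query]:
    return [q for q in (parse_line(line) for line in lines) if q is not None]


def distinct_names_per_client(queries: Iterable[Query]) -> Dict[str, int]:
    seen: Dict[str, set] = defaultdict(set)
    for q in queries:
        seen[q.client].add(q.qname)
    return {client: len(names) for client, names in seen.items()}


def suspicious_clients(queries: Iterable[Query], max_distinct: int = 8) -> Dict[str, int]:
    """Clients asking for at least max_distinct different names.

    An authoritative server normally sees the same handful of names over and
    over; one source walking many labels of a zone is typical of subdomain
    brute-forcing or DNS tunnelling. The threshold is an assumption to tune
    per zone size and traffic.
    """
    return {c: n for c, n in distinct_names_per_client(queries).items() if n >= max_distinct}


# Constructed sample: a normal client, an enumerating client and one non-query line.
_PREFIX = "Feb 24 17:01:{:02d} ns1 pdns_server[1512]: "
SAMPLE_LOG = [
    _PREFIX.format(2) + "Remote 192.168.100.20 wants 'www.example.org|A', do = 0, bufsize = 1232: packetcache MISS",
    _PREFIX.format(2) + "Remote 192.168.100.20 wants 'www.example.org|A', do = 0, bufsize = 1232: packetcache HIT",
    _PREFIX.format(3) + "Remote 192.168.100.20 wants 'example.org|MX', do = 1, bufsize = 4096: packetcache MISS",
    _PREFIX.format(9) + "gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.",
] + [
    _PREFIX.format(4 + i) + f"Remote 203.0.113.7 wants '{label}.example.org|A', do = 0, bufsize = 512: packetcache MISS"
    for i, label in enumerate(["mail", "vpn", "dev", "staging", "git", "admin", "intranet", "backup"])
]

if __name__ == "__main__":
    qs = parse_log(SAMPLE_LOG)
    print(f"{len(qs)} queries parsed")
    for client, n in suspicious_clients(qs).items():
        print(f"{client}: {n} distinct names")
```

Feed it the real file with parse_log(open("/etc/pdns/logs/pdns.info.log")); the non-query lines (database connections, startup messages) are skipped, and the cache_hit flag lets you separate packet-cache hits from queries that reached the MySQL backend.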

6、pdns-auth API requests

PDNS provides a REST API. Every request must carry the api-key configured in pdns.conf in the X-API-Key header; without it the server does not return the result but answers 401 Unauthorized.

[[email protected] ~]# curl -v http://192.168.100.100:8081/api/v1/servers
*   Trying 192.168.100.100...
* TCP_NODELAY set
* Connected to 192.168.100.100 (192.168.100.100) port 8081 (#0)
> GET /api/v1/servers HTTP/1.1
> Host: 192.168.100.100:8081
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Connection: close
< Content-Length: 12
< Content-Type: text/plain; charset=utf-8
< Server: PowerDNS/4.4.0
< Www-Authenticate: X-API-Key realm="PowerDNS"
<
* Closing connection 0
Unauthorized

With the correct key the request returns the information as JSON:

[[email protected] ~]# curl -v -H 'X-API-Key: <the api-key from pdns.conf>' http://192.168.100.100:8081/api/v1/servers
*   Trying 192.168.100.100...
* TCP_NODELAY set
* Connected to 192.168.100.100 (192.168.100.100) port 8081 (#0)
> GET /api/v1/servers HTTP/1.1
> Host: 192.168.100.100:8081
> User-Agent: curl/7.61.1
> Accept: */*
> X-API-Key: <the api-key from pdns.conf>
>
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Connection: close
< Content-Length: 249
< Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
< Content-Type: application/json
< Server: PowerDNS/4.4.0
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-Permitted-Cross-Domain-Policies: none
< X-Xss-Protection: 1; mode=block
<
* Closing connection 0
[{
    "config_url": "/api/v1/servers/localhost/config{/config_setting}",
    "daemon_type": "authoritative",
    "id": "localhost",
    "type": "Server",
    "url": "/api/v1/servers/localhost",
    "version": "4.4.0",
    "zones_url": "/api/v1/servers/localhost/zones{/zone}"
}]

7、DNS resolution

pdns-rec is a plain recursive resolver (Recursor): it resolves names by querying upward and caches the DNS records it obtains for the configured cache time.

PDNS Auth, by contrast, only answers queries for DNS records it already holds. For a zone it does not serve it answers REFUSED, and for a missing name inside a zone it serves it answers NXDOMAIN; it never recurses upward. As a comparison we used the lightweight DNS server dnsmasq; neither server had any manually added DNS records. (The screenshot of the test results is not reproduced here.)

The test results show that pdns auth returns only the records that exist in its own database, so we add records to pdns by hand and query again.

Here we use the pdnsutil tool for a simple test: first create a zone for example.org, then add an MX record and an A record under example.org, and finally query with dig:

[[email protected] pdns]# pdnsutil create-zone example.org ns1.example.com
Feb 24 16:54:48 gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Feb 24 16:54:48 gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Creating empty zone 'example.org'
Feb 24 16:54:48 No serial for 'example.org' found - zone is missing?
Also adding one NS record

[[email protected] pdns]# pdnsutil list-all-zones
Feb 24 16:54:59 gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Feb 24 16:54:59 gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
tinychen.com
example.org

[[email protected] pdns]# pdnsutil add-record example.org '' MX '25 mail.example.org'
Feb 24 16:55:36 gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Feb 24 16:55:36 gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
New rrset:
example.org. 3600 IN MX 25 mail.example.org

[[email protected] pdns]# pdnsutil add-record example.org. www A 192.168.100.100
Feb 24 16:56:09 gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
Feb 24 16:56:09 gmysql Connection successful. Connected to database 'powerdns' on 'localhost'.
New rrset:
www.example.org. 3600 IN A 192.168.100.100

We do the same for tinychen.com, after which the query returns the configured IP. (The screenshot showing the dig output, with tinychen.com resolving to the manually set IP, is not reproduced here.)
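The pdnsutil steps above and the curl calls in section 6 can be driven from the REST API as well. The following is an added example (not code from the original article or a PowerDNS library) of a small API client: it sends X-API-Key and turns a 401 into a clear error, creates a zone (POST .../zones) and replaces RRsets (PATCH .../zones/<zone> with changetype REPLACE), which is the API equivalent of pdnsutil create-zone and add-record. Unlike the pdnsutil call above, the API expects names in record content fully qualified, hence "25 mail.example.org." with a trailing dot. The base URL and key are placeholders, and the fake transport used for the offline demo is this example's own; pass urllib_transport (the default) to talk to a real server.

```python
"""Drive the pdns-auth REST API the way the curl calls in section 6 do.

Added example for this article; not the article's own code or a PowerDNS
library. It sends X-API-Key (a 401 means the key is missing or wrong),
creates a zone and replaces RRsets, i.e. the API equivalent of the pdnsutil
create-zone/add-record steps in section 7. The base URL, key and the fake
transport used for the offline demo are assumptions of this example; pass
urllib_transport to talk to a real server.
"""
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

# transport(method, url, headers, body) -> (status, response bytes)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fqdn(name: str) -> str:
    """The API wants every zone and owner name with a trailing dot."""
    return name if name.endswith(".") else name + "."


class PdnsApiError(Exception):
    pass


class PdnsApi:
    def __init__(self, base_url: str, api_key: str, server_id: str = "localhost",
                 transport: Transport = urllib_transport) -> None:
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.server_id = server_id
        self.transport = transport

    def _call(self, method: str, path: str, payload: Any = None) -> Any:
        headers = {"X-API-Key": self.api_key, "Accept": "application/json"}
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        status, data = self.transport(method, self.base_url + path, headers, body)
        if status == 401:
            raise PdnsApiError("401 Unauthorized: X-API-Key missing or not equal to api-key in pdns.conf")
        if status >= 400:
            raise PdnsApiError(f"{status}: {data.decode(errors='replace')}")
        return json.loads(data) if data else None   # 204 (PATCH) carries no body

    def servers(self) -> List[Dict[str, Any]]:
        return self._call("GET", "/api/v1/servers")

    def create_zone(self, name: str, nameservers: List[str], kind: str = "Native") -> Dict[str, Any]:
        payload = {"name": fqdn(name), "kind": kind, "nameservers": [fqdn(ns) for ns in nameservers]}
        return self._call("POST", f"/api/v1/servers/{self.server_id}/zones", payload)

    def replace_rrset(self, zone: str, name: str, rtype: str, contents: List[str], ttl: int = 3600) -> None:
        """REPLACE swaps the whole RRset for name/type; changetype DELETE removes it."""
        rrset = {"name": fqdn(name), "type": rtype, "ttl": ttl, "changetype": "REPLACE",
                 "records": [{"content": c, "disabled": False} for c in contents]}
        self._call("PATCH", f"/api/v1/servers/{self.server_id}/zones/{fqdn(zone)}", {"rrsets": [rrset]})


def make_fake_transport(expected_key: str, calls: List[Tuple[str, str, Any]]) -> Transport:
    """Offline stand-in for a 4.4 server: records each call and enforces the key."""
    def transport(method, url, headers, body):
        calls.append((method, url, json.loads(body) if body else None))
        if headers.get("X-API-Key") != expected_key:
            return 401, b"Unauthorized"
        if method == "GET" and url.endswith("/api/v1/servers"):
            return 200, json.dumps([{"id": "localhost", "daemon_type": "authoritative",
                                     "version": "4.4.0"}]).encode()
        if method == "POST" and url.endswith("/zones"):
            return 201, body            # the real server echoes the created zone object
        if method == "PATCH":
            return 204, b""
        return 404, b"Not Found"
    return transport


if __name__ == "__main__":
    calls: List[Tuple[str, str, Any]] = []
    api = PdnsApi("http://192.168.100.100:8081", "secret-key",
                  transport=make_fake_transport("secret-key", calls))
    print(api.servers()[0]["daemon_type"])
    api.create_zone("example.org", ["ns1.example.com"])
    api.replace_rrset("example.org", "example.org", "MX", ["25 mail.example.org."])
    api.replace_rrset("example.org", "www.example.org", "A", ["192.168.100.100"])
    try:
        PdnsApi("http://192.168.100.100:8081", "wrong",
                transport=make_fake_transport("secret-key", [])).servers()
    except PdnsApiError as err:
        print(err)
```

Against a real server the key should be loaded from the environment or a root-only file rather than written into the script, and, because the API is plain HTTP, the client should only ever talk to it over the loopback interface or through a TLS proxy.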

Original site

Copyright notice
This article was written by tinychen777; please include the original link when reposting. Thanks.
https://yzsam.com/2022/03/202203021426170061.html