External PowerDNS Server Configuration

mediumfriedchips

Hello

I have set up an external PowerDNS zone that I would like to run instead of the DirectAdmin DNS zone, so let me explain.

PowerDNS is running okay; I have a master and a slave (in 2 different locations), and I have disabled client access to the DirectAdmin DNS zone editor, as I would like them to only manage their zones from the external DNS zone editor I provide for them.

The issue I am facing is that when zones are created from the DirectAdmin DNS zone (e.g. when someone creates a new subdomain), the records are pushed to the external PowerDNS server, but it overwrites everything and changes the SOA as well as the nameservers of the domain in the PowerDNS installation.

What I want is for it to only copy the modified zones, except the nameservers and the SOA records.

Any ideas how I can resolve this?
 
Maybe I'm misunderstanding your problem, but if your DA servers already push the zones to your PowerDNS servers, why not make DA the hidden master (a very common setup) and make sure the settings in the zone in DA are correct with regard to the NS and SOA records? That way you'll only need to access DA for all setup needs, including DNS.
 
Indeed, I can confirm what kristian says.

In our network, the DirectAdmin servers are the DNS masters.
They hold the correct DNS zones, and users can change their zones via DirectAdmin.

Our PowerDNS servers are the slave servers (or autoprimary, as it is called in PowerDNS terms).

Kr
Dries
 
@Driesp or @Active8, do you know of any easy-to-set-up guide (preferably in Dutch) for PowerDNS? Or should I just look at YouTube videos?
What is best to use (uses fewer resources): MySQL or PostgreSQL or something else?
I also wonder if it can run on the same kind of small server that DirectSlave can, or if it requires more resources.
 
@Richard G I used this guide and this one in the past to set up PowerDNS on a cheap VPS.

After the install is finished (including the PowerAdmin GUI):

1. Alter the NS template for the 3rd nameserver as mentioned here:

2. I made this change in the pdns config (/etc/pdns/pdns.conf):
slave=yes
master=no
disable-axfr=yes
slave-cycle-interval=60

3. Added this vhost config (/etc/httpd/conf/httpd.conf):

<VirtualHost *:80>
ServerName ns3.myservername.nl
DocumentRoot /var/www/html
</VirtualHost>

4. Add an A (and AAAA if you are using IPv6) record for ns3 in the myservername.nl DNS,
e.g. NS3 A 185.185.185.185
(for new sites this will be added automatically because of the NS template)

5. Add this to named.conf on your DA server:
// Own DNS BEGIN
allow-transfer {185.185.185.185; };
notify yes;
also-notify {185.185.185.185; };

Where 185.185.185.185 is the IP address of your PowerDNS server.

6. Add your server in the "Supermasters" section of PowerDNS and you are good to go.

7. For security I have installed CSF with restrictions; I can share the setup by PM if needed.
 
Great, thanks @Active8, I will have a look at it and see if I can use it instead of DirectSlave, maybe, if PDNS is not using too many resources.
I've got 8 GB RAM and 200 GB disk space and I believe 4 vCPU cores.
 
In addition to Active8's configuration examples:
If you use IPv6 dual-stack for your nameservers, you need to use 'notify explicit' in place of 'notify yes'.
Notify explicit will only notify the IP addresses explicitly listed in also-notify.
I am using IPv4 only for notifications and DNS zone transfers.
If you use notify yes, BIND could notify over IPv6, and in that case you need to specify the IPv6 addresses in the supermasters MySQL table of the pdns server.

This is my pdns.conf configuration file.

Code:
daemon=yes

launch=gmysql
gmysql-host=localhost
gmysql-user=your-mysql-username-here
gmysql-password=your-mysql-password-here
gmysql-dbname=your-mysql-database-here

secondary=yes
autosecondary=yes
allow-axfr-ips=127.0.0.1
disable-axfr=yes

local-address=0.0.0.0,::
max-tcp-connections=100

version-string=anonymous

webserver=yes
webserver-address=::
webserver-password=change-password-here
webserver-port=8080
webserver-allow-from=your-ip-range-here

I am also using the packet cache and query cache.
Only use this if you know what you are doing, because you need to run a cron script to purge the cache when a zone transfer has happened.
A packet cache and query cache prevent your server from going down when a DDoS happens.
A DDoS could overload your MySQL backend quickly. A cache like this configuration will help to a degree.
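The procedure Active8 lists above (DirectAdmin as hidden master, PowerDNS as autosecondary, allow-transfer/also-notify on the BIND side, a supermaster row on the PowerDNS side) and Dries' point about 'notify explicit' on dual-stack masters can both be checked mechanically before anything goes live. The script below is an added example, not code from the thread or from PowerDNS/DirectAdmin: it parses a pdns.conf and the relevant named.conf statements and reports settings that would leave AXFR open, silently break the transfer, or cause NOTIFYs to be ignored. All inputs are constructed; the 203.0.113.0/24 and 2001:db8::/32 addresses, the assumed dual-stack DA server and the supermaster list are placeholders.

```python
"""Audit a DirectAdmin hidden-master / PowerDNS autosecondary pair.

Added example (not from the forum thread). Inputs are constructed and use
documentation address ranges; adjust to your own servers.
"""
import ipaddress
import re

OPEN_ACLS = {"any", "0.0.0.0/0", "::/0"}


def parse_pdns_conf(text):
    """pdns.conf is 'key=value' per line with '#' comments; the last key wins."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # assumes no '#' inside values
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def parse_named_options(text):
    """Extract allow-transfer, also-notify and notify from a BIND options/zone block."""
    text = re.sub(r"//[^\n]*", "", text)  # drop // comments
    out = {"allow-transfer": [], "also-notify": [], "notify": "yes"}  # BIND default is notify yes
    for key in ("allow-transfer", "also-notify"):
        m = re.search(key + r"\s*\{([^}]*)\}", text)
        if m:
            out[key] = [t.strip() for t in m.group(1).split(";") if t.strip()]
    m = re.search(r"(?<![-\w])notify\s+(yes|no|explicit|master-only)\s*;", text)
    if m:
        out["notify"] = m.group(1)
    return out


def has_open_acl(entries):
    return any(e.strip() in OPEN_ACLS for e in entries)


def audit(pdns_conf, named_options, master_addrs, supermasters):
    """Return a list of findings; an empty list means the pair looks consistent."""
    pd = parse_pdns_conf(pdns_conf)
    nd = parse_named_options(named_options)
    findings = []

    # 1. PowerDNS must act as an autosecondary (legacy names: slave / superslave)
    if pd.get("secondary", pd.get("slave", "no")) != "yes":
        findings.append("pdns: secondary=yes (legacy slave=yes) is not set")
    if pd.get("autosecondary", pd.get("superslave", "no")) != "yes":
        findings.append("pdns: autosecondary=yes not set; NOTIFY from a supermaster will not create zones")

    # 2. Nobody but localhost should be able to AXFR zones out of the secondary
    axfr_ips = pd.get("allow-axfr-ips", "127.0.0.0/8,::1").split(",")  # PowerDNS default
    if pd.get("disable-axfr", "no") != "yes" and has_open_acl(axfr_ips):
        findings.append("pdns: allow-axfr-ips is world-open and disable-axfr is not set")

    # 3. The built-in web server / API must not be reachable from everywhere
    if pd.get("webserver", "no") == "yes" and has_open_acl(pd.get("webserver-allow-from", "").split(",")):
        findings.append("pdns: webserver-allow-from is world-open")

    # 4. BIND: transfer only to the secondaries it notifies, and nothing wider
    if has_open_acl(nd["allow-transfer"]):
        findings.append("named: allow-transfer is open to any; restrict it to the secondary IPs")
    for ip in nd["also-notify"]:
        if ip not in nd["allow-transfer"]:
            findings.append(f"named: {ip} is in also-notify but not in allow-transfer; its AXFR will be refused")
    if nd["notify"] == "no":
        findings.append("named: notify no; the secondary will never learn about zone changes")

    # 5. Every address NOTIFY may be sent from needs a supermaster row on the secondary.
    #    With 'notify explicit' only the also-notify targets are contacted, so only the
    #    address families present there matter; with 'notify yes' BIND also notifies the
    #    NS-listed hosts and a dual-stack master may use its IPv6 source address.
    target_families = {ipaddress.ip_address(t).version for t in nd["also-notify"]}  # plain IP literals assumed
    for addr in master_addrs:
        family = ipaddress.ip_address(addr).version
        if nd["notify"] == "explicit" and family not in target_families:
            continue
        if nd["notify"] != "no" and addr not in supermasters:
            findings.append(f"pdns: master address {addr} may send NOTIFY but has no supermaster row "
                            "(add it, or use 'notify explicit' with IPv4-only targets)")
    return findings


# Constructed inputs, modelled on the snippets posted in the thread
SAMPLE_PDNS_CONF = """
launch=gmysql
secondary=yes
autosecondary=yes
allow-axfr-ips=127.0.0.1
disable-axfr=yes
local-address=0.0.0.0,::
webserver=yes
webserver-allow-from=203.0.113.0/24   # admin network (assumed)
"""

NAMED_NOTIFY_YES = """
// Own DNS BEGIN
allow-transfer {185.185.185.185; };
notify yes;
also-notify {185.185.185.185; };
"""
NAMED_NOTIFY_EXPLICIT = NAMED_NOTIFY_YES.replace("notify yes;", "notify explicit;")

MASTER_ADDRS = ["203.0.113.10", "2001:db8::10"]  # the DA server is dual-stack (assumed)
SUPERMASTERS = ["203.0.113.10"]                   # rows present in the pdns 'supermasters' table (assumed)

if __name__ == "__main__":
    for label, named in (("notify yes", NAMED_NOTIFY_YES), ("notify explicit", NAMED_NOTIFY_EXPLICIT)):
        print(f"[{label}]")
        for f in audit(SAMPLE_PDNS_CONF, named, MASTER_ADDRS, SUPERMASTERS) or ["no findings"]:
            print("  -", f)
```

Run as-is, the sample reproduces Dries' warning: with 'notify yes' on a dual-stack master the audit reports the master's IPv6 address missing from the supermasters table, and switching the snippet to 'notify explicit' (with IPv4-only also-notify targets) clears it. To feed the real supermaster list, read the ip column of the supermasters table in the gmysql backend; the other checks take the files as they are on disk.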
 