PowerDNS isn’t working as expected (migration from bind)

binddebian-wheezydomain-name-systempowerdns

I am migrating our office DNS servers to powerdns with MySQL backend.
We quite often change our internal zone and therefore simple SQL query or web Ui would be much better than editing of text files for each DNS server.

I've followed this guide http://www.howtoforge.com/installing-powerdns-with-mysql-backend-and-poweradmin-on-debian-squeeze on clean Debian 7 installation and afterwards imported our existing bind zone files using zone2sql. But after I did it, in my sandbox I cannot resolve any domain name.

What was done:

fresh installation of Debian 7 from netinst without extra packages installed
follow mentioned above guide with some alterations (no manual db setup since it is already managed by package post instructions and latest version of poweradmin from GitHub)
import existing bind records using zone2sql tool (from all zone files by pointing directly to named.conf). It went smooth without any error or warning. Then fed it to MySQL database created during installation.
found that poweradmin child process crashes at start and removed /etc/poweradmin/pdns.d/pdns.local.bindbackend as it was said that this blocks reading of pdns.local.gmysql config

After that I've tried resolving some of local domain names and some of public. For public it was returning no results, for local it was returning "no recursion allowed" for CNAME records and no results for A records. However with bind everything works fine. When I go to poweradmin list of zones I can only see records for our local zone and no any other information (means all other sections are completely empty), but for local zone I can see all records are intact point to right domain name in case of CNAME or to correct IP address in case of A record.

Now question is – what was done wrong or did I miss anything?

Best Answer

Fixed by installing pdns-recursor package and binding pdns to listen on external interface (e.g 192.168.1.x) and use recursor on internal interface (e.g. 127.0.0.1).

Related Solutions

BIND – Overriding DNS Entries in BIND for Internal Networks

The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.

https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html

EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.

My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.

Go to where your Bind config files are kept on your system - here it's in /etc/bind. Create in there a file called db.rpz with the following contents:

$TTL 60
@            IN    SOA  localhost. root.localhost.  (
                          2015112501   ; serial
                          1h           ; refresh
                          30m          ; retry
                          1w           ; expiry
                          30m)         ; minimum
                   IN     NS    localhost.

localhost       A   127.0.0.1

www.some-website.com    A        127.0.0.1

www.other-website.com   CNAME    fake-hostname.com.

What does it do?

it overrides the IP address for www.some-website.com with the fake address 127.0.0.1, effectively sending all traffic for that site to the loopback address
it sends traffic for www.other-website.com to another site called fake-hostname.com

Anything that could go in a Bind zone file you can use here.

To activate these changes there are a few more steps:

Edit named.conf.local and add this section:

zone "rpz" {
  type master;
  file "/etc/bind/db.rpz";
};

The tutorial linked above tells you to add more stuff to zone "rpz" { } but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.

Edit named.conf.options and somewhere in the options { } section add the response-policy option:

options {
  // bunch
  // of
  // stuff
  // please
  // ignore

  response-policy { zone "rpz"; };
}

Now restart Bind:

service bind9 restart

That's it. The nameserver should begin overriding those records now.

If you need to make changes, just edit db.rpz, then restart Bind again.

Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local and make sure there's a logging section that includes these statements:

logging {
    // stuff
    // already
    // there

    channel my_syslog {
        syslog daemon;
        severity info;
    };
    category queries { my_syslog; };
};

Restart Bind again and that's it.

Test it on the machine running Bind:

dig @127.0.0.1 www.other-website.com. any

If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1

I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.

PowerDNS allow queries on a per domain basis

Currently this is not supported in PowerDNS.

There are several patches that will add this functionality but all have limitations. The most promising I have found is: PDNS ACLs

Best Answer

Related Solutions

BIND – Overriding DNS Entries in BIND for Internal Networks

PowerDNS allow queries on a per domain basis

Related Topic