{"id":10995,"date":"2021-11-26T22:26:33","date_gmt":"2021-11-26T19:26:33","guid":{"rendered":"https:\/\/kifarunix.com\/?p=10995"},"modified":"2024-03-18T08:05:13","modified_gmt":"2024-03-18T05:05:13","slug":"easily-install-and-setup-powerdns-on-debian-11-debian-10","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/easily-install-and-setup-powerdns-on-debian-11-debian-10\/","title":{"rendered":"Easily Install and Setup PowerDNS on Debian 11\/Debian 10"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"584\" height=\"328\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2018\/09\/bind-dns.png\" alt=\"\" class=\"wp-image-9314\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2018\/09\/bind-dns.png 584w, https:\/\/kifarunix.com\/wp-content\/uploads\/2018\/09\/bind-dns-150x84.png 150w, https:\/\/kifarunix.com\/wp-content\/uploads\/2018\/09\/bind-dns-300x168.png 300w\" sizes=\"(max-width: 584px) 100vw, 584px\" \/><\/figure><\/div>\n\n\n<p>This tutorial is about how to easily install and setup PowerDNS on Debian 11\/Debian 10. PowerDNS \u201c<em>is a premier supplier of open source DNS software, services and support<\/em>\u201c. It provides both the Authoritative Server and the Recursor DNS products. <\/p>\n\n\n\n<p>According to&nbsp;<a href=\"https:\/\/doc.powerdns.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">PowerDNS documentation page<\/a>;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The&nbsp;<a href=\"https:\/\/doc.powerdns.com\/authoritative\" target=\"_blank\" rel=\"noreferrer noopener\">Authoritative Server<\/a>&nbsp;will answer questions about domains it knows about, but will not go out on the net to resolve queries about other domains. When the Authoritative Server answers a question, it comes out of the database, and can be trusted as being authoritative. 
There is no way to pollute the cache or to confuse the daemon.<\/li>\n\n\n\n<li>The&nbsp;<a href=\"https:\/\/doc.powerdns.com\/recursor\" target=\"_blank\" rel=\"noreferrer noopener\">Recursor<\/a>, conversely, by default has no knowledge of domains itself, but will always consult other authoritative servers to answer questions given to it.<\/li>\n<\/ul>\n\n\n\n<p>PowerDNS;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>offers very high domain resolution performance.<\/li>\n\n\n\n<li>supports a large number of different backends ranging from simple zonefiles to relational databases and load balancing\/failover algorithms.<\/li>\n\n\n\n<li>offers better security features.<\/li>\n\n\n\n<li>has a reasonably small source code base, which makes auditing easy.<\/li>\n\n\n\n<li>gives a lot of statistics on its operation, which is helpful both in determining the scalability of an installation and for spotting problems.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-power-dns-on-debian\">Installing PowerDNS on Debian<\/a><ul><li><a href=\"#run-system-update\">Run System Update<\/a><\/li><li><a href=\"#install-power-dns-relational-database\">Install PowerDNS Relational Database<\/a><\/li><li><a href=\"#setup-power-dns-on-debian-11-debian-10\">Setup PowerDNS on Debian 11\/Debian 10<\/a><ul><li><a href=\"#disable-systemd-resolved-service\">Disable systemd-resolved\u00a0service<\/a><\/li><li><a href=\"#create-power-dns-database-on-debian-11-debian-10\">Create PowerDNS Database on Debian 11\/Debian 10<\/a><\/li><li><a href=\"#import-power-dns-database-schema\">Import PowerDNS Database Schema<\/a><\/li><li><a href=\"#configure-power-dns-database-connection-details\">Configure PowerDNS Database Connection Details<\/a><\/li><li><a href=\"#verify-power-dns-database-connection\">Verify PowerDNS database connection<\/a><\/li><li><a href=\"#restart-power-dns\">Restart 
PowerDNS<\/a><\/li><\/ul><\/li><li><a href=\"#creating-power-dns-forward-zone-records\">Creating PowerDNS Forward Zone Records<\/a><ul><li><a href=\"#inserting-forward-zone-dns-records-into-power-dns-database\">Inserting Forward Zone DNS Records into PowerDNS Database<\/a><\/li><li><a href=\"#create-nameserver-ns-records\">Create Nameserver NS records<\/a><\/li><li><a href=\"#insert-a-records-for-the-nameserver\">Insert A Records for the Nameserver.<\/a><\/li><li><a href=\"#insert-mx-records\">Insert MX records<\/a><\/li><li><a href=\"#verify-power-dns-forward-resolution\">Verify PowerDNS Forward Resolution<\/a><\/li><\/ul><\/li><li><a href=\"#creating-power-dns-reverse-zone-records\">Creating PowerDNS Reverse Zone Records<\/a><ul><li><a href=\"#insert-ns-reverse-zone-record\">Insert NS Reverse Zone Record<\/a><\/li><li><a href=\"#insert-ptr-records-for-ns\">Insert PTR Records for NS<\/a><\/li><li><a href=\"#insert-other-domains-ptr-records\">Insert Other Domains PTR Records<\/a><\/li><li><a href=\"#verify-power-dns-reverse-resolution\">Verify PowerDNS Reverse Resolution<\/a><\/li><\/ul><\/li><li><a href=\"#open-dns-port-on-ufw\">Open DNS Port on UFW<\/a><\/li><li><a href=\"#configure-dns-server-on-client-systems\">Configure DNS Server on Client Systems<\/a><ul><li><a href=\"#verify-client-forward-dns-resolution\">Verify Client Forward DNS Resolution<\/a><\/li><li><a href=\"#verify-client-reverse-dns-resolution\">Verify Client Reverse DNS Resolution<\/a><\/li><\/ul><\/li><\/ul><\/li><li><a href=\"#other-tutorials\">Other Tutorials<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-power-dns-on-debian\">Installing PowerDNS on Debian<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"run-system-update\">Run System Update<\/h3>\n\n\n\n<p>To begin with, update your system package cache.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" 
id=\"install-power-dns-relational-database\">Install PowerDNS Relational Database<\/h3>\n\n\n\n<p>As stated above, the authoritative PowerDNS server supports different backends ranging from database backends such as MySQL,&nbsp;PostgreSQL,&nbsp;Oracle and&nbsp;<a href=\"https:\/\/doc.powerdns.com\/authoritative\/backends\/bind.html\" target=\"_blank\" rel=\"noreferrer noopener\">BIND zone files<\/a>&nbsp;to&nbsp;<a href=\"https:\/\/doc.powerdns.com\/authoritative\/backends\/pipe.html\" target=\"_blank\" rel=\"noreferrer noopener\">co-processes<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/doc.powerdns.com\/authoritative\/backends\/remote.html\" target=\"_blank\" rel=\"noreferrer noopener\">JSON APIs<\/a>.<\/p>\n\n\n\n<p>In this tutorial, we will use one of the relational databases, specifically MariaDB.<\/p>\n\n\n\n<p>Hence, to install the latest stable release of MariaDB, execute the commands below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install software-properties-common gnupg2 -y<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>wget -qO- https:\/\/mariadb.org\/mariadb_release_signing_key.asc | gpg --dearmor &gt; \/etc\/apt\/trusted.gpg.d\/mariadb_release_signing_key.gpg<\/code><\/pre>\n\n\n\n<p>Next, head over to the&nbsp;<a href=\"https:\/\/downloads.mariadb.org\/mariadb\/repositories\/#mirror=liquidtelecom\" target=\"_blank\" rel=\"noreferrer noopener\">MariaDB repositories site<\/a>&nbsp;and choose your installation mirror. 
In this setup, we use the&nbsp;<strong>ukfast.co.uk mirrors<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"deb &#91;arch=amd64,arm64,ppc64el] http:\/\/mirrors.ukfast.co.uk\/sites\/mariadb\/repo\/10.6\/debian $(lsb_release -sc) main\" &gt; \/etc\/apt\/sources.list.d\/mariadb.list<\/code><\/pre>\n\n\n\n<p>Update the system package cache and install MariaDB 10.6 on Debian 11\/Debian 10;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt update<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install mariadb-server -y<\/code><\/pre>\n\n\n\n<p>Once the installation is done, run the initial MySQL security script to remove anonymous users and test databases and to disallow remote root login.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mysql_secure_installation<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"setup-power-dns-on-debian-11-debian-10\">Setup PowerDNS on Debian 11\/Debian 10<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"disable-systemd-resolved-service\">Disable <code><strong>systemd-resolved<\/strong><\/code>&nbsp;service<\/h4>\n\n\n\n<p>The <code><strong>systemd-resolved<\/strong><\/code>&nbsp;service <em>provides network name resolution to local applications<\/em>. We want to use PowerDNS instead.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl disable --now systemd-resolved<\/code><\/pre>\n\n\n\n<p>Update the <code><strong>resolv.conf<\/strong><\/code> file with custom DNS server details so that you can proceed with the installation.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"nameserver 8.8.8.8\" &gt; \/etc\/resolv.conf<\/code><\/pre>\n\n\n\n<p>Next, install PowerDNS on Debian 11\/Debian 10. 
PowerDNS is provided by the&nbsp;<strong><code>pdns-server<\/code><\/strong>&nbsp;package.<\/p>\n\n\n\n<p>To ensure that you install the <a href=\"https:\/\/doc.powerdns.com\/authoritative\/changelog\/\" target=\"_blank\" rel=\"noreferrer noopener\">latest release<\/a>, you need to install PowerDNS repositories.<\/p>\n\n\n\n<p>PowerDNS 4.5 is the current stable release as of this writing. Hence the repos below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"deb &#91;arch=amd64] http:\/\/repo.powerdns.com\/debian $(lsb_release -sc)-auth-45 main\" &gt; \/etc\/apt\/sources.list.d\/pdns.list<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>cat &gt; \/etc\/apt\/preferences.d\/pdns &lt;&lt; EOL\nPackage: pdns-*\nPin: origin repo.powerdns.com\nPin-Priority: 600\nEOL<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>wget -qO- https:\/\/repo.powerdns.com\/FD380FBB-pub.asc | gpg --dearmor &gt; \/etc\/apt\/trusted.gpg.d\/pdns.gpg<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>apt update<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install pdns-server<\/code><\/pre>\n\n\n\n<p>You also need to install PowerDNS MySQL backend;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install pdns-backend-mysql<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-power-dns-database-on-debian-11-debian-10\"><a href=\"#create-pdns-database\">Create PowerDNS Database on Debian 11\/Debian 10<\/a><\/h4>\n\n\n\n<p>Now that PowerDNS and its MySQL backend packages are installed, login to MariaDB and create a database for PowerDNS nameserver.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mysql -u root<\/code><\/pre>\n\n\n\n<p>Be sure to use your preferred database names and database usernames. Names used here are not standard.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>create database kifarunixdemopdns;<\/code><\/pre>\n\n\n\n<p>Create a PowerDNS database user and grant all privileges on the PowerDNS database. 
Replace the password accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>grant all on kifarunixdemopdns.* to pdnsadmin@localhost identified by 'PdnSPassW0rd';<\/code><\/pre>\n\n\n\n<p>Reload the privileges tables and exit the database;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>flush privileges;\nquit<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"import-power-dns-database-schema\">Import PowerDNS Database Schema<\/h4>\n\n\n\n<p>The default PowerDNS database schema is available under&nbsp;<code><strong>\/usr\/share\/pdns-backend-mysql\/schema\/<\/strong><\/code>&nbsp;directory as&nbsp;<code><strong>schema.mysql.sql<\/strong><\/code>. You need to import this schema to the PowerDNS database created above;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mysql -u pdnsadmin -p kifarunixdemopdns &lt; \/usr\/share\/pdns-backend-mysql\/schema\/schema.mysql.sql<\/code><\/pre>\n\n\n\n<p>To verify the PowerDNS database schema import, try to list available tables;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mysqlshow kifarunixdemopdns<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Database: kifarunixdemopdns\n+----------------+\n|     Tables     |\n+----------------+\n| comments       |\n| cryptokeys     |\n| domainmetadata |\n| domains        |\n| records        |\n| supermasters   |\n| tsigkeys       |\n+----------------+\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-power-dns-database-connection-details\">Configure PowerDNS Database Connection Details<\/h4>\n\n\n\n<p>Create a configuration file to define the PowerDNS database connection details. 
Replace the specifics accordingly.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > \/etc\/powerdns\/pdns.d\/pdns.local.gmysql.conf << 'EOL'\n# MySQL Configuration\n#\n# Launch gmysql backend\nlaunch+=gmysql\n\n# gmysql parameters\ngmysql-host=127.0.0.1\ngmysql-port=3306\ngmysql-dbname=kifarunixdemopdns\ngmysql-user=pdnsadmin\ngmysql-password=PdnSPassW0rd\ngmysql-dnssec=yes\n# gmysql-socket=\nEOL\n<\/code><\/pre>\n\n\n\n<p>Adjust the permissions of the database connection details.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>chown pdns: \/etc\/powerdns\/pdns.d\/pdns.local.gmysql.conf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>chmod 640 \/etc\/powerdns\/pdns.d\/pdns.local.gmysql.conf<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"verify-power-dns-database-connection\">Verify PowerDNS database connection<\/h4>\n\n\n\n<p>If PowerDNS is already running, stop it and run it in the foreground to verify if it can connect to the database;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl stop pdns.service<\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>pdns_server --daemon=no --guardian=no --loglevel=9<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Nov 25 20:50:49 Loading '\/usr\/lib\/x86_64-linux-gnu\/pdns\/libbindbackend.so'\nNov 25 20:50:49 [bind2backend] This is the bind backend version 4.5.2 (Nov  9 2021 22:40:46) (with bind-dnssec-db support) reporting\nNov 25 20:50:49 Loading '\/usr\/lib\/x86_64-linux-gnu\/pdns\/libgmysqlbackend.so'\nNov 25 20:50:50 [gmysqlbackend] This is the gmysql backend version 4.5.2 (Nov  9 2021 22:40:46) reporting\nNov 25 20:50:50 This is a standalone pdns\nNov 25 20:50:50 Created local state directory '\/var\/run\/pdns\/'\nNov 25 20:50:50 Listening on controlsocket in '\/var\/run\/pdns\/pdns.controlsocket'\nNov 25 20:50:50 [bindbackend] Parsing 0 domain(s), will report when done\nNov 25 20:50:50 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed\nNov 25 20:50:50 gmysql Connection 
successful. Connected to database 'kifarunixdemopdns' on '127.0.0.1'.\nNov 25 20:50:50 UDP server bound to 0.0.0.0:53\nNov 25 20:50:50 UDP server bound to [::]:53\nNov 25 20:50:50 TCP server bound to 0.0.0.0:53\nNov 25 20:50:50 TCP server bound to [::]:53\nNov 25 20:50:50 PowerDNS Authoritative Server 4.5.2 (C) 2001-2021 PowerDNS.COM BV\nNov 25 20:50:50 Using 64-bits mode. Built using gcc 10.2.1 20210110 on Nov  9 2021 22:40:46 by root@80a4278afe39.\nNov 25 20:50:50 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.\nNov 25 20:50:50 [stub-resolver] Doing stub resolving for 'auth-4.5.2.security-status.secpoll.powerdns.com.|TXT', using resolvers: 8.8.8.8\nNov 25 20:50:50 [stub-resolver] Question for 'auth-4.5.2.security-status.secpoll.powerdns.com.|TXT' got answered by 8.8.8.8\nNov 25 20:50:50 Polled security status of version 4.5.2 at startup, no known issues reported: OK\nNov 25 20:50:50 Creating backend connection for TCP\nNov 25 20:50:50 gmysql Connection successful. Connected to database 'kifarunixdemopdns' on '127.0.0.1'.\nNov 25 20:50:50 About to create 3 backend threads for UDP\nNov 25 20:50:50 gmysql Connection successful. Connected to database 'kifarunixdemopdns' on '127.0.0.1'.\nNov 25 20:50:50 gmysql Connection successful. Connected to database 'kifarunixdemopdns' on '127.0.0.1'.\nNov 25 20:50:50 gmysql Connection successful. 
Connected to database 'kifarunixdemopdns' on '127.0.0.1'.\nNov 25 20:50:50 Done launching threads, ready to distribute questions\n<\/code><\/pre>\n\n\n\n<p>If you encounter any error, please fix it before you proceed.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"restart-power-dns\">Restart PowerDNS<\/h4>\n\n\n\n<p>Press Ctrl+C to stop PDNS running in the foreground.<\/p>\n\n\n\n<p>Restart PowerDNS to apply the changes made.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart pdns<\/code><\/pre>\n\n\n\n<p>Verify that DNS port 53 is open on both UDP and TCP;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ss -alnp4 | grep pdns<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*    users:((\"pdns_server\",pid=9986,fd=5))                   \ntcp   LISTEN 0      128          0.0.0.0:53        0.0.0.0:*    users:((\"pdns_server\",pid=9986,fd=7))<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"creating-power-dns-forward-zone-records\">Creating PowerDNS Forward Zone Records<\/h3>\n\n\n\n<p>Although you can create zones by manipulating the database directly, it is recommended to use the <code><strong>pdnsutil<\/strong><\/code> tool instead.<\/p>\n\n\n\n<p>Hence, to start with, create the forward zone;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil create-zone kifarunix-demo.com<\/code><\/pre>\n\n\n\n<p>There are various&nbsp;<a href=\"https:\/\/doc.powerdns.com\/authoritative\/modes-of-operation.html\" target=\"_blank\" rel=\"noreferrer noopener\">PowerDNS operation modes<\/a>. Native operation mode is the default mode for PowerDNS. 
You can list the native zones by running;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil list-all-zones native<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"inserting-forward-zone-dns-records-into-power-dns-database\">Inserting Forward Zone DNS Records into PowerDNS Database<\/h4>\n\n\n\n<p>Use the command below to add records;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil add-record ZONE NAME TYPE &#91;ttl] content<\/code><\/pre>\n\n\n\n<p>When you create a zone, an SOA (Start Of Authority) record is inserted automatically.<\/p>\n\n\n\n<p>You can show the details by running the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil list-zone kifarunix-demo.com<\/code><\/pre>\n\n\n\n<p>Sample Output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Nov 25 22:59:40 &#91;bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed\n$ORIGIN .\nkifarunix-demo.com\t3600\tIN\tSOA\ta.misconfigured.dns.server.invalid hostmaster.kifarunix-demo.com 0 10800 3600 604800 3600<\/code><\/pre>\n\n\n\n<p>The stored SOA format is:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>primary hostmaster serial refresh retry expire default_ttl<\/strong><\/code><\/pre>\n\n\n\n<p>Where:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>primary:&nbsp;<a href=\"https:\/\/doc.powerdns.com\/authoritative\/settings.html#setting-default-soa-name\" target=\"_blank\" rel=\"noreferrer noopener\">default-soa-name<\/a>&nbsp;configuration option<\/li>\n\n\n\n<li>hostmaster:&nbsp;<code>hostmaster@domain-name<\/code><\/li>\n\n\n\n<li>serial: 0<\/li>\n\n\n\n<li>refresh: 10800 (3 hours)<\/li>\n\n\n\n<li>retry: 3600 (1 hour)<\/li>\n\n\n\n<li>expire: 604800 (1 week)<\/li>\n\n\n\n<li>default_ttl: 3600 (1 hour)<\/li>\n<\/ul>\n\n\n\n<p>Update the SOA accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>export EDITOR=vim<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil edit-zone kifarunix-demo.com<\/code><\/pre>\n\n\n\n<p>We will only update the <a 
href=\"https:\/\/doc.powerdns.com\/authoritative\/settings.html#default-soa-content\" target=\"_blank\" rel=\"noreferrer noopener\">default-soa-content<\/a> name and hostmaster such that it may look like;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>; Warning - every name in this file is ABSOLUTE!\n$ORIGIN .\nkifarunix-demo.com      3600    IN      SOA     ns1.kifarunix-demo.com admin.kifarunix-demo.com 0 10800 3600 604800 3600<\/code><\/pre>\n\n\n\n<p>Save and exit the file and apply the changes.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>[Error] No NS record at zone apex in zone 'kifarunix-demo.com'\nChecked 1 records of 'kifarunix-demo.com', 1 errors, 0 warnings.\nThere was a problem with your zone\nOptions are: (e)dit your changes, (r)etry with original zone, (a)pply change anyhow, (q)uit: \na\nDetected the following changes:\n-kifarunix-demo.com 3600 IN SOA a.misconfigured.dns.server.invalid hostmaster.kifarunix-demo.com 0 10800 3600 604800 3600\n+kifarunix-demo.com 3600 IN SOA ns1.kifarunix-demo.com admin.kifarunix-demo.com 0 10800 3600 604800 3600\n\n(a)pply these changes, (e)dit again, (r)etry with original zone, (q)uit: a\nAdding empty non-terminals for non-DNSSEC zone 'kifarunix-demo.com', 1 updates\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-nameserver-ns-records\">Create Nameserver NS records<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil add-record kifarunix-demo.com @ NS 86400 ns1.kifarunix-demo.com<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"insert-a-records-for-the-nameserver\">Insert A Records for the Nameserver.<\/h4>\n\n\n\n<p>Replace the IPs accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil add-record kifarunix-demo.com ns1 A 120 192.168.58.22<\/code><\/pre>\n\n\n\n<p>Insert other systems A records;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil add-record kifarunix-demo.com news A 120 192.168.59.12<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil 
add-record kifarunix-demo.com mail A 120 192.168.57.25<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"insert-mx-records\">Insert MX records<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil add-record kifarunix-demo.com @ MX 120 \"10 mail.kifarunix-demo.com\"<\/code><\/pre>\n\n\n\n<p>So far so good. That is enough for our demo, and this is what our records look like;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil list-zone kifarunix-demo.com<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Nov 25 16:08:18 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed\n$ORIGIN .\nkifarunix-demo.com\t120\tIN\tMX\t10 mail.kifarunix-demo.com.\nkifarunix-demo.com\t86400\tIN\tNS\tns1.kifarunix-demo.com.\nkifarunix-demo.com\t3600\tIN\tSOA\tns1.kifarunix-demo.com admin.kifarunix-demo.com 0 10800 3600 604800 3600\nnews.kifarunix-demo.com\t120\tIN\tA\t192.168.59.12\nns1.kifarunix-demo.com\t120\tIN\tA\t192.168.58.22\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"verify-power-dns-forward-resolution\">Verify PowerDNS Forward Resolution<\/h4>\n\n\n\n<p>Once the records are populated into the DB, verify the PowerDNS resolution;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install dnsutils -y<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dig ns1.kifarunix-demo.com @127.0.0.1<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> ns1.kifarunix-demo.com @127.0.0.1\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63327\n;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n;; WARNING: recursion requested but not available\n\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags:; udp: 1232\n;; QUESTION SECTION:\n;ns1.kifarunix-demo.com.\t\tIN\tA\n\n;; ANSWER SECTION:\nns1.kifarunix-demo.com.\t120\tIN\tA\t192.168.58.22\n\n;; Query time: 2 msec\n;; SERVER: 127.0.0.1#53(127.0.0.1)\n;; WHEN: Thu Nov 25 16:09:03 EST 2021\n;; MSG 
SIZE  rcvd: 67\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dig MX kifarunix-demo.com @127.0.0.1<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> MX kifarunix-demo.com @127.0.0.1\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5092\n;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n;; WARNING: recursion requested but not available\n\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags:; udp: 1232\n;; QUESTION SECTION:\n;kifarunix-demo.com.\t\tIN\tMX\n\n;; ANSWER SECTION:\nkifarunix-demo.com.\t120\tIN\tMX\t10 mail.kifarunix-demo.com.\n\n;; Query time: 1 msec\n;; SERVER: 127.0.0.1#53(127.0.0.1)\n;; WHEN: Thu Nov 25 16:09:27 EST 2021\n;; MSG SIZE  rcvd: 68\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"creating-power-dns-reverse-zone-records\">Creating PowerDNS Reverse Zone Records<\/h3>\n\n\n\n<p>Create the reverse zone;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil create-zone 58.168.192.in-addr.arpa<\/code><\/pre>\n\n\n\n<p>Update the reverse zone SOA;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil list-zone 58.168.192.in-addr.arpa<\/code><\/pre>\n\n\n\n<p>Note that if you have multiple networks like <strong>192.168.58.x\/x<\/strong>, <strong>192.168.59.x\/x<\/strong>, <strong>192.168.57.x\/x<\/strong>, then you can just create a reverse zone like;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil create-zone 168.192.in-addr.arpa<\/code><\/pre>\n\n\n\n<p>Update the name and hostmaster so that they look as shown below.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil edit-zone 168.192.in-addr.arpa<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Nov 26 13:46:09 &#91;bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed\n$ORIGIN .\n168.192.in-addr.arpa\t3600\tIN\tSOA\tns1.kifarunix-demo.com admin.kifarunix.demo.com 0 10800 3600 604800 3600<\/code><\/pre>\n\n\n\n<h4 
class=\"wp-block-heading\" id=\"insert-ns-reverse-zone-record\">Insert NS Reverse Zone Record<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil add-record 168.192.in-addr.arpa @ NS 86400 ns1.kifarunix-demo.com<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"insert-ptr-records-for-ns\">Insert PTR Records for NS<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil add-record 168.192.in-addr.arpa 22.58 PTR 120 ns1.kifarunix-demo.com<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"insert-other-domains-ptr-records\">Insert Other Domains PTR Records<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil add-record 168.192.in-addr.arpa 12.59 PTR 120 news.kifarunix-demo.com<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil add-record 168.192.in-addr.arpa 25.57 PTR 120 mail.kifarunix-demo.com<\/code><\/pre>\n\n\n\n<p>Now the general reverse records look like;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pdnsutil list-zone 168.192.in-addr.arpa<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Nov 26 13:56:58 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed\n$ORIGIN .\n12.59.168.192.in-addr.arpa\t120\tIN\tPTR\tnews.kifarunix-demo.com\n168.192.in-addr.arpa\t86400\tIN\tNS\tns1.kifarunix-demo.com.\n168.192.in-addr.arpa\t3600\tIN\tSOA\tns1.kifarunix-demo.com admin.kifarunix.demo.com 0 10800 3600 604800 3600\n22.58.168.192.in-addr.arpa\t120\tIN\tPTR\tns1.kifarunix-demo.com\n25.57.168.192.in-addr.arpa\t120\tIN\tPTR\tmail.kifarunix-demo.com\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"verify-power-dns-reverse-resolution\">Verify PowerDNS Reverse Resolution<\/h4>\n\n\n\n<p>Exit the database and run the reverse DNS queries to confirm if all is well.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dig -x 192.168.58.22 @127.0.0.1<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> -x 192.168.58.22 @127.0.0.1\n;; global options: +cmd\n;; Got answer:\n;; 
->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15391\n;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n;; WARNING: recursion requested but not available\n\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags:; udp: 1232\n;; QUESTION SECTION:\n;22.58.168.192.in-addr.arpa.\tIN\tPTR\n\n;; ANSWER SECTION:\n22.58.168.192.in-addr.arpa. 120\tIN\tPTR\tns1.kifarunix-demo.com.\n\n;; Query time: 0 msec\n;; SERVER: 127.0.0.1#53(127.0.0.1)\n;; WHEN: Fri Nov 26 13:58:15 EST 2021\n;; MSG SIZE  rcvd: 91\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dig -x 192.168.57.25 @127.0.0.1<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> -x 192.168.57.25 @127.0.0.1\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10942\n;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n;; WARNING: recursion requested but not available\n\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags:; udp: 1232\n;; QUESTION SECTION:\n;25.57.168.192.in-addr.arpa.\tIN\tPTR\n\n;; ANSWER SECTION:\n25.57.168.192.in-addr.arpa. 
120\tIN\tPTR\tmail.kifarunix-demo.com.\n\n;; Query time: 1 msec\n;; SERVER: 127.0.0.1#53(127.0.0.1)\n;; WHEN: Fri Nov 26 14:00:30 EST 2021\n;; MSG SIZE  rcvd: 92\n<\/code><\/pre>\n\n\n\n<p>Magnificent!!!<\/p>\n\n\n\n<p>Note that all this can be easily done from the web, but that is a tutorial for another day.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"open-dns-port-on-ufw\">Open DNS Port on UFW<\/h3>\n\n\n\n<p>For remote hosts to be able to use PowerDNS for their name resolution, you need to open the DNS port 53\/UDP;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow from 192.168.0.0\/16 to any port 53 proto udp<\/code><\/pre>\n\n\n\n<p>This allows DNS queries from the 192.168.0.0\/16 subnet.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-dns-server-on-client-systems\">Configure DNS Server on Client Systems<\/h3>\n\n\n\n<p>For testing purposes, overwrite your&nbsp;<strong><code>\/etc\/resolv.conf<\/code><\/strong>&nbsp;file with the PowerDNS nameserver entry.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo \"nameserver 192.168.58.22\" &gt; \/etc\/resolv.conf<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"verify-client-forward-dns-resolution\">Verify Client Forward DNS Resolution<\/h4>\n\n\n\n<p>Next, perform DNS resolution using any of the DNS utilities.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dig news.kifarunix-demo.com<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n; <<>> DiG 9.16.22-Debian <<>> news.kifarunix-demo.com\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27385\n;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n;; WARNING: recursion requested but not available\n\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags:; udp: 1232\n;; QUESTION SECTION:\n;news.kifarunix-demo.com.\tIN\tA\n\n;; ANSWER SECTION:\nnews.kifarunix-demo.com. 
120\tIN\tA\t192.168.59.12\n\n;; Query time: 4 msec\n;; SERVER: 192.168.58.22#53(192.168.58.22)\n;; WHEN: Fri Nov 26 00:39:56 EAT 2021\n;; MSG SIZE  rcvd: 68\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"verify-client-reverse-dns-resolution\">Verify Client Reverse DNS Resolution<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>dig -x 192.168.58.22 +short<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ns1.kifarunix-demo.com.<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>nslookup 192.168.58.22<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>22.58.168.192.in-addr.arpa\tname = ns1.kifarunix-demo.com.<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>host 192.168.58.22<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>22.58.168.192.in-addr.arpa domain name pointer ns1.kifarunix-demo.com.<\/code><\/pre>\n\n\n\n<p>For now, that is how simple it is to install and configure PowerDNS on Debian.<\/p>\n\n\n\n<p>Learn how to manage PowerDNS using a web tool called PowerDNS Admin by following the link below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/easily-install-powerdns-admin-on-debian-11-debian-10\/\" target=\"_blank\" rel=\"noreferrer noopener\">Easily Install PowerDNS Admin on Debian 11\/Debian 10<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"other-tutorials\">Other Tutorials<\/h2>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-openvpn-clients-to-use-specific-dns-server\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure OpenVPN Clients to use specific DNS Server<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-bind-dns-server-using-webmin-on-debian-11\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure BIND DNS Server using Webmin on Debian 11<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-setup-bind-dns-server-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup BIND DNS server on Rocky Linux 
8<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This tutorial is about how to easily install and setup PowerDNS on Debian 11\/Debian 10. PowerDNS \u201cis a premier supplier of open source DNS software,<\/p>\n","protected":false},"author":1,"featured_media":9314,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,971,972],"tags":[1039,3958,4303,4304,4305,4307,4306,4308,974],"class_list":["post-10995","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-dns","category-powerdns","tag-debian-10-buster","tag-debian-11","tag-easily-install-and-setup-powerdns-on-debian-11-debian-10","tag-install-powerdns-on-debian-10","tag-install-powerdns-on-debian-11","tag-pdnsutil-add-ns-record","tag-pdnsutil-add-record-mx","tag-pdnsutil-create-zone","tag-powerdns","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/10995"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=10995"}],"version-history":[{"count":12,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/10995\/revisions"}],"predecessor-version":[{"id":21603,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/10995\/revisions\/21603"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/9314"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=10995"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2
\/categories?post=10995"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=10995"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}