tube-sandbox-docs/pdns-server_notes.md

# installing and configuring PowerDNS for use as an authoritative server on a private network
## ubuntu 20.04 on raspberry pi 4 edition
## updated 2021-03-13 by sundog <sundog@reclaim.technology>
# overview
the goal of this exercise is to set up an authoritative domain name server that listens on a VPN interface and provides lookups for custom private domains to VPN clients. to accomplish this goal, I will be installing PowerDNS' authoritative server on a raspberry pi 4 running ubuntu 20.04 that was [previously configured as a wireguard VPN server](./wg-portal_notes.md).
# initial test network configuration
the server needs to listen on 10.42.1.1:53 and provide name resolution for hosts in the .sundogistan top-level domain. see the aforementioned wireguard server setup notes for more details about the VPN configuration; this document will be concentrating solely on the configuration of the DNS server.
# setting up prerequisites
## installing the powerdns authoritative server
as PowerDNS' debian/ubuntu repositories do not provide arm64 packages, I will be using the ubuntu packages, currently at version 4.2.1-1.
```
sudo apt install -y pdns-server pdns-backend-sqlite3
```
## configuring pdns
the service won't start because the default configuration doesn't launch a backend, so we need to change that.
as root, create `/etc/powerdns/pdns.d/gsqlite3.conf` with the following content:
```
launch=gsqlite3
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
local-address=10.42.1.1
webserver=true
api=true
api-key=**addSomeUniquePreSharedAPIKeyForYourself**
```
then remove the default bind backend fragment: `sudo rm /etc/powerdns/pdns.d/bind.conf`
now we're ready to set up the sqlite database itself:
```
sudo apt install -y sqlite3 # oops, almost forgot
sudo sqlite3 /var/lib/powerdns/pdns.sqlite3 < /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
sudo chown -R pdns:pdns /var/lib/powerdns
sudo systemctl start pdns
```
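the api-key above is a placeholder that has to be replaced with a real pre-shared secret before the api is enabled, and local-address decides which interfaces the DNS and web api end up reachable on. the following is an added example (not part of the original notes) that generates a random key, writes the same six settings shown above, and checks the result for the mistakes that matter: a placeholder or short api-key, and a wildcard local-address that would expose the server beyond the VPN. `PDNS_CONF`, `gen_api_key`, `write_pdns_conf` and `check_pdns_conf` are names assumed here for the example; the real target file is `/etc/powerdns/pdns.d/gsqlite3.conf`.

```shell
# Added example, not from the original notes or from PowerDNS itself.
# PDNS_CONF is an assumed variable so the functions can target a scratch file;
# the real file is /etc/powerdns/pdns.d/gsqlite3.conf.
set -eu

# 32 random bytes, hex-encoded: a 64-character pre-shared API key.
gen_api_key() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Write the same six settings the notes use, substituting a real key.
# $1 = path to write, $2 = api key, $3 = VPN listen address
write_pdns_conf() {
    cat > "$1" <<EOF
launch=gsqlite3
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
local-address=$3
webserver=true
api=true
api-key=$2
EOF
}

# Return 0 if the config looks sane, 1 otherwise (reason printed to stdout).
check_pdns_conf() {
    conf="$1"
    key=$(sed -n 's/^api-key=//p' "$conf")
    addr=$(sed -n 's/^local-address=//p' "$conf")
    # The api-key must not be the placeholder from the notes, and should be long.
    case "$key" in
        ''|*addSomeUnique*) echo "api-key missing or still the placeholder"; return 1 ;;
    esac
    if [ "${#key}" -lt 32 ]; then
        echo "api-key too short"; return 1
    fi
    # An authoritative server for VPN clients should listen on the VPN address
    # only, never on a wildcard, so DNS and the web API are not reachable elsewhere.
    case "$addr" in
        ''|0.0.0.0|::) echo "local-address must be the VPN address, not a wildcard"; return 1 ;;
    esac
    grep -q '^launch=gsqlite3$' "$conf" || { echo "launch=gsqlite3 missing"; return 1; }
    return 0
}

# Usage: PDNS_CONF=/tmp/gsqlite3.conf sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    target="${PDNS_CONF:-/etc/powerdns/pdns.d/gsqlite3.conf}"
    key=$(gen_api_key)
    write_pdns_conf "$target" "$key" 10.42.1.1
    check_pdns_conf "$target" && echo "wrote $target with api-key $key"
fi
```

the same `gen_api_key` output works for the salt and secret key that powerdns-admin's `local_config.py` asks for later; keep the api key somewhere safe, because it is all the admin app needs to rewrite every zone on the server.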
if all goes well, running `sudo systemctl status pdns` should show an active running status.
let's query it:
```
sudo apt install -y dnsutils # provides dig
dig a www.example.com @10.42.1.1
```
hopefully you get back an answer with status: REFUSED, since we haven't set up any zones yet (and certainly not example.com); as long as the server responds at all, it's running!
my partially truncated output:
```
root@bbs:~# dig a www.example.com @10.42.1.1
; <<>> DiG 9.16.1-Ubuntu <<>> a www.example.com @10.42.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 58344
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
```
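two things in that output are worth checking on every fresh install, not just eyeballing once: the rcode (REFUSED is what an authoritative server with no matching zone should say), and the flags field, which shows `qr rd` but no `ra`. an authoritative-only server should never advertise recursion; if `ra` ever shows up on the VPN address, something on that address is acting as an open resolver for your clients. the following is an added example (not part of the original notes) with small shell helpers that extract both fields from dig output; the sample input is the output above, embedded as a constructed heredoc, and `dig_status`, `dig_flags`, `check_no_recursion` and `sample_dig_output` are names assumed for the example.

```shell
# Added example, not from the original notes. Parses dig output (on stdin or
# from a file) for the rcode and the header flags, and flags any server that
# advertises recursion ("ra").

# Constructed sample: the truncated dig output from the notes.
sample_dig_output() {
    cat <<'EOF'
; <<>> DiG 9.16.1-Ubuntu <<>> a www.example.com @10.42.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 58344
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
EOF
}

# Print the rcode (NOERROR, REFUSED, NXDOMAIN, ...) from dig output on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# Print the flags field ("qr rd", "qr aa rd", ...) from dig output on stdin.
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'
}

# Return 0 if the answering server does not advertise recursion, 1 if the
# "ra" flag is present. $1 = file containing dig output.
check_no_recursion() {
    flags=$(dig_flags < "$1")
    for f in $flags; do
        case "$f" in
            ra) return 1 ;;
        esac
    done
    return 0
}

# Usage against a live server (assumes dig is installed):
#   dig a www.example.com @10.42.1.1 > /tmp/dig.out
#   dig_status < /tmp/dig.out; check_no_recursion /tmp/dig.out && echo "no recursion"
```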
at this point I could start using `pdnsutil` to create a zone and populate it with some records and such, but I'm in this for the long haul and I also am lazy and like web-based interfaces, so I'm going to proceed and set up [PowerDNS-Admin](https://github.com/ngoduykhanh/PowerDNS-Admin) which provides exactly that web-based interface I'm looking for.
# installing and configuring powerdns-admin
first we'll need a bunch more prereqs:
```
sudo apt install -y python3-dev libsasl2-dev libldap2-dev libssl-dev libxml2-dev libxslt1-dev libxmlsec1-dev libffi-dev pkg-config apt-transport-https virtualenv build-essential libmysqlclient-dev
# and nodejs too
curl -sL https://deb.nodesource.com/setup_10.x | sudo bash -
curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
sudo apt update && sudo apt install -y nodejs yarn
```
now it's time to clone the repo and set some stuff up
might as well be root!
```
sudo -i
git clone https://github.com/ngoduykhanh/PowerDNS-Admin /opt/web/powerdns-admin
cd /opt/web/powerdns-admin
virtualenv -p python3 flask
source ./flask/bin/activate
pip install -r requirements.txt
```
that should leave us ready to get it up and going
# running powerdns-admin
first we need to get some database stuff set up
```
cp ./powerdnsadmin/default_config.py ./powerdnsadmin/local_config.py
```
edit that new `local_config.py`
- switch up the salt and secret key
- set the bind address to the VPN interface address (in my examples 10.42.1.1)
- comment out the mysql database uri
- uncomment the sqlite database uri
then save the file.
back at the root virtualenv shell:
```
# use our new config
export FLASK_CONF=local_config.py
# do the initial database migration
export FLASK_APP=powerdnsadmin/__init__.py
flask db upgrade
# generate web asset files
yarn install --pure-lockfile
flask assets build
```
at this point we should be able to `./run.py` and have the web application start at http://10.42.1.1:9191
~~there's a big **TODO** sitting right here to walk through the configuration of connecting the admin web app to the actual pdns server's api, but that will be in the next revision so I can get this committed. more soon.~~
*note: I had to go back and revise the /etc/powerdns/pdns.d/gsqlite3.conf above to enable the webserver and api server in order to continue, so if you did this before the above todo was crossed out then double check that file's contents please.*
use the link to create an account, as the first account created will be the administrator.
once you've logged in, it will complain about needing some config
the api url should be `http://localhost:8081`
the api key is the same one you added in the pdns config file earlier.
go ahead and update the settings and voila, you are the proud operator of a web-administered authoritative DNS server for your VPN clients. congrats!