From 7014e8f7add83e2adceb0354f81fb1ac809b332c Mon Sep 17 00:00:00 2001 From: Sundog Date: Sat, 13 Mar 2021 15:45:04 -0800 Subject: [PATCH] added initial walkthrough for setting up authoritative dns server --- pdns-server_notes.md | 131 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 131 insertions(+) create mode 100644 pdns-server_notes.md diff --git a/pdns-server_notes.md b/pdns-server_notes.md new file mode 100644 index 0000000..08f99ba --- /dev/null +++ b/pdns-server_notes.md 
@@ -0,0 +1,131 @@ +# installing and configuring PowerDNS for use as an authoritative server on a private network +## ubuntu 20.04 on raspberry pi 4 edition +## updated 2021-03-13 by sundog + +# overview + +the goal of this exercise is to set up an authoritative domain name server that listens on a VPN interface and provides lookups for custom private domains to VPN clients. to accomplish this goal, I will be installing PowerDNS' authoritative server on a raspberry pi 4 running ubuntu 20.04 that was [previously configured as a wireguard VPN server](./wg-portal_notes.md). + +# initial test network configuration + +the server needs to listen on 10.42.1.1:53 and provide name resolution for hosts in the .sundogistan top-level domain. see the aforementioned wireguard server setup notes for more details about the VPN configuration; this document will be concentrating solely on the configuration of the DNS server. + +# setting up prerequisites +## installing the powerdns authoritative server + +as PowerDNS' debian/ubuntu repositories do not provide arm64 packages I will be using the ubuntu versions, currently at 4.2.1-1 + +``` +sudo apt install -y pdns-server pdns-backend-sqlite3 + +``` + +## configuring pdns +the service won't start because the configuration isn't set up to use the backend, so we need to change that. + +as root, edit `/etc/powerdns/pdns.d/` and add the following content: + +``` +launch=gsqlite3 +gsqlite3-database=/var/lib/powerdns/pdns.sqlite3 +local-address=10.42.1.1 +``` + +then `sudo rm /etcpowerdns/pdns.d/bind.conf` + +now we're ready to set up the sqlite database itself: + +``` +sudo apt install -y sqlite3 # oops, almost forgot +sudo sqlite3 /var/lib/powerdns/pdns.sqlite3 < /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql +sudo chown -R pdns:pdns /var/lib/powerdns +sudo systemctl start pdns +``` + +if all goes well, running `sudo systemctl status pdns` should show an active running status. 
+ +let's query it: + +``` +sudo apt install -y net-tools +dig a www.example.com @10.42.1.1 +``` + +hopefully you get back an answer with status: REFUSED because we haven't set up any zones yet, and definitely not the example.com zone, but if it responds then it's running! + +my partially truncated output: + +``` +root@bbs:~# dig a www.example.com @10.42.1.1 + +; <<>> DiG 9.16.1-Ubuntu <<>> a www.example.com @10.42.1.1 +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 58344 +;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 +;; WARNING: recursion requested but not available + +``` + +at this point I could start using `pdnsutil` to create a zone and populate it with some records and such, but I'm in this for the long haul and I also am lazy and like web-based interfaces, so I'm going to proceed and set up [PowerDNS-Admin](https://github.com/ngoduykhanh/PowerDNS-Admin) which provides exactly that web-based interface I'm looking for. + +# installing and configuring powerdns-admin + +first we'll need a bunch more prereqs: + +``` +sudo apt install -y python3-dev libsasl2-dev libldap2-dev libssl-dev libxml2-dev libxslt1-dev libxmlsec1-dev libffi-dev pkg-config apt-transport-https virtualenv build-essential libmysqlclient-dev +# and nodejs too +curl -sL https://deb.nodesource.com/setup_10.x | sudo bash - +curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add - +echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list +sudo apt update && sudo apt install -y nodejs yarn +``` + +now it's time to clone the repo and set some stuff up +might as well be root! 
+ +``` +sudo -i +git clone https://github.com/ngoduykhanh/PowerDNS-Admin /opt/web/powerdns-admin +cd /opt/web/powerdns-admin +virtualenv -p python3 flask +source ./flask/bin/activate +pip install -r requirements +``` + +that should leave us ready to get it up and going + +# running powerdns-admin + +first we need to get some database stuff set up + +``` +cp ./powerdnsadmin/default_config.py ./powerdnsadmin/local_config.py +``` + +edit that new `local_config.py` + +- switch up the salt and secret key +- set the bind address to the VPN interface address (in my examples 10.42.1.1) +- comment out the mysql database uri +- uncomment the sqlite databse uri + +then save the file. + +back at the root virtualenv shell: + +``` +# use our new config +export FLASK_CONF=local_config.py +# do the initial database migration +export FLASK_APP=powerdnsadmin/__init__.py +flask db upgrade +# generate web asset files +yarn install --pure-lockfile +flask assets build +``` + +at this point we should be able to `./run.py` and have the web application start at http://10.42.1.1:9191 + +there's a big **TODO** sitting right here to walk through the configuration of connecting the admin web app to the actual pdns server's api, but that will be in the next revision so I can get this committed. more soon.
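Review bot: in the "configuring pdns" section the edit target `/etc/powerdns/pdns.d/` is a directory, not a file; the step should name a file in that directory with a `.conf` suffix (PowerDNS only loads `*.conf` from its include directory), otherwise `launch=gsqlite3` is never read and the service still fails to start, and the following `sudo rm /etcpowerdns/pdns.d/bind.conf` is missing the slash after `/etc`. Two smaller correctness points: `net-tools` does not ship `dig` (on Ubuntu 20.04 it comes from `dnsutils`), and `pip install -r requirements` should point at the repository's `requirements.txt`, so verify the file name against the checkout. On the operational side, the "running powerdns-admin" section starts the web app with `./run.py` from a `sudo -i` root shell, which leaves a network-facing Flask application running as root; consider creating a dedicated unprivileged user that owns `/opt/web/powerdns-admin` and its sqlite database, running the app under it (a systemd unit would also fix the start-on-boot gap), and restricting `local_config.py` to that user since it will hold the secret key, salt and later the PDNS API key. The `curl -sL ... | sudo bash -` line for nodesource executes unverified remote content as root; fetching the script, checking it, and then running it (or adding the repository and signing key manually) is the safer pattern, and `apt-key add` is deprecated in favour of a keyring file under `/etc/apt/keyrings`.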