# installing and configuring PowerDNS for use as an authoritative server on a private network
## ubuntu 20.04 on raspberry pi 4 edition
## updated 2021-03-13 by sundog <sundog@reclaim.technology>

# overview

the goal of this exercise is to set up an authoritative domain name server that listens on a VPN interface and provides lookups for custom private domains to VPN clients. to accomplish this goal, I will be installing PowerDNS' authoritative server on a raspberry pi 4 running ubuntu 20.04 that was [previously configured as a wireguard VPN server](./wg-portal_notes.md).

# initial test network configuration

the server needs to listen on 10.42.1.1:53 and provide name resolution for hosts in the .sundogistan top-level domain. see the aforementioned wireguard server setup notes for more details about the VPN configuration; this document will be concentrating solely on the configuration of the DNS server.

# setting up prerequisites
## installing the powerdns authoritative server

as PowerDNS' debian/ubuntu repositories do not provide arm64 packages I will be using the ubuntu versions, currently at 4.2.1-1

```
sudo apt install -y pdns-server pdns-backend-sqlite3
```

## configuring pdns
the service won't start because the configuration isn't set up to use the backend, so we need to change that.

as root, edit `/etc/powerdns/pdns.d/` and add the following content:

```
launch=gsqlite3
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
local-address=10.42.1.1
```

then `sudo rm /etc/powerdns/pdns.d/bind.conf`

now we're ready to set up the sqlite database itself:

```
sudo apt install -y sqlite3 # oops, almost forgot
sudo sqlite3 /var/lib/powerdns/pdns.sqlite3 < /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
sudo chown -R pdns:pdns /var/lib/powerdns
sudo systemctl start pdns
```

if all goes well, running `sudo systemctl status pdns` should show an active running status.

let's query it:

```
sudo apt install -y dnsutils  # provides dig
dig a www.example.com @10.42.1.1
```

hopefully you get back an answer with status: REFUSED because we haven't set up any zones yet, and definitely not the example.com zone, but if it responds then it's running!

my partially truncated output:

```
root@bbs:~# dig a www.example.com @10.42.1.1

; <<>> DiG 9.16.1-Ubuntu <<>> a www.example.com @10.42.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 58344
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
```
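
the same check as the dig run above, done at the wire level: this is an added example (not part of the original notes) that decodes the 12-byte DNS header and confirms the server refuses out-of-zone queries without offering recursion. the function names and `SAMPLE_HEADER` are made up for illustration; the sample bytes are constructed to match the dig output shown above.

```python
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid, qtype=1):
    """Build a one-question DNS query (QTYPE 1 = A, class IN) with the RD flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(packet):
    """Decode the fixed 12-byte DNS header into the fields dig prints."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),  # response bit
        "rd": bool(flags & 0x0100),  # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),  # recursion available
        "status": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "counts": (qd, an, ns, ar),
    }

def refuses_without_recursion(hdr):
    """True when the reply is REFUSED, carries no answers and does not offer recursion."""
    return (hdr["qr"] and hdr["status"] == "REFUSED"
            and not hdr["ra"] and hdr["counts"][1] == 0)

def probe(server, name="www.example.com", timeout=3.0):
    """Send one UDP query to server:53 and return the parsed response header."""
    qid = secrets.randbelow(1 << 16)  # unpredictable query id
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        hdr = parse_header(sock.recvfrom(512)[0])
    if hdr["id"] != qid:
        raise ValueError("response id does not match query id")
    return hdr

# Constructed sample: header bytes equivalent to the dig output above
# (id 58344, flags qr rd, status REFUSED, QUERY 1, ANSWER 0, AUTHORITY 0, ADDITIONAL 1).
SAMPLE_HEADER = struct.pack("!HHHHHH", 58344, 0x8105, 1, 0, 0, 1)

if __name__ == "__main__":
    print(refuses_without_recursion(parse_header(SAMPLE_HEADER)))
```
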
at this point I could start using `pdnsutil` to create a zone and populate it with some records and such, but I'm in this for the long haul and I also am lazy and like web-based interfaces, so I'm going to proceed and set up [PowerDNS-Admin](https://github.com/ngoduykhanh/PowerDNS-Admin) which provides exactly that web-based interface I'm looking for.

# installing and configuring powerdns-admin

first we'll need a bunch more prereqs:

```
sudo apt install -y python3-dev libsasl2-dev libldap2-dev libssl-dev libxml2-dev libxslt1-dev libxmlsec1-dev libffi-dev pkg-config apt-transport-https virtualenv build-essential libmysqlclient-dev
# and nodejs too
curl -sL https://deb.nodesource.com/setup_10.x | sudo bash -
curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
sudo apt update && sudo apt install -y nodejs yarn
```

now it's time to clone the repo and set some stuff up
might as well be root!

```
sudo -i
git clone https://github.com/ngoduykhanh/PowerDNS-Admin /opt/web/powerdns-admin
cd /opt/web/powerdns-admin
virtualenv -p python3 flask
source ./flask/bin/activate
pip install -r requirements.txt
```

that should leave us ready to get it up and going

# running powerdns-admin

first we need to get some database stuff set up

```
cp ./powerdnsadmin/default_config.py ./powerdnsadmin/local_config.py
```

edit that new `local_config.py`

- switch up the salt and secret key
- set the bind address to the VPN interface address (in my examples 10.42.1.1)
- comment out the mysql database uri
- uncomment the sqlite database uri

then save the file.
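
a quick way to confirm those edits took, as an added example that is not part of PowerDNS-Admin or the original notes: it compares the text of `local_config.py` against `default_config.py` without executing either file. the setting names `SALT`, `SECRET_KEY` and `BIND_ADDRESS` are assumed to match the shipped config, and the sample contents are constructed placeholders.

```python
import ast

# Setting names assumed to match PowerDNS-Admin's default_config.py.
SECRET_SETTINGS = ("SALT", "SECRET_KEY")

def load_settings(source):
    """Return {NAME: value} for top-level literal assignments, without running the file."""
    settings = {}
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                settings[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # computed values such as os.path.join(...) are skipped
    return settings

def audit(default_src, local_src, vpn_addr):
    """Compare local_config.py text against default_config.py text; return findings."""
    default, local = load_settings(default_src), load_settings(local_src)
    findings = []
    for key in SECRET_SETTINGS:
        if key not in local:
            findings.append(f"{key} is not set")
        elif local[key] == default.get(key):
            findings.append(f"{key} still has the shipped default value")
    bind = local.get("BIND_ADDRESS")
    if bind != vpn_addr:
        findings.append(f"BIND_ADDRESS is {bind!r}, expected {vpn_addr!r}")
    return findings

# Constructed samples with placeholder values (not the project's real defaults).
DEFAULT_SAMPLE = """
SALT = 'placeholder-default-salt'
SECRET_KEY = 'placeholder-default-key'
BIND_ADDRESS = '0.0.0.0'
"""
LOCAL_UNFINISHED = """
SALT = 'placeholder-default-salt'
SECRET_KEY = 'placeholder-new-key'
BIND_ADDRESS = '0.0.0.0'
"""
LOCAL_DONE = LOCAL_UNFINISHED.replace("default-salt", "new-salt").replace("0.0.0.0", "10.42.1.1")

if __name__ == "__main__":
    for line in audit(DEFAULT_SAMPLE, LOCAL_UNFINISHED, "10.42.1.1"):
        print("FINDING:", line)
```
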
back at the root virtualenv shell:

```
# use our new config
export FLASK_CONF=local_config.py
# do the initial database migration
export FLASK_APP=powerdnsadmin/__init__.py
flask db upgrade
# generate web asset files
yarn install --pure-lockfile
flask assets build
```

at this point we should be able to `./run.py` and have the web application start at http://10.42.1.1:9191

there's a big **TODO** sitting right here to walk through the configuration of connecting the admin web app to the actual pdns server's api, but that will be in the next revision so I can get this committed. more soon.