tube-sandbox-docs/pdns-server_notes.md

# installing and configuring PowerDNS for use as an authoritative server on a private network
## ubuntu 20.04 on raspberry pi 4 edition
## updated 2021-03-13 by sundog <sundog@reclaim.technology>
# overview
the goal of this exercise is to set up an authoritative domain name server that listens on a VPN interface and provides lookups for custom private domains to VPN clients. to accomplish this goal, I will be installing PowerDNS' authoritative server on a raspberry pi 4 running ubuntu 20.04 that was [previously configured as a wireguard VPN server](./wg-portal_notes.md).
# initial test network configuration
the server needs to listen on 10.42.1.1:53 and provide name resolution for hosts in the .sundogistan top-level domain. see the aforementioned wireguard server setup notes for more details about the VPN configuration; this document will be concentrating solely on the configuration of the DNS server.
# setting up prerequisites
## installing the powerdns authoritative server
as PowerDNS' debian/ubuntu repositories do not provide arm64 packages, I will be using the ubuntu versions, currently at 4.2.1-1
```
sudo apt install -y pdns-server pdns-backend-sqlite3
```
## configuring pdns
the service won't start because the configuration isn't set up to use the backend, so we need to change that.
as root, create a new file in `/etc/powerdns/pdns.d/` (pdns loads every file ending in `.conf` from that directory; the name `gsqlite3.conf` used here is just a choice) with the following content:
```
launch=gsqlite3
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
local-address=10.42.1.1
```
`local-address` is the important line: without it pdns binds 0.0.0.0, so it would answer on the pi's LAN interface as well instead of only on the VPN address.
then remove the package's bind backend fragment so only the sqlite backend gets launched: `sudo rm /etc/powerdns/pdns.d/bind.conf`
now we're ready to set up the sqlite database itself:
```
sudo apt install -y sqlite3 # oops, almost forgot
sudo sqlite3 /var/lib/powerdns/pdns.sqlite3 < /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
sudo chown -R pdns:pdns /var/lib/powerdns
sudo systemctl start pdns
```
if all goes well, running `sudo systemctl status pdns` should show an active running status.
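as an added example (not from the original notes and not a PowerDNS tool), here is a small python audit of pdns config fragments like the one above. it parses the `key=value` syntax pdns uses, including the `launch+=bind` form Debian's `pdns.d/bind.conf` uses, and flags a fragment that would bind every interface, leave the bind backend launched, or forget the database path. the sample fragments are constructed; the `10.42.1.0/24` VPN range is assumed from the 10.42.1.1 address in these notes.

```python
"""Added example, not from the original notes or from PowerDNS itself:
audit pdns authoritative config fragments (e.g. /etc/powerdns/pdns.d/*.conf)
for settings that would undo the "listen only on the VPN" intent.
All sample fragments below are constructed for this example."""
import ipaddress
from typing import Dict, List

# When local-address is unset, pdns 4.2 binds 0.0.0.0, i.e. every
# interface of the pi, not just the wireguard one.
PDNS_DEFAULT_LOCAL_ADDRESS = "0.0.0.0"


def parse_pdns_conf(text: str) -> Dict[str, List[str]]:
    """Parse pdns.conf-style text into {key: [values]}.

    Handles '#' comments, 'key=value' (replaces earlier values) and
    'key+=value' (appends, the form Debian's pdns.d/bind.conf uses for
    launch+=bind). Comma-separated values such as
    'local-address=10.42.1.1, 127.0.0.1' become separate entries.
    """
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        values = [v.strip() for v in value.split(",") if v.strip()]
        if key.endswith("+"):
            settings.setdefault(key[:-1].strip(), []).extend(values)
        else:
            settings[key] = values
    return settings


def audit(text: str, allowed_networks: List[str],
          backend: str = "gsqlite3") -> List[str]:
    """Return findings; an empty list means: exactly the wanted backend,
    its database path set, and every listener inside allowed_networks."""
    cfg = parse_pdns_conf(text)
    findings: List[str] = []

    launched = cfg.get("launch", [])
    if backend not in launched:
        findings.append(f"launch does not include {backend}")
    for extra in launched:
        if extra != backend:
            findings.append(f"unexpected backend launched: {extra}"
                            " (leftover pdns.d/bind.conf?)")
    if backend == "gsqlite3" and not cfg.get("gsqlite3-database"):
        findings.append("gsqlite3-database is not set")

    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    for addr in cfg.get("local-address", [PDNS_DEFAULT_LOCAL_ADDRESS]):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"local-address {addr!r} is not an IP literal")
            continue
        if ip.is_unspecified:
            findings.append(f"local-address {ip} binds every interface")
        elif not any(ip in net for net in nets):
            findings.append(f"local-address {ip} is outside the VPN ranges")
    return findings


# Constructed: a fragment that forgot local-address, with the package's
# bind.conf still in place (its two lines appended here for illustration).
WEAK_CONF = """
launch=gsqlite3
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
# pdns.d/bind.conf as shipped by the package:
launch+=bind
bind-config=/etc/powerdns/bind.conf
"""

# Constructed: the fragment from these notes, bind.conf removed.
VPN_ONLY_CONF = """
launch=gsqlite3
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
local-address=10.42.1.1
"""

VPN_NETWORKS = ["10.42.1.0/24"]  # assumed from the 10.42.1.1 address

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("vpn-only", VPN_ONLY_CONF)):
        print(name, audit(conf, VPN_NETWORKS) or ["ok"])
```

run it against the real tree with the files concatenated, e.g. `cat /etc/powerdns/pdns.conf /etc/powerdns/pdns.d/*.conf`, since pdns merges them in that order.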
let's query it:
```
sudo apt install -y dnsutils # dig lives here, not in net-tools
dig a www.example.com @10.42.1.1
```
hopefully you get back an answer with status: REFUSED, because we haven't set up any zones yet (and definitely not the example.com zone): an authoritative server refuses queries for zones it doesn't hold instead of recursing, which is also why dig warns that recursion is not available. if it responds at all then it's running!
my partially truncated output:
```
root@bbs:~# dig a www.example.com @10.42.1.1
; <<>> DiG 9.16.1-Ubuntu <<>> a www.example.com @10.42.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 58344
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
```
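to see what that REFUSED answer is on the wire, here is an added python example (not from the original notes) that builds the same A query dig sends and decodes the response header into the fields dig prints, so the check "up, not recursing, refusing unknown zones" can be scripted. the response bytes are constructed to match the output above (id 58344, flags qr rd, rcode REFUSED, one additional record); `send_query()` is the only part that touches the network, and the OPT record UDP size of 1232 is just a value chosen here.

```python
"""Added example, not from the original notes: build a DNS A query and
decode a response header the way dig prints it. SAMPLE_REFUSED is
constructed to match the dig output in the notes."""
import socket
import struct
from typing import Dict

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPE_A = 1
QCLASS_IN = 1
QTYPE_OPT = 41


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txn_id: int, rd: bool = True) -> bytes:
    """Standard query: 12-byte header + one question, no EDNS."""
    flags = 0x0100 if rd else 0          # RD bit: what dig sets by default
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(resp: bytes) -> Dict[str, object]:
    """Decode the header into the fields dig shows (id, flags, counts)."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txn_id,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(resp: bytes, sent_id: int) -> str:
    """Summarise a response the way the notes interpret dig's output."""
    h = parse_header(resp)
    if h["id"] != sent_id or not h["qr"]:
        return "not a response to our query"
    if h["ra"]:
        return "server offers recursion: this is not an authoritative-only setup"
    if h["rcode"] == "REFUSED":
        return "REFUSED: server is up but does not serve this zone"
    if h["aa"]:
        return f"authoritative answer, {h['ancount']} record(s)"
    return f"{h['rcode']}, non-authoritative"


def send_query(name: str, server: str, txn_id: int,
               timeout: float = 2.0) -> bytes:
    """Send the query over UDP/53 (e.g. to 10.42.1.1) and return the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txn_id), (server, 53))
        data, _ = s.recvfrom(4096)
    return data


# Constructed to match the dig output: id 58344, flags qr rd with
# rcode REFUSED -> 0x8105, QUERY 1, ANSWER 0, AUTHORITY 0, ADDITIONAL 1.
# The additional record is an EDNS OPT pseudo-record (root name, type 41,
# UDP size 1232 chosen here, TTL field 0, no rdata).
SAMPLE_REFUSED = (
    struct.pack("!HHHHHH", 58344, 0x8105, 1, 0, 0, 1)
    + encode_name("www.example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 1232, 0, 0)
)

if __name__ == "__main__":
    print(parse_header(SAMPLE_REFUSED))
    print(classify(SAMPLE_REFUSED, 58344))
```

`classify(send_query("www.example.com", "10.42.1.1", 58344), 58344)` against the real server should give the REFUSED line; if it ever reports recursion available, something other than the authoritative server is answering on that address.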
at this point I could start using `pdnsutil` to create a zone and populate it with some records and such, but I'm in this for the long haul and I also am lazy and like web-based interfaces, so I'm going to proceed and set up [PowerDNS-Admin](https://github.com/ngoduykhanh/PowerDNS-Admin) which provides exactly that web-based interface I'm looking for.
# installing and configuring powerdns-admin
first we'll need a bunch more prereqs:
```
sudo apt install -y python3-dev libsasl2-dev libldap2-dev libssl-dev libxml2-dev libxslt1-dev libxmlsec1-dev libffi-dev pkg-config apt-transport-https virtualenv build-essential libmysqlclient-dev
# and nodejs too
# (this fetches nodesource's setup script and runs it as root; download it and read it first if you'd rather not pipe it straight into bash)
curl -sL https://deb.nodesource.com/setup_10.x | sudo bash -
curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
sudo apt update && sudo apt install -y nodejs yarn
```
now it's time to clone the repo and set some stuff up
might as well be root!
```
sudo -i
git clone https://github.com/ngoduykhanh/PowerDNS-Admin /opt/web/powerdns-admin
cd /opt/web/powerdns-admin
virtualenv -p python3 flask
source ./flask/bin/activate
pip install -r requirements.txt
```
that should leave us ready to get it up and going
# running powerdns-admin
first we need to get some database stuff set up
```
cp ./powerdnsadmin/default_config.py ./powerdnsadmin/local_config.py
```
edit that new `local_config.py`
- switch up the salt and secret key
- set the bind address to the VPN interface address (in my examples 10.42.1.1)
- comment out the mysql database uri
- uncomment the sqlite database uri
then save the file.
back at the root virtualenv shell:
```
# use our new config
export FLASK_CONF=local_config.py
# do the initial database migration
export FLASK_APP=powerdnsadmin/__init__.py
flask db upgrade
# generate web asset files
yarn install --pure-lockfile
flask assets build
```
at this point we should be able to `./run.py` and have the web application start at http://10.42.1.1:9191
there's a big **TODO** sitting right here to walk through the configuration of connecting the admin web app to the actual pdns server's api, but that will be in the next revision so I can get this committed. more soon.