DNS Deployment Guide

    Deploying PowerDNS on RamNode VPS

    PowerDNS is a high-performance, open-source DNS server written in C++ that supports multiple database backends. This guide covers installing PowerDNS Authoritative Server with a MariaDB backend, including DNSSEC configuration and REST API setup for zone management.

    Ubuntu 24.04 LTS
    MariaDB Backend
    ⏱️ 30-45 minutes

    Key Features

    • Native DNSSEC support with automatic signing
    • RESTful API for zone management
    • Multiple backends (MySQL, PostgreSQL, SQLite)
    • High-performance packet and query caching

    Prerequisites

    Before starting, ensure you have:

    Server Requirements

    • RamNode VPS with Ubuntu 24.04 LTS
    • Minimum 1GB RAM, 1 vCPU
    • Root or sudo access
    • Static public IP address

    Recommended Specs

    Use Case          RAM     Storage
    < 100 zones       1 GB    20 GB
    100-1000 zones    2 GB    40 GB
    1000+ zones       4+ GB   80+ GB

    System Preparation

    Update System Packages

    Update and Reboot
    sudo apt update && sudo apt upgrade -y
    sudo reboot

    Disable systemd-resolved

    Ubuntu uses systemd-resolved for local DNS resolution. Its stub listener occupies port 53 (on 127.0.0.53) and conflicts with PowerDNS:

    Disable systemd-resolved
    sudo systemctl disable --now systemd-resolved
    sudo rm /etc/resolv.conf

    Configure Static DNS Resolution

    Create resolv.conf
    sudo tee /etc/resolv.conf << EOF
    nameserver 8.8.8.8
    nameserver 8.8.4.4
    EOF

    Prevent resolv.conf Modification

    Make immutable
    sudo chattr +i /etc/resolv.conf

    MariaDB Installation

    Install MariaDB Server

    Install MariaDB
    sudo apt install mariadb-server mariadb-client -y

    Secure MariaDB Installation

    Run Security Script
    sudo mysql_secure_installation

    Set a strong root password, remove anonymous users, disallow remote root login, and remove the test database.

    Create PowerDNS Database and User

    Connect to MariaDB
    sudo mysql -u root -p
    Create Database and User
    CREATE DATABASE pdns;
    CREATE USER 'pdns'@'localhost' IDENTIFIED BY 'YOUR_SECURE_PASSWORD';
    GRANT ALL PRIVILEGES ON pdns.* TO 'pdns'@'localhost';
    FLUSH PRIVILEGES;
    EXIT;

    ⚠️ Important: Replace YOUR_SECURE_PASSWORD with a strong, randomly generated password. Store this securely.


    PowerDNS Installation

    Install from Ubuntu Repository

    Install PowerDNS
    sudo apt install pdns-server pdns-backend-mysql -y

    Alternative: Install from PowerDNS Repository

    For the latest version, add the official PowerDNS repository:

    Add PowerDNS Repository
    # Add PowerDNS GPG key
    curl -fsSL https://repo.powerdns.com/FD380FBB-pub.asc | \
      sudo gpg --dearmor -o /etc/apt/keyrings/powerdns.gpg
    
    # Add repository
    echo 'deb [arch=amd64 signed-by=/etc/apt/keyrings/powerdns.gpg] \
      http://repo.powerdns.com/ubuntu noble-auth-49 main' | \
      sudo tee /etc/apt/sources.list.d/pdns.list
    
    # Set package priority
    sudo tee /etc/apt/preferences.d/pdns << EOF
    Package: pdns-*
    Pin: origin repo.powerdns.com
    Pin-Priority: 600
    EOF
    
    sudo apt update
    sudo apt install pdns-server pdns-backend-mysql -y

    PowerDNS Configuration

    Backup Default Configuration

    Backup Config
    sudo cp /etc/powerdns/pdns.conf /etc/powerdns/pdns.conf.backup

    Configure MySQL Backend

    Create /etc/powerdns/pdns.d/mysql.conf
    sudo tee /etc/powerdns/pdns.d/mysql.conf << EOF
    # MySQL/MariaDB Backend Configuration
    launch+=gmysql
    
    gmysql-host=127.0.0.1
    gmysql-port=3306
    gmysql-dbname=pdns
    gmysql-user=pdns
    gmysql-password=YOUR_SECURE_PASSWORD
    gmysql-dnssec=yes
    EOF

    Set Secure Permissions

    Secure Config File
    sudo chmod 640 /etc/powerdns/pdns.d/mysql.conf
    sudo chown root:pdns /etc/powerdns/pdns.d/mysql.conf

    Main Configuration File

    Edit /etc/powerdns/pdns.conf with these key settings:

    /etc/powerdns/pdns.conf (key settings)
    # Network settings
    local-address=0.0.0.0
    local-port=53
    
    # Security settings
    setuid=pdns
    setgid=pdns
    
    # Performance tuning
    cache-ttl=60
    query-cache-ttl=20
    
    # Logging
    log-dns-queries=no
    log-dns-details=no
    loglevel=4

    Database Schema Setup

    Import PowerDNS Schema

    Download and Import Schema
    curl -o /tmp/schema.sql \
      https://raw.githubusercontent.com/PowerDNS/pdns/master/modules/gmysqlbackend/schema.mysql.sql
    
    mysql -u pdns -p pdns < /tmp/schema.sql

    Verify Schema Installation

    Check Tables
    mysql -u pdns -p -e 'SHOW TABLES;' pdns

    Expected tables: domains, records, supermasters, comments, domainmetadata, cryptokeys, tsigkeys

    Start and Enable PowerDNS

    Enable and Start Service
    sudo systemctl enable pdns
    sudo systemctl start pdns
    sudo systemctl status pdns

    Verify Installation

    Test Database Connection
    sudo systemctl stop pdns
    sudo pdns_server --daemon=no --guardian=no --loglevel=9

    Look for 'gmysql Connection successful' messages. Press Ctrl+C to stop, then restart the service.

    Restart Service
    sudo systemctl start pdns

    API Configuration

    PowerDNS includes a built-in REST API for programmatic zone management. Enable it for integration with management tools like PowerDNS-Admin.

    Generate API Key

    Generate Random API Key
    openssl rand -base64 32

    Save this key securely. You will need it for API authentication.

    Enable API in Configuration

    Add the following to /etc/powerdns/pdns.conf:

    API Configuration
    # API and Webserver Configuration
    api=yes
    api-key=YOUR_GENERATED_API_KEY
    webserver=yes
    webserver-address=127.0.0.1
    webserver-port=8081
    webserver-allow-from=127.0.0.1,::1
    webserver-password=YOUR_WEBSERVER_PASSWORD

    Restart PowerDNS

    Restart Service
    sudo systemctl restart pdns

    Test API Access

    Test API
    curl -H 'X-API-Key: YOUR_API_KEY' \
      http://127.0.0.1:8081/api/v1/servers/localhost | jq .
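    Once the API answers, the same endpoint manages zones. The script below is an added example (not from this guide or the PowerDNS project) that builds the JSON body for creating the example.com zone through the API, reproducing the records the pdnsutil section adds; the API requires every name to be absolute with a trailing dot, which fqdn() enforces. The API key, the server IP 192.0.2.1 and the assumption that dnssec=true on creation generates keys are placeholders/assumptions.

```python
import json
import urllib.request

# webserver-address/webserver-port from pdns.conf; key is a placeholder
API_URL = "http://127.0.0.1:8081/api/v1/servers/localhost"
API_KEY = "YOUR_GENERATED_API_KEY"


def fqdn(name: str, zone: str) -> str:
    """The API rejects relative names: return an absolute name with a trailing dot."""
    zone = zone.rstrip(".") + "."
    if name in ("@", ""):
        return zone
    if name.endswith("."):
        return name
    return f"{name}.{zone}"


def rrset(zone: str, name: str, rtype: str, ttl: int, *contents: str) -> dict:
    """One rrset entry in the PowerDNS API JSON format."""
    return {
        "name": fqdn(name, zone),
        "type": rtype,
        "ttl": ttl,
        "records": [{"content": c, "disabled": False} for c in contents],
    }


def zone_payload(zone: str, nameserver: str, server_ip: str) -> dict:
    """Body for POST .../zones with the records the pdnsutil section adds."""
    return {
        "name": fqdn("@", zone),
        "kind": "Native",
        "dnssec": True,  # assumed equivalent of pdnsutil secure-zone
        "nameservers": [fqdn(nameserver, zone)],  # apex NS records
        "rrsets": [
            rrset(zone, "@", "A", 300, server_ip),
            rrset(zone, nameserver, "A", 86400, server_ip),
            rrset(zone, "www", "A", 300, server_ip),
        ],
    }


def api_request(method: str, path: str, body=None):
    """Send an authenticated request; only the X-API-Key header is required."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API_URL + path, data=data, method=method,
                                 headers={"X-API-Key": API_KEY,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return None if resp.status == 204 else json.load(resp)


if __name__ == "__main__":  # constructed sample IP; runs only when executed directly
    print(json.dumps(api_request("POST", "/zones",
                                 zone_payload("example.com", "ns1", "192.0.2.1")), indent=2))
```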

    Security Hardening

    Firewall Configuration (UFW)

    Configure UFW
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw allow 22/tcp comment 'SSH'
    sudo ufw allow 53/tcp comment 'DNS TCP'
    sudo ufw allow 53/udp comment 'DNS UDP'
    sudo ufw enable

    Alternative: iptables

    Configure iptables
    sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT
    sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    sudo netfilter-persistent save

    Security Best Practices

    • Run PowerDNS as non-root user (setuid/setgid already configured)
    • Restrict API access to localhost only
    • Use strong, unique passwords for database and API
    • Enable DNSSEC for all zones
    • Monitor logs for suspicious activity

    Disable Zone Transfers

    Unless required for secondary servers, disable AXFR:

    Zone Transfer Settings (pdns.conf)
    # In pdns.conf
    disable-axfr=yes
    # Or restrict to specific IPs
    allow-axfr-ips=192.168.1.0/24,10.0.0.5

    DNSSEC Configuration

    PowerDNS provides native DNSSEC support with automatic online signing, eliminating the need for external signing tools.

    Create a Zone

    Create Zone
    sudo pdnsutil create-zone example.com ns1.example.com

    Add DNS Records

    Add Records
    sudo pdnsutil add-record example.com @ A 300 YOUR_SERVER_IP
    sudo pdnsutil add-record example.com @ NS 86400 ns1.example.com
    sudo pdnsutil add-record example.com ns1 A 86400 YOUR_SERVER_IP
    sudo pdnsutil add-record example.com www A 300 YOUR_SERVER_IP

    Enable DNSSEC for Zone

    Secure the zone with DNSSEC (generates an ECDSA P-256 key by default):

    Enable DNSSEC
    sudo pdnsutil secure-zone example.com
    sudo pdnsutil rectify-zone example.com

    View DS Records

    Show Zone Info
    sudo pdnsutil show-zone example.com

    Submit the DS record to your domain registrar to complete the DNSSEC chain of trust.
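    Before handing the DS to the registrar it is worth checking it independently against the DNSKEY line pdnsutil show-zone prints. The script below is an added example (not from this guide or PowerDNS) that derives the digest type 2 (SHA-256) DS from a DNSKEY presentation line: RFC 4034 key tag over the RDATA, then SHA-256 over the canonical owner name plus RDATA. The DNSKEY line is constructed with a placeholder 4-byte public key.

```python
import base64
import hashlib
import struct

# Constructed sample in the format pdnsutil show-zone prints for the zone key
# (the 4-byte "public key" is a placeholder, not a real ECDSA key).
SAMPLE_DNSKEY = "example.com. IN DNSKEY 257 3 13 AQIDBA== ; ( ECDSAP256SHA256 )"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def parse_dnskey(line: str):
    """Return (owner, rdata) from 'owner [TTL] IN DNSKEY flags proto algo key'."""
    fields = line.split(";")[0].split()  # drop any trailing ';' comment
    i = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, algo = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return owner, struct.pack("!HBB", flags, proto, algo) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(dnskey_line: str) -> str:
    """DS record (digest type 2, SHA-256) a registrar expects for this DNSKEY."""
    owner, rdata = parse_dnskey(dnskey_line)
    algo = rdata[3]
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algo} 2 {digest}"


if __name__ == "__main__":
    # Compare this output with the DS line from 'pdnsutil show-zone example.com'
    print(ds_record(SAMPLE_DNSKEY))
```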

    DNSSEC Key Management Commands

    • pdnsutil list-keys example.com - List keys
    • pdnsutil show-zone example.com - Show zone info
    • pdnsutil export-zone-ds example.com - Export DS
    • pdnsutil disable-dnssec example.com - Unsecure zone

    Testing and Verification

    Check Service Status

    Verify Service
    sudo systemctl status pdns
    sudo ss -tlnp | grep pdns

    Test DNS Resolution

    Test Queries
    dig @127.0.0.1 example.com A
    dig @127.0.0.1 example.com NS
    dig @127.0.0.1 example.com SOA

    Verify DNSSEC

    Test DNSSEC
    dig @127.0.0.1 example.com DNSKEY +dnssec
    dig @127.0.0.1 example.com A +dnssec

    Check PowerDNS Statistics

    View Statistics
    sudo pdns_control show

    External Testing

    Test from External
    dig @YOUR_SERVER_IP example.com A
    
    # Use online tools like dnsviz.net for DNSSEC validation

    Troubleshooting

    Common Issues

    Port 53 Already in Use

    Check Port Usage
    sudo ss -tlnp | grep :53
    # Ensure systemd-resolved is disabled
    sudo systemctl status systemd-resolved

    Database Connection Failed

    Verify Credentials
    # Verify credentials
    mysql -u pdns -p pdns -e 'SELECT 1;'
    # Check configuration file permissions
    ls -la /etc/powerdns/pdns.d/

    Service Won't Start

    Debug Service
    # Check logs
    sudo journalctl -u pdns -n 50
    # Test configuration
    sudo pdns_server --daemon=no --guardian=no --loglevel=9

    Useful Commands

    • journalctl -u pdns -f - View logs
    • pdnsutil list-all-zones - List all zones
    • pdns_control show - Statistics
    • pdns_control purge - Clear cache
    • pdns_control reload - Reload zones

    Log Locations

    Log Type                 Location/Command
    PowerDNS service logs    journalctl -u pdns
    System logs              /var/log/syslog
    MariaDB logs             /var/log/mysql/error.log

    Deployment Complete!

    Your PowerDNS authoritative server is now deployed with a MariaDB backend and DNSSEC support. This setup is suitable for hosting providers that need scalable DNS infrastructure.