Install a PowerDNS resolver on CentOS 7


There are two versions of PowerDNS:

Why run your own DNS?

You may want to run your own DNS resolver if you have a number of servers or a large network of computers;  if you find public DNS servers or those provided by your ISP too slow; or if you want to ensure your DNS is unfiltered and not tracked.

Why PowerDNS over BIND?

Much of the decision is down to user preference and experience, both are extremely capable.  I use PowerDNS as I prefer the mySQL rather than flat file back-end for authoritative use.  I also find it quicker and more predictable under heavy load.

Other users prefer lighter distributions such as MaraDNS – so it’s worth looking around to see what’s best for you.

PowerDNS resolver install guide

If you need a server to try this out on, we recommend our friends at Linode.

You’ll need to enable the EPEL repository.

You can now install the PowerDNS resolver

[user@server] sudo yum install pdns-recursor

We’ll need to make a couple of changes to the configuration before we start the server

[user@server] sudo nano /etc/pdns-recursor/recursor.conf

You’ll see a line called ‘allow-from’.
Remove the # symbol from before this line.
It’s important that you add IP addresses, or IP ranges here that you want to serve recursive DNS for.  By default will be listed to allow the local server to use its own service, it’s safe to leave that in place.

The second line to edit is ‘local-address=’
Again, remove the # from the beginning.
You then need to add a comma-separated list of IP addresses that you want this server to listen on.  This will usually just be and the main IP of your server.  eg:


Ctrl+O to save and Ctrl+X to exit.

You can now start your server.

[user@server] sudo service pdns-recursor start

To make sure that the DNS server starts on boot, you can use

[user@server] sudo chkconfig pdns-recursor on

You can check the server is responding using the dig command.

[user@server] dig @

If all is well, it would be advisable to set up a firewall at this point to only allow access from the IP addresses that will be using the server as an added precaution.  CSF works very well.

2 Comments. Leave new

  • Hello,

    I am not able to resolve form a remote host but works on the local server. Pls assist.

    dig @

    ; <> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <> @
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23101
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

    ; IN A

    ;; ANSWER SECTION: 299 IN A 299 IN A

    ;; Query time: 227 msec
    ;; SERVER:
    ;; WHEN: Wed Jan 31 10:12:43 EAT 2018
    ;; MSG SIZE rcvd: 60

    From remote host:
    nslookup 172.xx.xx..30
    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.

    tcp 0 0* LISTEN 1429/pdns_recursor
    tcp 0 0 172.xx.xx.xx:53* LISTEN 1429/pdns_recursor
    udp 0 0* 1429/pdns_recursor
    udp 0 0 172.xx.xx.xx:53* 1429/pdns_recursor

    • Hi Dan,
      Two things to check.
      1) Is your 172. IP address between 172.16. and 172.31.? If so this is an internal only IP and not accessible from the internet.
      2) Do you have IPtables or Firewalld running? You may need to open up port 53.


Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.