Install a PowerDNS resolver on CentOS 7


There are two versions of PowerDNS:

Why run your own DNS?

You may want to run your own DNS resolver if you have a number of servers or a large network of computers; if you find public DNS servers or those provided by your ISP too slow; or if you want to ensure your DNS is unfiltered and not tracked.

Why PowerDNS over BIND?

Much of the decision is down to user preference and experience; both are extremely capable. I use PowerDNS as I prefer the MySQL rather than flat-file back-end for authoritative use. I also find it quicker and more predictable under heavy load.

Other users prefer lighter distributions such as MaraDNS – so it’s worth looking around to see what’s best for you.

PowerDNS resolver install guide

If you need a server to try this out on, we recommend our friends at Linode.

You’ll need to enable the EPEL repository.

You can now install the PowerDNS resolver:

[user@server] sudo yum install pdns-recursor

We’ll need to make a couple of changes to the configuration before we start the server:

[user@server] sudo nano /etc/pdns-recursor/recursor.conf

You’ll see a line called ‘allow-from’.
Remove the # symbol from the start of this line.
It’s important that you add the IP addresses or IP ranges here that you want to serve recursive DNS for; only those clients will be answered. By default 127.0.0.0/8 will be listed to allow the local server to use its own service, and it’s safe to leave that in place.

The second line to edit is ‘local-address=’.
Again, remove the # from the beginning.
You then need to add a comma-separated list of IP addresses that you want this server to listen on. This will usually just be 127.0.0.1 and the main IP of your server, e.g.:

local-address=127.0.0.1, 10.0.0.123

Ctrl+O to save and Ctrl+X to exit.

You can now start your server.

[user@server] sudo service pdns-recursor start

To make sure that the DNS server starts on boot, you can use

[user@server] sudo chkconfig pdns-recursor on

You can check the server is responding using the dig command.

[user@server] dig @127.0.0.1 www.netweaver.uk

If all is well, it would be advisable at this point to set up a firewall that only allows access from the IP addresses that will be using the server, as an added precaution. CSF works very well.
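As an added check that is not part of the original guide, the POSIX shell function below inspects a recursor.conf for the two settings edited above and refuses a configuration that would leave the server as an open resolver (an allow-from that permits every address, or one that is still commented out). The file path and the sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Sanity-check a pdns-recursor recursor.conf before starting the service.
# Prints each finding; returns 0 when the config looks safe, 1 otherwise.
check_recursor_conf() {
    conf="$1"
    rc=0
    # Pick up only the active (uncommented) settings; the last one wins.
    allow=$(sed -n 's/^[[:space:]]*allow-from=//p' "$conf" | tail -n 1)
    listen=$(sed -n 's/^[[:space:]]*local-address=//p' "$conf" | tail -n 1)

    if [ -z "$allow" ]; then
        echo "FAIL: allow-from is not set or still commented out"
        rc=1
    else
        # Any catch-all range means anyone on the internet can recurse
        # through this server, which is what the guide's allow-from edit avoids.
        for net in $(echo "$allow" | tr ',' ' '); do
            case "$net" in
                0.0.0.0/0|::/0|0.0.0.0|::)
                    echo "FAIL: allow-from permits every client ($net)"
                    rc=1 ;;
            esac
        done
    fi

    if [ -z "$listen" ]; then
        echo "FAIL: local-address is not set or still commented out"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $conf only serves the listed clients"
    return "$rc"
}
```

Run it as `check_recursor_conf /etc/pdns-recursor/recursor.conf` before `service pdns-recursor start`; a non-zero exit means one of the two edits above is missing or too permissive.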

2 Comments

  • Hello,

    I am not able to resolve from a remote host but it works on the local server. Pls assist.

    dig @127.0.0.1 www.tt.com

    ; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> @127.0.0.1 www.tt.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23101
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.tt.com. IN A

    ;; ANSWER SECTION:
    www.tt.com. 299 IN A 194.232.30.66
    www.tt.com. 299 IN A 194.232.30.65

    ;; Query time: 227 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Wed Jan 31 10:12:43 EAT 2018
    ;; MSG SIZE rcvd: 60

    From remote host:
    nslookup tt.com 172.xx.xx..30
    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.

    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1429/pdns_recursor
    tcp 0 0 172.xx.xx.xx:53 0.0.0.0:* LISTEN 1429/pdns_recursor
    udp 0 0 127.0.0.1:53 0.0.0.0:* 1429/pdns_recursor
    udp 0 0 172.xx.xx.xx:53 0.0.0.0:* 1429/pdns_recursor

    • Hi Dan,
      Two things to check.
      1) Is your 172. IP address between 172.16. and 172.31.? If so this is an internal only IP and not accessible from the internet.
      2) Do you have iptables or firewalld running? You may need to open up port 53.

