Integration with PowerDNS module
Starting from version 2023.08.1, installation and configuration of the module is not supported. To integrate with the DNS server in the platform, use the Integration with DNSmanager 6 module.
If integration with PowerDNS was configured in the platform, the integration will continue to work until the Integration with DNSmanager 6 module is installed.
For some Internet services (e.g. sending email), in virtual machines (VMs) it is necessary to convert IP addresses into domain names. To perform this conversion, you need to configure VMmanager integration with the DNS server.
VMmanager supports integration with PowerDNS Authoritative Server. PowerDNS is a high-performance, free, open-source DNS server. Read more about PowerDNS in the official documentation.
After the integration, PTR records will be created on the DNS server, converting VM addresses into domain names.
The integration provides for the transfer of:
- PTR records;
- NS records, if additional name servers are specified in the module settings.
Transfer of other record types must be configured manually.
Matching of IP address and reverse domain name
To determine a domain name by IP address, the DNS server uses a PTR record of the reverse domain zone. To execute the request, the node address is converted to the reverse form. The translation method depends on the IP version.
IPv4
An IPv4 address is written as four decimal numbers from 0 to 255, separated by dots. E.g., 192.168.0.1. To search for domain names by IPv4 addresses, the domain "in-addr.arpa." is used. The IP address is written in the domain name in reverse order. For example, the address 195.161.72.28 corresponds to the domain name "28.72.161.195.in-addr.arpa.".
IPv6
An IPv6 address is written as eight hexadecimal numbers from 0 to ffff, separated by colons. E.g., 3107:0c38:0a67:0000:0000:e446:3925:0091. To search for domain names by IPv6 addresses, the domain "ip6.arpa." is used. The IP address is written in the domain name in reverse order, one hexadecimal digit per label. For example, the address 3107:0c38:0a67:0000:0000:e446:3925:0091 corresponds to the domain name "1.9.0.0.5.2.9.3.6.4.4.e.0.0.0.0.0.0.0.0.7.6.a.0.8.3.c.0.7.0.1.3.ip6.arpa.".
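The two conversions described above, together with the inverse mapping from a PTR owner name back to an address, as an added example that is not part of the original documentation. It goes beyond the text by accepting compressed IPv6 forms such as 2001:db8::1; the function names are illustrative.

```python
import ipaddress

def reverse_name(addr: str) -> str:
    """Return the PTR owner name (with trailing dot) for an IPv4/IPv6 address."""
    ip = ipaddress.ip_address(addr)           # raises ValueError on bad input
    if ip.version == 4:
        labels = str(ip).split(".")           # four decimal octets
        suffix = "in-addr.arpa."
    else:
        # exploded restores leading zeros and any "::" run: always 32 nibbles
        labels = list(ip.exploded.replace(":", ""))
        suffix = "ip6.arpa."
    return ".".join(reversed(labels)) + "." + suffix

def address_from_reverse_name(name: str) -> str:
    """Inverse mapping: recover the address from a full PTR owner name."""
    name = name.lower().rstrip(".")
    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            raise ValueError("IPv4 reverse name needs 4 octet labels")
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError("IPv6 reverse name needs 32 single-digit labels")
        digits = "".join(reversed(nibbles))
        groups = [digits[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError("not a reverse-zone name")

if __name__ == "__main__":
    for sample in ("195.161.72.28", "3107:0c38:0a67:0000:0000:e446:3925:0091"):
        print(sample, "->", reverse_name(sample))
```

A reverse name with the wrong number of labels is rejected by address_from_reverse_name, which makes it usable as a sanity check on hand-written PTR owner names.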
Configuring integration
Installing and configuring PowerDNS
- The examples are commands for AlmaLinux 8. For other operating systems the commands may be different.
- In the basic configuration, PowerDNS uses BIND as the backend. BIND does not support API write requests via HTTP, so it is not suitable for integration setup. The example describes changing the backend to Generic MySQL. Read more in the official PowerDNS documentation.
On a server for PowerDNS:
Add the epel-release repository:
dnf -y install epel-release
Install the software updates:
dnf -y update
Disable the SELinux service:
setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
Install MySQL:
dnf -y install mysql-server mysql
systemctl enable mysqld.service
systemctl start mysqld.service
Perform the initial MySQL security setup:
mysql_secure_installation
Open the MySQL console:
mysql -u root -p
Create a database and a powerdns account in the console:
CREATE DATABASE powerdns;
CREATE USER 'powerdns' IDENTIFIED BY '<powernds_mysql_pass>';
Comments to the command:
<powernds_mysql_pass> — password to the powerdns account in MySQL
GRANT ALL PRIVILEGES ON powerdns.* TO 'powerdns';
FLUSH PRIVILEGES;
Exit the console:
exit
Import the schema for the data source:
Save the schema from the PowerDNS documentation to /root/powerdns.sql.
Each version of PowerDNS has its own schema.
Import the saved file into the database:
mysql -u powerdns -p powerdns < /root/powerdns.sql
If the systemd-resolved service is enabled, stop and disable it:
systemctl disable systemd-resolved.service
systemctl stop systemd-resolved.service
systemctl mask systemd-resolved.service
Install PowerDNS:
dnf -y install pdns pdns-backend-mysql bind-utils
systemctl enable pdns.service
systemctl start pdns.service
Create the configuration file /etc/pdns/pdns.conf:
Configuration for primary DNS
api=yes
api-key=<pdns_api_key>
webserver=yes
webserver-port=<pdns_port>
webserver-address=0.0.0.0
webserver-allow-from=0.0.0.0/0
launch=gmysql
gmysql-host=127.0.0.1
gmysql-user=powerdns
gmysql-password=<powernds_mysql_pass>
gmysql-dbname=powerdns
primary=yes
allow-axfr-ips=<transfer_zone_allow>
Configuration for secondary DNS
api=yes
api-key=<pdns_api_key>
webserver=yes
webserver-port=<pdns_port>
webserver-address=0.0.0.0
webserver-allow-from=0.0.0.0/0
launch=gmysql
gmysql-host=127.0.0.1
gmysql-user=powerdns
gmysql-password=<powernds_mysql_pass>
gmysql-dbname=powerdns
secondary=yes
Comments:
<pdns_api_key> — PowerDNS API access key. Minimum length — 6 characters
<pdns_port> — port of access to the built-in PowerDNS web server
<powernds_mysql_pass> — password to the powerdns account in MySQL
<transfer_zone_allow> — IP addresses of DNS servers that are allowed to request a domain zone transfer
Open the DNS and PowerDNS web server ports in the firewall:
firewall-cmd --permanent --zone=public --add-port=<pdns_port>/tcp
Comments to the command:
<pdns_port> — port of access to the built-in PowerDNS web server
firewall-cmd --permanent --zone=public --add-service=dns
firewall-cmd --reload
If PowerDNS is used as a secondary DNS:
Add domain zones:
pdnsutil create-secondary-zone <zone> <primary_dns>
Comments to the command:
<zone> — domain zone
<primary_dns> — IP address of the primary DNS server
Open the MySQL console:
mysql -u root -p
Add a record to the database with the settings of the main server:
INSERT INTO powerdns.supermasters VALUES ('<primary_IP>', '<primary_domain>', 'powerdns');
Comments to the command:
<primary_IP> — IP address of the primary DNS server
<primary_domain> — domain name of the primary DNS server
Exit the console:
exit
In the /etc/pdns/pdns.conf file, set autosecondary to yes:
autosecondary=yes
Restart PowerDNS:
systemctl restart pdns.service
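A check of the API exposure settings in the resulting /etc/pdns/pdns.conf, added here as an example and not part of the original documentation or of PowerDNS. It flags an api-key under the 6-character minimum stated above, a webserver-allow-from entry that admits every client, and a wildcard webserver-address. The sample values, including 192.0.2.53 as the PowerDNS host and 192.0.2.10 as the VMmanager server, are constructed assumptions.

```python
import ipaddress

def parse_pdns_conf(text: str) -> dict:
    """Parse key=value lines; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_api_exposure(conf: dict, min_key_len: int = 6) -> list:
    """Return findings about who can reach the PowerDNS API webserver."""
    findings = []
    if conf.get("api") != "yes":
        return findings                       # API disabled: nothing to check
    if len(conf.get("api-key", "")) < min_key_len:
        findings.append("api-key shorter than %d characters" % min_key_len)
    for item in conf.get("webserver-allow-from", "").split(","):
        item = item.strip()
        if item and ipaddress.ip_network(item, strict=False).prefixlen == 0:
            findings.append("webserver-allow-from admits any client: " + item)
    # Assumed default when the key is absent: loopback only.
    bind = conf.get("webserver-address", "127.0.0.1")
    if ipaddress.ip_address(bind).is_unspecified:
        findings.append("webserver-address listens on all interfaces: " + bind)
    return findings

# Constructed sample using the exposure settings from the configuration above.
OPEN_CONF = """api=yes
api-key=c0nstructed-sample-key
webserver=yes
webserver-port=8081
webserver-address=0.0.0.0
webserver-allow-from=0.0.0.0/0
"""
# Constructed sample scoped to one interface and one client (assumed addresses).
SCOPED_CONF = """api=yes
api-key=c0nstructed-sample-key
webserver=yes
webserver-port=8081
webserver-address=192.0.2.53
webserver-allow-from=192.0.2.10/32
"""

if __name__ == "__main__":
    for name, text in (("open", OPEN_CONF), ("scoped", SCOPED_CONF)):
        print(name, audit_api_exposure(parse_pdns_conf(text)))
```

With webserver-allow-from narrowed as in the second sample, the firewall rule for <pdns_port> can be limited to the same source address.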
Configuring VMmanager
Starting from version 2023.08.1, configuration is only possible via the platform API.
Send data to VMmanager to connect to PowerDNS API:
curl -d '{"type":"powerdns", "params":{"address":"<pdns_ip>:<pdns_port>", "password":"<pdns_api_key>"}, "nameservers":["<ns1>","<ns2>"]}' -H "x-xsrf-token: <token>" -H "Host: instance-1" https://<vmmgr_ip>/dnsproxy/v3/settings/dns
Where:
<pdns_ip>:<pdns_port> — IP address and PowerDNS port
<pdns_api_key> — PowerDNS API access key
<token> — authorization token. Read more in the API guide
<vmmgr_ip> — IP address or domain name of the server with VMmanager
<ns1>,<ns2> — IP addresses or domain names of NS
If you get the message "Instance is starting now" in response, repeat the command.
Enable the dnsproxy service on the server with VMmanager. This service performs integration with external DNS servers.
curl -X POST -H "x-xsrf-token: <token>" https://<vmmgr_ip>/ip/v3/plugin/dnsproxy/enable
Where:
<token> — authorization token
<vmmgr_ip> — IP address or domain name of the server with VMmanager
Start data synchronization with dnsproxy. After that, the dnsproxy service will transfer PTR records to PowerDNS:
curl -X POST -H "x-xsrf-token: <token>" https://<vmmgr_ip>/ip/v3/ip/dnsproxy/sync
Where:
<token> — authorization token
<vmmgr_ip> — IP address or domain name of the server with VMmanager
Checking settings
Check that the ip6.arpa. and in-addr.arpa. DNS zones are added to PowerDNS:
curl -v -H 'X-API-Key: <pdns_api_key>' http://<pdns_ip>:<pdns_port>/api/v1/servers/localhost/zones
Where:
<pdns_api_key> — PowerDNS API access key
<pdns_ip>:<pdns_port> — IP address and PowerDNS port
If the zones are added successfully, the response should contain information about their settings:
An example of response:
[
  {
    "account": "",
    "dnssec": false,
    "id": "ip6.arpa.",
    "kind": "Master",
    "last_check": 0,
    "masters": [],
    "name": "ip6.arpa.",
    "notified_serial": 0,
    "serial": 2020032801,
    "url": "/api/v1/servers/localhost/zones/ip6.arpa."
  },
  {
    "account": "",
    "dnssec": false,
    "id": "in-addr.arpa.",
    "kind": "Master",
    "last_check": 0,
    "masters": [],
    "name": "in-addr.arpa.",
    "notified_serial": 0,
    "serial": 2020032812,
    "url": "/api/v1/servers/localhost/zones/in-addr.arpa."
  }
]
Check the creation of DNS records in ip6.arpa. and in-addr.arpa.:
curl -v -H 'X-API-Key: <pdns_api_key>' http://<pdns_ip>:<pdns_port>/api/v1/servers/localhost/zones/in-addr.arpa.
curl -v -H 'X-API-Key: <pdns_api_key>' http://<pdns_ip>:<pdns_port>/api/v1/servers/localhost/zones/ip6.arpa.
Where:
<pdns_api_key> — PowerDNS API access key
<pdns_ip>:<pdns_port> — IP address and PowerDNS port
The response must contain PTR records for the VMs’ IP addresses.
An example of response for the in-addr.arpa zone:
{
  "account": "",
  "api_rectify": false,
  "dnssec": false,
  "id": "in-addr.arpa.",
  "kind": "Master",
  "last_check": 0,
  "masters": [],
  "name": "in-addr.arpa.",
  "notified_serial": 0,
  "nsec3narrow": false,
  "nsec3param": "",
  "rrsets": [
    {
      "comments": [],
      "name": "14.250.31.172.in-addr.arpa.",
      "records": [
        { "content": "sunshine-ametrine.example.com.", "disabled": false }
      ],
      "ttl": 3600,
      "type": "PTR"
    },
    {
      "comments": [],
      "name": "0.250.31.172.in-addr.arpa.",
      "records": [
        { "content": "subnet.reserved.example.com.", "disabled": false }
      ],
      "ttl": 3600,
      "type": "PTR"
    },
    ...
  ],
  "serial": 2020032717,
  "soa_edit": "",
  "soa_edit_api": "DEFAULT",
  "url": "/api/v1/servers/localhost/zones/in-addr.arpa."
}
Check operation of PowerDNS:
dig -x <IP> @<pdns_ip> +short
Where:
<IP> — IP address of the VM
<pdns_ip> — IP address of PowerDNS
The response must contain information about the PTR record for the requested IP address.
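A way to compare the zone response shown above against the address-to-hostname pairs you expect, added here as an example and not part of the original documentation. The zone JSON and the expected pairs are constructed samples, and the function name and the four status labels are illustrative.

```python
import ipaddress
import json

# Constructed sample in the shape of the zone response shown above.
ZONE_JSON = """{"name": "in-addr.arpa.", "rrsets": [
 {"name": "14.250.31.172.in-addr.arpa.", "type": "PTR", "ttl": 3600,
  "records": [{"content": "sunshine-ametrine.example.com.", "disabled": false}]},
 {"name": "0.250.31.172.in-addr.arpa.", "type": "PTR", "ttl": 3600,
  "records": [{"content": "old-name.example.com.", "disabled": false}]},
 {"name": "7.250.31.172.in-addr.arpa.", "type": "PTR", "ttl": 3600,
  "records": [{"content": "vm7.example.com.", "disabled": true}]}]}"""

# Constructed expected pairs, e.g. as listed in the dns_proxy_record table.
EXPECTED = {"172.31.250.14": "sunshine-ametrine.example.com",
            "172.31.250.0": "subnet.reserved.example.com",
            "172.31.250.7": "vm7.example.com",
            "172.31.250.9": "vm9.example.com"}

def check_ptr_records(zone: dict, expected: dict) -> dict:
    """Classify each expected address as ok, mismatch, disabled or missing."""
    served = {}
    for rrset in zone.get("rrsets", []):
        if rrset.get("type") == "PTR":
            served[rrset["name"].lower()] = rrset.get("records", [])
    result = {}
    for ip, host in expected.items():
        owner = ipaddress.ip_address(ip).reverse_pointer + "."
        want = host.rstrip(".").lower() + "."   # API content ends with a dot
        records = served.get(owner)
        if not records:
            result[ip] = "missing"
        elif all(r.get("disabled") for r in records):
            result[ip] = "disabled"
        elif any(r["content"].lower() == want and not r.get("disabled")
                 for r in records):
            result[ip] = "ok"
        else:
            result[ip] = "mismatch"
    return result

if __name__ == "__main__":
    for ip, status in check_ptr_records(json.loads(ZONE_JSON), EXPECTED).items():
        print(ip, status)
```

A "mismatch" or "disabled" result is worth following up in the dnsproxy log before relying on the PTR record for services such as outgoing mail.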
Diagnostics
VMmanager integration with PowerDNS is performed by the dnsproxy service. You can check the operation of the dnsproxy service via the /var/log/dns_proxy_service_1_writer.log file in the vm_dns_proxy_1 docker container on the server with VMmanager.
To check the DNS zone settings in VMmanager, run the command on the server with VMmanager:
docker exec -it mysql bash -c "mysql isp -p\$MYSQL_ROOT_PASSWORD -e 'select * from dns_proxy_zone;' "
An example of response
*************************** 1. row ***************************
id: 1
status: ok
status_info: null
name: in-addr.arpa
*************************** 2. row ***************************
id: 2
status: ok
status_info: null
name: ip6.arpa
2 rows in set (0.00 sec)
status_info — DNS record status info. The "null" message means that the zone has been added successfully.
To check the DNS records settings in VMmanager, run the command on the server with VMmanager:
docker exec -it mysql bash -c "mysql isp -p\$MYSQL_ROOT_PASSWORD -e 'select * from dns_proxy_record;' "
An example of the command output:
*************************** 1. row ***************************
id: 1
status: ok
status_info: null
zone: 1
name: 172.31.255.254
content: gateway.reserved.example.com
type: ptr
*************************** 2. row ***************************
id: 2
status: ok
status_info: null
zone: 1
name: 172.31.240.0
content: subnet.reserved.example.com
type: ptr
status_info — DNS record status info. The "null" message means that the record has been added successfully.
If you have problems configuring the integration:
Disable the dnsproxy service:
curl -X POST -H "x-xsrf-token: <token>" https://<vmmgr_ip>/ip/v3/plugin/dnsproxy/disable
Where:
<token> — authorization token
<vmmgr_ip> — IP address or domain name of the server with VMmanager
Delete the contents of dns_proxy_record and dns_proxy_zone tables:
docker exec -it mysql bash -c "mysql isp -p\$MYSQL_ROOT_PASSWORD -e 'delete from dns_proxy_record; delete from dns_proxy_zone;' "
Reconfigure the integration.