17
freebsd
powerdns
4
jail
Prev
Upgrading Nuxt to 3.12

Purpose

This article describes getting Power DNS 4.9.3 running inside a jail using Bastille 0.13, on FreeBSD 14.2-RELEASE. There are not many steps to getting the bare minimum service running, and it focuses on the nuances in the jail environment.

Why Power DNS

dnsmasq has been my favourite DNS service. In one simple file it manages DNS forwarding, domain name overwrites (how Pi-Hole works to block bad domains), and more.

Power DNS has features not available in dnsmasq; including dynamic DNS, API and CLI management, and more. You should understand what feature are key in your decision on the DNS.

STEP: Prepare your jail

There a a few ways to spin up jails, including the slightly more complex vnet setups. This article is only tested on the loopback config as documented in the Bastille site using the loopback (lo0) interface and a static IP. The same steps should work regardless of jail config.

Spinning up a jail instance is out of scope for this article.

STEP: Install and enable service

It is probably easier to console into the jail and install packages within:

pkg install -y powerdns

If installing from host:

sudo bastille pkg <jailname> install -y powerdns

Enable the service:

service pdns enable

STEP: Config service

Power DNS comes with an 'empty' config by default. There are default settings e.g. port. The folloing needs to be explicitly added in /usr/local/etc/pdns/pdns.conf:

# FILE: /usr/local/etc/pdns/pdns.conf
# Defaults to 0.0.0.0 which does not seem to work in the loopback config
# Replace with the jail IP
local-address=192.168.10.5

# Use the simplest database hosted within the jail
launch=gsqlite3
gsqlite3-database=/var/db/pdns/pdns.sqlite3

The sqlite db needs the schema set up:

mkdir -p /var/db/pdns
sqlite3 /var/db/pdns/pdns.sqlite3 < /usr/local/share/doc/powerdns/schema.sqlite3.sql
sudo chown -R pdns:pdns /var/db/pdns

Restart the service and test its response. Note that until a domain is configured, returning an empty response is expected.

service pdns restart
drill www.google.com @192.168.10.5

# Returns:
#;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 47397
#;; flags: qr rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
#;; QUESTION SECTION:
#;; www.google.com.      IN      A
#
#;; ANSWER SECTION:
#
#;; AUTHORITY SECTION:
#
#;; ADDITIONAL SECTION:
#
#;; Query time: 0 msec
#;; SERVER: 10.0.25.5
#;; WHEN: Wed Feb 12 13:23:00 2025
#;; MSG SIZE  rcvd: 32

STEP: Config data

Almost there! Now that the service is running, create a domain it is authoritative for (modified from powerdns.com).

pdnsutil create-zone example.com ns1.example.com
# Creating empty zone 'example.com'
# Also adding one NS record

pdnsutil add-record example.com. www A 192.0.2.1
# New rrset:
# www.example.com. 3005 IN A 192.0.2.1

No need to restart service. Test the A record and expect the updated response!

STEP: Exposing to the network

This step is optional; required when the jail loopback config is used. The jail IP may be blocked by the firewall (pf), and the 'proper' way to expose it is via rdr:

# drill uses udp
sudo bastille rdr <jailname> udp 53 53

# optional for tcp lookups
sudo bastille rdr <jailname> tcp 53 53