Using PowerDNS (pdns) with an LDAP Backend
Initial Configuration
Install the PowerDNS LDAP Backend
Install the package with:
# apt-get install pdns-backend-ldap
and answer the prompts as follows:
- IP Address where PowerDNS should listen - can be left blank if you only have one network address, but if you have multiple IP addresses (e.g. from two network cards, or PPP + a NIC) you should enter the IP that should be used for responding to DNS queries.
- Subnets allowed to recurse - is the semicolon delimited list of networks for which PowerDNS will query other DNS servers for names it does not recognize (useful if you have a local domain but also want to access internet domain names).
- Do you want to start the PowerDNS server automatically - normally this will be Yes.
Edit /etc/powerdns/pdns.conf
Make sure the following entries are set properly (leaving the rest as configured by the install process):
allow-recursion-override=on
launch=ldap
lazy-recursion=yes
local-address=numbered.ip.of.dns-server
recursor=127.0.0.1
Edit /etc/powerdns/pdns.d/pdns.local
It should look like:
ldap-host=numeric.ip.of.ldap-server
ldap-basedn=ou=dns,dc=your,dc=domain
ldap-method=strict
Where ldap-basedn is the BaseDN for DNS entries (most likely a subtree rather than based on the LDAP root).
Edit /etc/powerdns/recursor.conf
It should have the following entries in addition to the defaults:
local-address=127.0.0.1
quiet=yes
Add the following entries to slapd.conf
index aRecord pres,eq
index associatedDomain pres,eq,sub
Update the LDAP indices
Make sure the indexes are updated by doing (as root):
# /etc/init.d/slapd stop
# slapindex
# /etc/init.d/slapd start
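The three PowerDNS files edited above have to agree with each other (the recursor address in pdns.conf must be the one recursor.conf listens on, and the placeholder addresses must be replaced by numeric IPs). The following added example, which is not code from the page or from PowerDNS, parses the key=value format those files use and reports the mismatches. The sample file contents are constructed to mirror the page; the allow-recursion key is an assumption, taken to be the option the "Subnets allowed to recurse" prompt fills in, and is only flagged when it would turn the server into an open resolver.

```python
"""Consistency check for pdns.conf, pdns.d/pdns.local and recursor.conf.

Added example, not code from the page or from PowerDNS.
"""
from __future__ import annotations

import ipaddress


def parse_pdns_conf(text: str) -> dict[str, str]:
    """Parse PowerDNS-style config text: one key=value per line, '#' starts a comment."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()   # last occurrence wins
    return settings


def _split_list(value: str) -> list[str]:
    """Accept both the comma form PowerDNS uses and the semicolon form of the install prompt."""
    return [v.strip() for v in value.replace(";", ",").split(",") if v.strip()]


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_configuration(pdns_conf: str, pdns_local: str, recursor_conf: str) -> list[str]:
    """Return the list of problems found; an empty list means the files agree."""
    pdns = parse_pdns_conf(pdns_conf)
    pdns.update(parse_pdns_conf(pdns_local))   # pdns.d/pdns.local is read as part of pdns.conf
    recursor = parse_pdns_conf(recursor_conf)
    problems: list[str] = []

    if pdns.get("launch") != "ldap":
        problems.append("pdns.conf: launch=ldap is required for the LDAP backend")

    for key in ("ldap-host", "ldap-basedn"):
        if not pdns.get(key):
            problems.append(f"pdns.local: {key} is not set")
    basedn = pdns.get("ldap-basedn", "")
    if basedn and "=" not in basedn:
        problems.append(f"pdns.local: ldap-basedn {basedn!r} is not a DN (expected e.g. ou=dns,dc=example,dc=com)")
    if pdns.get("ldap-method", "simple") not in ("simple", "tree", "strict"):
        problems.append(f"pdns.local: unknown ldap-method {pdns['ldap-method']!r}")

    # The page's placeholder numbered.ip.of.dns-server must be replaced by a real address.
    for addr in _split_list(pdns.get("local-address", "")) or [""]:
        if not _is_ip(addr):
            problems.append(f"pdns.conf: local-address {addr!r} must be a numeric IP address")

    # pdns hands recursion to the recursor; the two addresses must match.
    target = pdns.get("recursor")
    listening = recursor.get("local-address")
    if target and target != listening:
        problems.append(f"pdns.conf recursor={target} but recursor.conf local-address={listening}")

    # Assumed key (see lead-in): a /0 network here answers recursive queries for anyone.
    for net in _split_list(pdns.get("allow-recursion", "")):
        try:
            network = ipaddress.ip_network(net, strict=False)
        except ValueError:
            problems.append(f"pdns.conf: allow-recursion entry {net!r} is not a valid network")
            continue
        if network.prefixlen == 0:
            problems.append(f"pdns.conf: allow-recursion {net} would make this an open resolver")
    return problems


# Constructed sample files mirroring the page (192.0.2.0/24 is documentation address space).
PDNS_CONF = """\
allow-recursion-override=on
launch=ldap
lazy-recursion=yes
local-address=192.0.2.53
recursor=127.0.0.1
allow-recursion=127.0.0.1;192.0.2.0/24
"""
PDNS_LOCAL = """\
ldap-host=192.0.2.10
ldap-basedn=ou=dns,dc=example,dc=com
ldap-method=strict
"""
RECURSOR_CONF = """\
local-address=127.0.0.1
quiet=yes
"""

if __name__ == "__main__":
    for problem in check_configuration(PDNS_CONF, PDNS_LOCAL, RECURSOR_CONF) or ["configuration is consistent"]:
        print(problem)
```

Run it against the real files by reading them in place of the three sample strings; an empty result means the settings the page asks for are present and consistent.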
Add some DNS entries
See also the PowerDNS LDAP Backend LDIF Format section below.
The following could be added using
# ldapadd -x -W -D "cn=admin,dc=your,dc=domain" -f filename
The file should contain some data similar to this:
# create fictive organisational unit dns
dn: ou=dns,dc=example,dc=com
objectclass: organizationalUnit
ou: dns

dn: dc=example,ou=dns,dc=example,dc=com
objectclass: dnsdomain
objectclass: domainrelatedobject
dc: example
soarecord: host1.example.com hostmaster@mail.example.com 0 1800 3600 604800 84600
nsrecord: host1.example.com
mxrecord: 10 mail.example.com
associateddomain: example.com

# Simple record (host1.example.com has address 192.168.1.2)
dn: dc=host1,dc=example,ou=dns,dc=example,dc=com
objectclass: top
objectclass: dnsdomain
objectclass: domainrelatedobject
dc: host1
arecord: 192.168.1.2
associateddomain: host1.example.com

# Other names for host1.example.com
dn: dc=host1-aliases,dc=example,ou=dns,dc=example,dc=com
objectclass: top
objectclass: dnsdomain
objectclass: domainrelatedobject
dc: host1-aliases
cnamerecord: host1.example.com
associateddomain: mail.example.com
associateddomain: dns.example.com
associateddomain: dhcp.example.com
associateddomain: wins.example.com
associateddomain: smtp.example.com
associateddomain: ldap.example.com

# Simple record: host2.example.com
dn: dc=host2,dc=example,ou=dns,dc=example,dc=com
objectclass: top
objectclass: dnsdomain
objectclass: domainrelatedobject
dc: host2
arecord: 192.168.1.3
associateddomain: host2.example.com
Restart powerdns
# /etc/init.d/pdns-recursor restart
# /etc/init.d/pdns restart
PowerDNS LDAP Backend LDIF Format
This configuration assumes that reverse lookups are derived from the standard host entries rather than being in a separate tree. See the pdns-server manual.
SOA Record
The SOA record marks the start of authority for the zone.
The soarecord attribute expects the fields primary hostmaster serial refresh retry expire default_ttl, in this order.
Besides the primary and the hostmaster, all fields are numerical. PDNS has a set of default values:
SOA field | Default value
primary | default-soa-name configuration option
hostmaster | hostmaster@domain-name
serial | 0
refresh | 10800 (3 hours)
retry | 3600 (1 hour)
expire | 604800 (1 week)
default_ttl | 3600 (1 hour)
The fields have complicated and sometimes controversial meanings. The serial field is special. If left at 0 (the default), PDNS internally lists the domain to find the highest change_date of all records within the zone and uses that as the zone serial number. This means the serial number is raised whenever changes are made to the zone, as long as the change_date field is being set.
dn: dc=example,ou=dns,dc=EXAMPLE,dc=org
objectClass: dnsDomain
objectClass: domainrelatedobject
dc: example
soarecord: main.example.com hostmaster@mail.EXAMPLE.org 0 1800 3600 604800 84600
nsrecord: georges.EXAMPLE.org
mxrecord: 10 winnifred.EXAMPLE.org
associateddomain: EXAMPLE.org
Host Record
dn: dc=roger,dc=example,ou=dns,dc=EXAMPLE,dc=org
objectclass: top
objectclass: dnsdomain
objectclass: domainrelatedobject
dc: roger
arecord: 192.168.1.2
associateddomain: roger.EXAMPLE.org
Alias (CNAME/PTR) Record
# Other names for roger.EXAMPLE.org
dn: dc=roger-aliases,dc=EXAMPLE,ou=dns,dc=EXAMPLE,dc=org
objectclass: top
objectclass: dnsdomain
objectclass: domainrelatedobject
dc: roger-aliases
cnamerecord: roger.EXAMPLE.org
associateddomain: time.EXAMPLE.org
associateddomain: mail.EXAMPLE.org
associateddomain: winnifred.EXAMPLE.org
associateddomain: news.EXAMPLE.org
SRV Record
SRV records are commonly used to tell clients which servers provide a certain service (in this example, an XMPP server).
You will need the dnsdomain2.schema here to use this entry. The schema should be included in the Debian package.
The sRVRecord attribute expects the fields <WEIGHT> <PRIORITY> <PORT> <TARGET>, in this order.
dn: dc=srv-records,dc=EXAMPLE,ou=dns,dc=EXAMPLE,dc=org
objectClass: dNSDomain
objectClass: dNSDomain2
objectClass: domain
objectClass: domainRelatedObject
objectClass: top
associatedDomain: _jabber._tcp.EXAMPLE.com
dc: srv-records
sRVRecord: 5 0 5269 jabber.example.com
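The SOA, Host, Alias and SRV sections above each show one hand-written entry, and a mistake in them (a missing field, a CNAME that also carries an A record, an SRV entry without the dnsdomain2 objectClass) is accepted by ldapadd and only shows up as a name that does not resolve. The following added example, which is not code from the page or from PowerDNS, builds those four kinds of entry in the layout the page uses, renders them as LDIF for ldapadd, and checks the field counts the page gives (soarecord: 7 fields, sRVRecord: 4 fields). The sample zone data is constructed from the page's example.com entries. Note that RFC 2782 orders SRV data as priority, weight, port, target, while the page lists weight before priority; the checker only requires the first three fields to be numeric, so it holds either way.

```python
"""Builder and sanity checker for PowerDNS LDAP backend LDIF entries.

Added example, not code from the page or from PowerDNS. Attribute names
are compared case-insensitively, as LDAP does.
"""
from __future__ import annotations

Entry = list[tuple[str, str]]   # ordered (attribute, value) pairs; the first pair is the dn


def dns_dn(base_dn: str, *labels: str) -> str:
    """DN layout used by the page: one dc= per label, most specific first.

    dns_dn("ou=dns,dc=example,dc=com", "example", "host1")
      -> "dc=host1,dc=example,ou=dns,dc=example,dc=com"
    """
    return ",".join([f"dc={label}" for label in reversed(labels)] + [base_dn])


def entry(dn: str, dc: str, *records: tuple[str, str], extra_classes: tuple[str, ...] = ()) -> Entry:
    """An entry with the objectclasses every record on the page carries, plus its records."""
    classes = ("top", "dnsdomain", "domainrelatedobject", *extra_classes)
    return [("dn", dn), *(("objectclass", c) for c in classes), ("dc", dc), *records]


def to_ldif(entries: list[Entry]) -> str:
    """Render entries as LDIF: one 'attr: value' per line, blank line between entries."""
    return "\n\n".join("\n".join(f"{attr}: {value}" for attr, value in e) for e in entries) + "\n"


def _values(e: Entry, name: str) -> list[str]:
    return [v for a, v in e if a.lower() == name.lower()]


def validate(e: Entry) -> list[str]:
    """Problems that would make the entry unusable or silently ignored by the backend."""
    dn = _values(e, "dn")[0]
    classes = {c.lower() for c in _values(e, "objectclass")}
    problems: list[str] = []

    for needed in ("dnsdomain", "domainrelatedobject"):
        if needed not in classes:
            problems.append(f"{dn}: missing objectclass {needed}")
    if not _values(e, "associateddomain"):
        problems.append(f"{dn}: no associateddomain, the backend looks records up by that attribute")
    dc = _values(e, "dc")
    if not dc or not dn.lower().startswith(f"dc={dc[0].lower()},"):
        problems.append(f"{dn}: dc attribute must equal the DN's first component")

    # soarecord: primary hostmaster serial refresh retry expire default_ttl
    for soa in _values(e, "soarecord"):
        fields = soa.split()
        if len(fields) != 7 or not all(f.isdigit() for f in fields[2:]):
            problems.append(f"{dn}: soarecord needs 7 fields with numeric serial/refresh/retry/expire/default_ttl, got {soa!r}")

    # sRVRecord: three numeric fields then the target; the attribute comes from dnsdomain2.schema
    for srv in _values(e, "srvrecord"):
        fields = srv.split()
        if len(fields) != 4 or not all(f.isdigit() for f in fields[:3]):
            problems.append(f"{dn}: sRVRecord needs 3 numeric fields and a target, got {srv!r}")
        if "dnsdomain2" not in classes:
            problems.append(f"{dn}: sRVRecord requires objectClass dNSDomain2 from dnsdomain2.schema")

    # A name that is a CNAME may carry no other record data (RFC 1034, section 3.6.2).
    if _values(e, "cnamerecord") and (_values(e, "arecord") or _values(e, "mxrecord")):
        problems.append(f"{dn}: CNAME entries must not also carry A or MX records")
    return problems


def validate_all(entries: list[Entry]) -> list[str]:
    return [p for e in entries for p in validate(e)]


# Constructed from the page's example.com entries.
BASE_DN = "ou=dns,dc=example,dc=com"
SAMPLE_ENTRIES: list[Entry] = [
    entry(dns_dn(BASE_DN, "example"), "example",
          ("soarecord", "host1.example.com hostmaster@mail.example.com 0 1800 3600 604800 84600"),
          ("nsrecord", "host1.example.com"),
          ("mxrecord", "10 mail.example.com"),
          ("associateddomain", "example.com")),
    entry(dns_dn(BASE_DN, "example", "host1"), "host1",
          ("arecord", "192.168.1.2"),
          ("associateddomain", "host1.example.com")),
    entry(dns_dn(BASE_DN, "example", "host1-aliases"), "host1-aliases",
          ("cnamerecord", "host1.example.com"),
          ("associateddomain", "mail.example.com"),
          ("associateddomain", "smtp.example.com")),
    entry(dns_dn(BASE_DN, "example", "srv-records"), "srv-records",
          ("sRVRecord", "5 0 5269 jabber.example.com"),
          ("associateddomain", "_jabber._tcp.example.com"),
          extra_classes=("dnsdomain2",)),
]

if __name__ == "__main__":
    print(to_ldif(SAMPLE_ENTRIES))
    for problem in validate_all(SAMPLE_ENTRIES) or ["all entries pass"]:
        print(problem)
```

Pipe the printed LDIF into the ldapadd command from the Initial Configuration section once validate_all returns nothing; the dc/DN check exists because the page's own entries rely on the dc attribute matching the first RDN.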