Slave DNS with PowerDNS

PowerDNS (pdns) is an open-source authoritative DNS server that works as an alternative to the traditional BIND (named) DNS. At ClouDNS, you can configure Slave DNS in combination with your PowerDNS Master server.

If you need this configuration, please follow the steps below:

Step 1. First, add a Slave/Backup DNS zone in ClouDNS. Go to your Dashboard page and click the DNS zones [Add new] link, then click the Slave/Backup zone box, enter the domain name (without www or http://) and the Master Server's IP, and click the "Add slave" button.

Step 2. Click the "Primary Settings" button, which is located on your Slave DNS zone's management page. You have to allow zone transfer (allow-transfer) and notify (also-notify) at your Master DNS server for ALL listed IP addresses.

Step 3. Now edit the pdns.conf file, which should be located at /etc/powerdns/pdns.conf. You can use the following example:

disable-axfr=no

master=yes

allow-axfr-ips=185.136.96.77, 185.136.97.77, 185.136.98.77, 185.136.99.77, 109.201.133.61, 108.59.2.202, 79.137.84.65, 46.165.221.164, 2a06:fb00:1::1:77, 2a06:fb00:1::2:77, 2a06:fb00:1::3:77, 2a06:fb00:1::4:77, 2a00:1768:1001:9::21, 2604:9a00:2100:a006:4::1, 2001:41d0:401:3100::5784, 2a00:c98:2030:a006:2::1

also-notify=185.136.96.77, 185.136.97.77, 185.136.98.77, 185.136.99.77, 109.201.133.61, 108.59.2.202, 79.137.84.65, 46.165.221.164, 2a06:fb00:1::1:77, 2a06:fb00:1::2:77, 2a06:fb00:1::3:77, 2a06:fb00:1::4:77, 2a00:1768:1001:9::21, 2604:9a00:2100:a006:4::1, 2001:41d0:401:3100::5784, 2a00:c98:2030:a006:2::1

Please note that the "disable-axfr" option must always be set to "no".

Step 4. After your configuration is completed, you must restart the pdns service by using the following command:

$ sudo service pdns restart

Step 5. Finally, you will need to force a zone transfer and an SOA serial update. To do that, add/remove a test record in your Master zone. After that, compare the SOA serials on your Master and Slave zones. If they match, the zone transfer was successful. You must also make sure that the SOA serial at your Master is higher than the SOA serial here at your Slave.

These are all the steps you need to follow. If you have more questions, you can always contact our Technical Support team.
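A check you can run on pdns.conf before the restart in Step 4, added here as an example (it is not ClouDNS or PowerDNS code): it confirms the Step 3 settings and reports any allow-axfr-ips entry other than the listed slave addresses or loopback, since every such entry lets another host pull the full zone. The REQUIRED list and both sample files are constructed, and the code assumes also-notify entries carry no port suffix.

```python
import ipaddress

# Constructed subset of the slave list shown under "Primary Settings".
REQUIRED = ["185.136.96.77", "2a06:fb00:1::1:77"]

def parse_conf(text):
    """Return {setting: value} from pdns.conf text, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def networks(value):
    """Parse a comma-separated address or address/prefix list."""
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.split(",") if v.strip()]

def audit(text, required=REQUIRED):
    """Return a list of findings; an empty list means the file passes."""
    conf, findings = parse_conf(text), []
    if conf.get("disable-axfr", "no") != "no":
        findings.append("disable-axfr must be no")
    if conf.get("master") != "yes":
        findings.append("master must be yes")
    wanted = [ipaddress.ip_address(a) for a in required]
    for key in ("allow-axfr-ips", "also-notify"):
        nets = networks(conf.get(key, ""))
        for addr in wanted:
            if not any(addr in net for net in nets):
                findings.append(f"{key} is missing {addr}")
        if key == "allow-axfr-ips":
            for net in nets:  # anything beyond the slaves can pull the zone
                listed = net.num_addresses == 1 and net.network_address in wanted
                if not (listed or net.is_loopback):
                    findings.append(f"allow-axfr-ips also permits {net}")
    return findings

# Constructed sample files, not taken from a real server.
GOOD = """disable-axfr=no
master=yes
allow-axfr-ips=185.136.96.77, 2a06:fb00:1::1:77
also-notify=185.136.96.77, 2A06:FB00:1:0::1:77
"""
BAD = "disable-axfr=yes\nallow-axfr-ips=0.0.0.0/0\nalso-notify=185.136.96.77\n"

if __name__ == "__main__":
    print("GOOD:", audit(GOOD) or "ok", "| BAD:", audit(BAD))
```

To audit a live server, pass the contents of /etc/powerdns/pdns.conf to audit() with the full address list from "Primary Settings" as the required argument.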

DNSSEC

cPanel only supports DNSSEC with PowerDNS, so you can set up DNSSEC to sync between ClouDNS and PowerDNS without any issues. You only need to patch cPanel to disable NSEC3 Narrow Signing, which prevents PowerDNS from syncing DNSSEC records to ClouDNS. If the Master zone is properly signed and configured, it will be successfully transferred with the DNSSEC keys. Of course, the regular requirements are still valid: the SOA serial number must always be higher when the zone is signed/resigned for the transfer to be made.


Last modified: 2021-07-12