PowerDNS to Resolve DNS Queries not in its Database
I honestly find it hard to believe that I cannot seem to find anything about this on the Internet.
I love cPanel. And I just couldn't resist choosing it over ISPconfig. Please note that this is my first time setting up a DNS server, however, I know how DNS works and I'm familiar with BIND. I also have an NGINX reverse proxy server proxying and providing SSL via Certbot and Let's Encrypt for about 5 servers including our UniFi Cloud Controller. Furthermore, I also have a LibreNMS and phpIPAM server running NGINX and PHP-FPM.
The reason for a cPanel server is primarily to migrate all our web servers to a single server, as I feel it's a waste of resources to run multiple Linux servers, each running its own instance of NGINX. It's just too much unnecessary OS and application overhead.
With that being said, my first challenge is getting DNS to work using PowerDNS. I have created the .local domain, and A records resolve successfully; however, I can't use cPanel as a primary name server, as no other DNS queries will resolve (e.g. google.com). Correct me if I'm wrong, but this is recursive DNS, correct? And from what I can gather from the PowerDNS documentation, it does support it. So how do I get it to work on cPanel's PowerDNS?
P.S. I can get this to work when I switch to BIND and make a few changes in its config file (recursion is now disabled by default); however, the switch caused an issue where one of my zones wouldn't resolve anymore, so I reinstalled and I'm giving PowerDNS one last try before giving up on it.
Hello, what (if any) changes have you already made in the pdns.conf? We do use a BIND backend for pdns and the configuration really shouldn't be much different as far as functionality goes. Otherwise please provide examples of what specifically you've configured/changed thus far as well as what's in the resolv.conf.
Hi Lauren, thank you very much for your reply and for your assistance. I have not made any changes to pdns.conf. Scouring the documentation and forums I did indeed discover that cPanel still uses BIND as a backend for PowerDNS, so the changes I made to named.conf are as follows:

    recursion yes;
    allow-query { 10.0.0.0/8; };
    listen-on { IP.private; };

This works when I use BIND, but not when I use PowerDNS. In fact, if I add the allow-query and listen-on options, PowerDNS completely fails to start. As for my resolv.conf file, it looks like this:

    # Generated by NetworkManager
    nameserver 1.1.1.1
    nameserver 1.0.0.1

Of course, NetworkManager is disabled. Thanks again for your time Lauren, and I look forward to your reply.
Hello, I'm sorry for the delay in response to you. It looks like this might be a bit more complicated but it appears to be doable? I'm not 100% sure on setting this up as a customization but I do believe the pdns configuration can be modified accordingly. Pdns uses authoritative instead of recursion and that's explained in the first link.
@reginald.novacloud It's prob. not obvious, but PDNS is not like BIND. With BIND it's both an authoritative and a resolving/recursive DNS. The PDNS that cPanel installs is only the authoritative part. The resolving/recursive part of PDNS is an entirely different program that has to be installed: Welcome to PowerDNS. If you do want to install it, it's in the EPEL repository. Having said that, why do you want to do that in the first place? You could just use Google's resolvers (8.8.4.4 and 8.8.8.8) or CloudFlare (1.1.1.1 and 1.1.1.2) or the most common, which is to just use the data center's resolvers.
Hi @cPanelLauren, thank you very much for those links! As I'm about to say in my reply to @ffeingol's answer, before I created this post I installed the PowerDNS Recursor on our cPanel server based on this. Fortunately, I kept digging around and finally figured out how to change the listening address to our server's private IP address by specifying it with the local-address setting. Thanks to that discovery, going through the documentation you linked made complete sense the second time around, so I would like to let you know that I have managed to successfully set up PowerDNS as an authoritative DNS for our .local domains and as a recursor for public domains using Cloudflare.

One Last Inquiry

Now Lauren, may I request your knowledge and experience for one final inquiry? As I explained, my goal is to use our cPanel server as a full-fledged web server. This includes using it with NGINX as a reverse proxy, primarily for ZKTeco BioSecurity Windows servers. The reason for using NGINX is that it allows us to serve multiple servers behind one IP address, and thanks to Let's Encrypt and Certbot, I have been able to quickly deploy and effortlessly maintain SSL certificates for them for free. With that being said, what would be the easiest, most user-friendly method of doing this? Please note that I am not requesting this for myself. Unfortunately, I am currently the only person in our company capable of doing this, so while I'm perfectly comfortable doing it all via terminal, I am hoping to simplify the process and document each step so that, should something happen to me, the task can be seamlessly handed over to my replacement. By studying your documentation on NGINX, subdomains and add-on domains, thus far I have been able to successfully reverse proxy a server by doing the following:
- Create a subdomain for the server, e.g. biosecurity.example.com
- Create the necessary A and CNAME records to obtain an SSL certificate via AutoSSL
- SSH into our cPanel server and locate the account's NGINX config file to replace the server block for the subdomain in question with the following configuration, taking care to copy the SSL certificate:

    server {
        listen 443 ssl;
        server_name biosecurity.example.com www.biosecurity.example.com;
        # cPanel keeps certificate and key together in the "combined" file
        ssl_certificate /var/cpanel/ssl/apache_tls/biosecurity.example.com/combined;
        ssl_certificate_key /var/cpanel/ssl/apache_tls/biosecurity.example.com/combined;
        location / {
            proxy_pass http://192.168.0.1:8080;
            proxy_http_version 1.1;
            proxy_cache_bypass $http_upgrade;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Port $server_port;
        }
    }
    server {
        # The redirect conditions must name the subdomain this block serves;
        # otherwise plain-HTTP requests fall through to the 404 below.
        if ($host = www.biosecurity.example.com) {
            return 301 https://$host$request_uri;
        }
        if ($host = biosecurity.example.com) {
            return 301 https://$host$request_uri;
        }
        listen 80;
        server_name biosecurity.example.com www.biosecurity.example.com;
        return 404;
    }

I don't know about you, but I don't think it's a good idea to allow someone solely working off of a document to venture into an NGINX config file crowded with dozens of subdomain server blocks. Unless there's a way to do this via the WebUI, is it at least possible to put each subdomain into its own config file perhaps? Or will I have to try and clean up the account's config file with includes, with the worst-case scenario being to abandon doing this via cPanel altogether and rather just opt for user-defined server blocks for each domain in their own config files via terminal and using Certbot separately to obtain SSL certificates? Looking forward to your reply and thanks again for the help with PowerDNS!
Hi @reginald.novacloud Sorry about the delay in response to you, it's been pretty busy the last couple of days!
[QUOTE] but I don't think it's a good idea to allow someone solely working off of a document to venture into an NGINX config file crowded with dozens of subdomain server blocks.
This being a customization and an experimental feature there wouldn't be a UI for it; my advice would be to always always always create a backup of the file before you make any modification. This is what we do (before I worked in the forums and I was an analyst I almost never looked at the UI, just went straight to configuration files). With that being said, the documentation has instructions for creating includes for both global and individual user customizations and this is definitely the recommended way to do this. I would *not* recommend actually editing the Nginx configuration file as it will inevitably be overwritten.
Hi Lauren, no worries, I completely understand. I do appreciate you getting back to me regardless. Some good news: as it turns out the includes work perfectly! I just had to do a little digging around to find this very handy piece of configuration that allows listening on port 80 and 443 in the same NGINX server block and redirects HTTP to HTTPS at the same time. I thought I'd share my working include file, which will pretty much reverse proxy any request, in case someone else needs it:

    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }
    server_name example.com www.example.com;
    location / {
        proxy_pass http://192.168.0.1:8080;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
    }

Unfortunately, however, as excited as I was when this worked, my excitement faded quickly when I configured the next reverse proxy for a second server and encountered this nasty little error when running AutoSSL:
[QUOTE] DNS DCV: The DNS query to "_cpanel-dcv-test-record.novasec.co.za" for the DCV challenge returned no "TXT" record that matches the value "_cpanel-dcv-test-record=OqvRoqrufUhwz2ZW0UD1KtLZlOO2VzXkDVkHoENuGjFzI8koWTeSGfNA3p6Gy_5b".; HTTP DCV: "cPanel (powered by Sectigo)" forbids DCV HTTP redirections.
As it turns out, AutoSSL won't run with the above return 301 https://$host$request_uri; redirection configured. Not only that, but AutoSSL also fails for service subdomains when using NGINX with the following error:
[QUOTE] DNS DCV: The DNS query to "_cpanel-dcv-test-record.novacloudsa.co.za" for the DCV challenge returned no "TXT" record that matches the value "_cpanel-dcv-test-record=PYUV2b4zl7IsvBrt4oJZDLr8H6g68_fAfA0AZBu7bUBO6VdrszW9zGMIOk30y7WD".; HTTP DCV: The system failed to fetch the DCV (Domain Control Validation) file at " because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) "GET" request to " because of an error: (XID hnpasa) The response exceeded the maximum length (16 KB). ( ") at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 657..
After many hours of scouring the web and trying many fixes myself, I have once again been unable to find a solution for the above errors. cPanel's AutoSSL in partnership with Sectigo is another major reason why I would like to switch to cPanel in favour of Let's Encrypt, especially after the recent vulnerability in their authority code. With that being said, I think it's best if I create a new post for the SSL issues. Thanks again for all the help with PowerDNS, @cPanelLauren. Worst case scenario I'll be opting for the DNSOnly version of cPanel and resort to a pure NGINX server for our hosting and reverse proxying.
@reginald.novacloud That error seems to be specific to the forced redirection to https - can you create an include that allows an exception for the HTTP DCV check to be completed over http? Comodo will not follow redirects which is why this occurs.
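One way to write that exception, as an added example rather than an include from this thread or from cPanel: the validation path is served straight from the docroot over plain HTTP and everything else is redirected from inside the proxied location. The DCV path /.well-known/pki-validation/ and the docroot /home/EXAMPLEUSER/public_html are assumptions; confirm both against the account on your server.

```nginx
# Added example include for a cPanel NGINX server block that listens on
# both 80 and 443. Paths marked as placeholders are assumptions.
server_name biosecurity.example.com www.biosecurity.example.com;

# The CA fetches the DCV file with a plain-HTTP GET and does not follow a
# 301, so this prefix is neither redirected nor proxied to the backend.
# Assumed cPanel DCV path: /.well-known/pki-validation/ (ACME clients use
# /.well-known/acme-challenge/ under the same prefix).
location ^~ /.well-known/ {
    root /home/EXAMPLEUSER/public_html;   # placeholder: the account's docroot
    default_type text/plain;
    try_files $uri =404;
}

location / {
    # Longest-prefix matching sends /.well-known/ to the block above, so
    # only application traffic is forced to HTTPS here. A bare "return"
    # inside "if" is the one form nginx documents as safe.
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }

    proxy_pass http://192.168.0.1:8080;
    proxy_http_version 1.1;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Port $server_port;
}
```

Because the validation path is answered from the document root instead of the proxied application, the backend can no longer reply to the DCV GET with a full page, which is what the "response exceeded the maximum length (16 KB)" error above describes.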
[QUOTE] Fortunately, I kept digging around and finally figured out how to change the listening address to our server's private IP address by specifying it with the local-address setting. Thanks to that discovery, going through the documentation you linked made complete sense the second time around, so I would like to let you know that I have managed to successfully set up PowerDNS as an authoritative DNS for our .local domains and as a recursor for public domains using Cloudflare.
@reginald.novacloud and @cPanelLauren I would appreciate some help in configuring the recursor. I have been trying to configure PowerDNS recursor on a cPanel server. But specifying local address as 127.0.0.1 makes the recursor fail. This has been configured on a stock cPanel configuration:

    # nano -w /etc/pdns-recursor/recursor.conf
    local-address=127.0.0.1
    # systemctl restart pdns-recursor
    Job for pdns-recursor.service failed because the control process exited with error code. See "systemctl status pdns-recursor.service" and "journalctl -xe" for details.

It starts when I use a different port, but recursion is not working:

    # nano -w /etc/pdns-recursor/recursor.conf
    local-address=127.0.0.1:5300
    # systemctl restart pdns-recursor
    #
    # systemctl status pdns-recursor
    Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; disabled; vendor preset: disabled)
    Active: active (running) since Tue 2022-08-09 23:40:08 UTC; 1min 6s ago
    # host -t TXT google.com 127.0.0.1
    Host google.com not found: 5(REFUSED)
@Dhrupodi - I'm not sure I much I'll be able to add to this, since this isn't a function that is built-in to the cPanel or WHM tools. When I tested this on my end and performed the restart, I see these entries in the Journal logs, indicating it was trying to start on the same port. Although you already discovered this, I wanted to share the log entries for clarity: Aug 10 13:29:38 10-2-35-244.cprapid.com pdns_recursor[3567276]: Exception: Resolver binding to server socket on port 53 for 127.0.0.1: Address already in use Aug 10 13:29:38 10-2-35-244.cprapid.com systemd[1]: pdns-recursor.service: Main process exited, code=exited, status=1/FAILURE Aug 10 13:29:38 10-2-35-244.cprapid.com systemd[1]: pdns-recursor.service: Failed with result 'exit-code'.
However, that seems to be the intended behavior from what I am reading. Since it is a different service, it needs to bind to a different port.0 -
@cPRex thanks a lot for your continued support. The port needed to be specified in local-port.
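Putting the thread's pieces together, here is an added example recursor.conf (not a file from the thread or from cPanel) for a PowerDNS Recursor that runs beside cPanel's authoritative PowerDNS, which already holds port 53 on every address: the alternate port goes in local-port, the internal zone is forwarded to the authoritative server, and public names go to Cloudflare as in the working setup above. The zone name example.local and the 10.0.0.0/8 client range are assumptions.

```ini
# Added example: /etc/pdns-recursor/recursor.conf for a recursor next to
# cPanel's authoritative pdns (which listens on *:53). Placeholders are
# marked; replace them with your own zone and network.

# Bind to loopback only and take the alternate port from local-port, as
# the thread found, instead of appending :5300 to local-address.
local-address=127.0.0.1
local-port=5300

# Answer only this host and the private LAN (assumed 10.0.0.0/8). A
# recursor reachable from the Internet is an open resolver and gets
# abused for reflection and amplification attacks.
allow-from=127.0.0.0/8, 10.0.0.0/8

# Hand the internal zone (placeholder name) to the authoritative server
# on the same host. forward-zones sends the query without the recursion
# flag, which is what an authoritative server expects.
forward-zones=example.local=127.0.0.1:53

# Everything else is forwarded, with recursion requested, to Cloudflare.
forward-zones-recurse=.=1.1.1.1;1.0.0.1

# Keep per-query logging off in normal operation.
quiet=yes
```

Test it against the port explicitly (dig -p 5300 @127.0.0.1 google.com), since a query to 127.0.0.1 with no port reaches the authoritative server on 53, which refuses names it is not authoritative for. resolv.conf cannot name a port, so for the host's own lookups either move the authoritative server onto the private IP with local-address in pdns.conf (as the original poster did) and run the recursor on 127.0.0.1:53, or put dnsdist in front of both.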
I'm glad that's all it took!
I'd love to see support for PowerDNS Recursor native in WHM/cPanel. It's great that PowerDNS became the default, but unfortunately it's only half the job.
[QUOTE] Having said that, why do you want to do that in the first place? You could just use Google's resolvers (8.8.4.4 and 8.8.8.8) or CloudFlare (1.1.1.1 and 1.1.1.2) or the most common, which is to just use the data center's resolvers.
At first glance, that would be fine, but another problem is when you enable or switch to PowerDNS Server (say after removing a local IP from resolver.conf and running PDNS Recursor instead of PDNS Server), your server gets instantly blocked by anti-spam RBL facilities. Crippled antispam protection isn't great (it seems they don't like public nameservers like Google, Cloudflare or even my ISP's name resolver). If you run Recursor like I used to do, it was a pain because every time the VPS restarted the resolver.conf would reset back to the webhost's preference. While that was the case, until I noticed the change, anti-spam was restricted and less efficient. At the moment I'm trying to add the PDNS Recursor but it's not straightforward, even after making sure the port is 953 because PDNS uses 53. I recall trying, without much luck, to use dnsdist, the final part of the PDNS trinity that distributes queries between the PDNS Server and Recursor as needed, but I never could get it to work properly.