Chapter 12. PowerDNS resolver/recursing nameserver

The PowerDNS recursor is part of the source tarball of the main PowerDNS distribution, but it is released separately. Starting from the version 3.0 pre-releases, there are zero known bugs or issues with the recursor. It is known to power the resolving needs of over 2 million internet connections.

The documentation below is only for the 3.0 series, users of older versions are urged to upgrade!

Notable features:

The PowerDNS recursor is controlled and queried using the rec_control tool.

12.1. pdns_recursor settings

At startup, the recursing nameserver reads the file recursor.conf from the configuration directory, often /etc/powerdns or /usr/local/etc. Each setting below can appear on the command line, prefixed by '--', or in the configuration file. The command line overrides the configuration file.

A switch can be set to on simply by passing it, like '--daemon', and turned off explicitly by '--daemon=off' or '--daemon=no'.

The following settings can be configured:

aaaa-additional-processing

If turned on, the recursor will attempt to add AAAA IPv6 records to questions for MX records and NS records. Can be quite slow as absence of these records in earlier answers does not guarantee their non-existance. Can double the amount of queries needed. Off by default.

allow-from

Comma separated netmasks (both IPv4 and IPv6) that are allowed to use the server. The default allows access only from RFC 1918 private IP addresses, like 10.0.0.0/8. Due to the agressive nature of the internet these days, it is highly recommended to not open up the recursor for the entire internet. Questions from IP addresses not listed here are ignored and do not get an answer.

auth-can-lower-ttl

Authoritative zones can transmit a TTL value that is lower than that specified in the parent zone. This is called a 'delegation inconsistency'. To follow RFC 2181 paragraphs 5.2 and 5.4 to the letter, enable this feature. This will mean a slight deterioration of performance, and it will not solve any problems, but does make the recursor more standards compliant. Not recommended unless you have to tick an 'RFC 2181 compliant' box. Off by default.

auth-zones

Comma separated list of 'zonename=filename' pairs. Zones read from these files are served authoritatively. Example: auth-zones= ds9a.nl=/var/zones/ds9a.nl, powerdns.com=/var/zones/powerdns.com. Available since 3.1.

chroot

If set, chroot to this directory for more security. See Chapter 7.

client-tcp-timeout

Time to wait for data from TCP clients. Defaults to 2 seconds.

config-dir

Directory where the configuration file can be found.

daemon

Operate in the background, which is the default.

delegation-only

A Verisign special.

dont-query

The DNS is a public database, but sometimes contains delegations to private IP addresses, like for example 127.0.0.1. This can have odd effects, depending on your network, and may even be a security risk. Therefore, since version 3.1.5, the PowerDNS recursor by default does not query private space IP addresses. This setting can be used to expand or reduce the limitations.

export-etc-hosts

If set, this flag will export the host names and IP addresses mentioned in /etc/hosts. Available since 3.1.

fork

If running on an SMP system with enough memory, this feature forks PowerDNS so it benefits from two processors. Experimental. Renames controlsockets, so care is needed to connect to the right one using rec_control, using --socket-pid.

forward-zones

Comma separated list of 'zonename=IP' pairs. Queries for zones listed here will be forwarded to the IP address listed. forward-zones= ds9a.nl=213.244.168.210, powerdns.com=127.0.0.1. Available since 3.1.

forward-zones-file

Same as forward-zones, parsed from a file. Only 1 zone is allowed per line, specified as follows: ds9a.nl=213.244.168.210. Available since 3.1.5.

hint-file

If set, the root-hints are read from this file. If unset, default root hints are used. Available since 2.9.19.

local-address

Local IPv4 or IPv6 addresses to bind to, comma separated. Defaults to only loopback. Addresses can also contain port numbers, for IPv4 specify like this: 1.2.3.4:5300, for IPv6: [::1]:5300. Port specifications are available since 3.1.2.

local-port

Local port (singular) to bind to. Defaults to 53.

log-common-errors

Some DNS errors occur rather frequently and are no cause for alarm. Logging these is on by default.

logging-facility

If set to a digit, logging is performed under this LOCAL facility. See Section 6.3>. Available from 3.1.3 and onwards. Do not pass names like 'local0'!

max-cache-entries

Maximum number of cache entries. 1 million will generally suffice for most installations.

max-negative-ttl

A query for which there is authoritatively no answer is cached to quickly deny a record's existence later on, without putting a heavy load on the remote server. In practice, caches can become saturated with hundreds of thousands of hosts which are tried only once. This setting, which defaults to 3600 seconds, puts a maximum on the amount of time negative entries are cached.

max-tcp-clients

Maximum number of simultaneous incoming TCP connections allowed. Defaults to 128. Available since 2.9.18.

max-tcp-per-client

Maximum number of simultaneous incoming TCP connections allowed per client (remote IP address). Defaults to 0, which means unlimited.

query-local-address

Send out local queries from this address. Useful for anycast.

query-local-address6

Send out local IPv6 queries from this address. Disabled by default, which also disables outgoing IPv6 support. A useful setting is ::0.

quiet

Don't log queries. On by default.

remotes-ringbuffer-entries

Number of entries in the remotes ringbuffer, which keeps statistics on who is querying your server. Can be read out using rec_control top-remotes. Defaults to 0.

serve-rfc1918

On by default, this makes the server authoritatively aware of: 10.in-addr.arpa, 168.192.in-addr.arpa, 16-31.172.in-addr.arpa, which saves load on the AS112 servers. Individual parts of these zones can still be loaded or forwarded.

server-id

The PowerDNS recursor by replies to a query for 'id.server' with its hostname, useful for in clusters. Use this setting to override the answer it gives.

setgid, setuid

PowerDNS can change its user and group id after binding to its socket. Can be used for better security.

socket-dir

Where to store the control socket. This option also works with the controller, rec_control.

spoof-nearmiss-max

If set to non-zero, PowerDNS will assume it is being spoofed after seeing this many answers with the wrong id. Defaults to 20.

trace

If turned on, output impressive heaps of logging. May destroy performance under load.

version

Print version of this binary. Useful for checking which version of the PowerDNS recursor is installed on a system. Available since 3.1.5.

version-string

By default, PowerDNS replies to the 'version.bind' query with its version number. Security concious users may wish to override the reply PowerDNS issues.