PowerDNS Configuration Requirements

On each server that you prepared, install and configure PowerDNS so that the following requirements are met:

Note: To learn how to install and configure PowerDNS, please refer to its documentation.

  1. The PowerDNS Authoritative service is installed.

  2. The backend of the PowerDNS Authoritative service is installed.

  3. The service is configured to use the required backend.

  4. The service and its backend are configured to start automatically.

  5. The service uses a public IP address. For example:

    /etc/pdns/pdns.conf
    ...
    local-address=PUBLIC_IP_ADDRESS_OF_POWERDNS_SERVER
    ...
  6. The service can act as a primary or secondary DNS server. For example:

    /etc/pdns/pdns.conf
    ...
    master=yes
    slave=yes
    ...
  7. DNS zone transfer is allowed between primary and secondary PowerDNS servers. For example:

    /etc/pdns/pdns.conf
    ...
    disable-axfr=no
    allow-axfr-ips=PUBLIC_IP_ADDRESS_OF_POWERDNS_SERVER_1,PUBLIC_IP_ADDRESS_OF_POWERDNS_SERVER_2
    ...
  8. The REST API of the service is enabled and uses the 127.0.0.1 IP address. For example:

    /etc/pdns/pdns.conf
    ...
    api=yes
    api-key=REST_API_KEY
    webserver-address=127.0.0.1
    webserver-port=8081
    webserver-allow-from=127.0.0.1
    ...
  9. The service and its backend are running.
  10. HTTPS access to the REST API of the service is configured:

    • An HTTPS proxy is installed and configured on the server. It uses a private IP address configured on the server and proxies connections to the REST API.

    • This HTTPS proxy uses an SSL certificate that contains the private IP address of the server in its Subject Alternative Name (SAN).

    For example, you can generate such an SSL certificate in the following way:

    1. Generate a self-signed certificate:

      openssl genrsa -out ca.key 2048
      openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt
      
    2. Generate a certificate that contains the required private IP address in its SAN and sign it with the certificate you created in step 1.

      openssl req -newkey rsa:2048 -nodes -keyout cert.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.example.com" -out cert.csr
      openssl x509 -req -extfile <(printf "subjectAltName=IP:PRIVATE_IP_ADDRESS_OF_POWERDNS_SERVER") -days 365 -in cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cert.crt

    For example, you can install NGINX on the server and configure it to proxy connections:

    1. Install NGINX:

      yum install nginx -y
    2. Disable the default server in /etc/nginx/nginx.conf by commenting out its server block:

      #    server {
      #        listen       80;
      #        listen       [::]:80;
      #        server_name  _;
      #        root         /usr/share/nginx/html;
      #
      #        # Load configuration files for the default server block.
      #        include /etc/nginx/default.d/*.conf;
      #
      #        error_page 404 /404.html;
      #        location = /404.html {
      #        }
      #
      #        error_page 500 502 503 504 /50x.html;
      #        location = /50x.html {
      #        }
      #    }
    3. Place your SSL certificate, which contains the private IP address of the server in its SAN, and its private key (cert.crt and cert.key) in /etc/nginx/.

    4. Create /etc/nginx/conf.d/powerdns.conf:

      server {
       
        listen 443 ssl;
       
        ssl_certificate /etc/nginx/cert.crt;
        ssl_certificate_key /etc/nginx/cert.key;
       
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;
       
        access_log /var/log/nginx/powerdns.access.log;
       
        location / {
       
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
       
          proxy_pass http://127.0.0.1:8081;
          proxy_read_timeout 90;
       
          proxy_redirect http://127.0.0.1:8081 https://PRIVATE_IP_ADDRESS_OF_POWERDNS_SERVER;
        }
      }
    5. Configure NGINX to start automatically:

      systemctl enable nginx
    6. Start NGINX and check its status:

      systemctl start nginx
      systemctl status nginx
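The following script is an added example, not part of the original page: it performs the certificate steps from item 10 above as a shell function and then checks, before the files are handed to NGINX, that the resulting certificate really carries the private IP address in its SAN and is signed by the generated CA. It uses a temporary extfile instead of process substitution so it runs under plain sh; the directory, the private IP address and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page). Generates ca.key/ca.crt and
# cert.key/cert.crt in directory $1 with IP SAN $2, following the page's steps.
gen_san_cert() {
  dir="$1"; ip="$2"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$dir/ca.key" \
    -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" \
    -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/cert.key" \
    -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.example.com" \
    -out "$dir/cert.csr" 2>/dev/null
  # Temporary extfile instead of <(printf ...) so this works in POSIX sh.
  printf 'subjectAltName=IP:%s\n' "$ip" > "$dir/san.ext"
  openssl x509 -req -extfile "$dir/san.ext" -days 365 -in "$dir/cert.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/cert.crt" 2>/dev/null
}

# Return 0 if certificate file $1 lists exactly IP $2 in its subjectAltName.
# Dots in the IP are escaped so 10.0.0 does not match 10.0.0.5.
cert_has_ip_san() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -qE "IP Address:${esc}([^0-9.]|$)"
}

# Return 0 if certificate $2 chains to CA certificate $1.
cert_signed_by_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# After NGINX is up: fetch the certificate the proxy actually serves on
# https://$1:443 and check it contains IP SAN $2 (post-deployment check).
proxy_cert_has_ip_san() {
  tmp=$(mktemp)
  openssl s_client -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$tmp" 2>/dev/null
  cert_has_ip_san "$tmp" "$2"; rc=$?
  rm -f "$tmp"; return $rc
}

# Usage (constructed values): generate into a temp dir and verify the SAN.
if [ "$1" = "--demo" ]; then
  d=$(mktemp -d); gen_san_cert "$d" 10.0.0.5
  cert_has_ip_san "$d/cert.crt" 10.0.0.5 && echo "SAN ok"
  cert_signed_by_ca "$d/ca.crt" "$d/cert.crt" && echo "chain ok"
  rm -rf "$d"
fi
```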

Note: After you prepare the server, check that the Operations Support System (oss) component can connect to the PowerDNS REST API of that server. To do this, execute this command in an OSS pod of your Kubernetes cluster:

    curl -v -k -H 'X-API-Key: REST_API_KEY' https://PRIVATE_IP_ADDRESS_OF_POWERDNS_SERVER/api/v1/servers/localhost
