Comprehensive configuration guidance for PowerDNS Authoritative Server with best practices for production environments. This guide covers essential settings, performance tuning, and security considerations.
PowerDNS configuration files are typically located at:
/etc/powerdns/pdns.conf
/etc/powerdns/pdns.d/ (on Debian/Ubuntu)
/var/run/pdns/
/var/log/pdns/ (if logging to files)
Core server settings:
# Listen addresses (IPv4 and IPv6)
local-address=0.0.0.0,::
local-port=53
# User and group to run as
setuid=pdns
setgid=pdns
# Daemon mode
daemon=yes
# Runtime directory
socket-dir=/var/run/pdns
# Logging level (0-9, higher is more verbose)
loglevel=6
# Logging facility (0-7, corresponds to syslog facilities)
logging-facility=0
Choose and configure your backend:
For MySQL/MariaDB:
launch=gmysql
# MySQL connection settings
gmysql-host=localhost
gmysql-port=3306
gmysql-user=pdns
gmysql-password=your_secure_password
gmysql-dbname=pdns
gmysql-socket=/var/run/mysqld/mysqld.sock
# Connection pool settings
gmysql-pool-connections=10
# SSL settings (recommended for remote connections)
gmysql-ssl=true
gmysql-ssl-ca-file=/path/to/ca.pem
gmysql-ssl-cert-file=/path/to/client-cert.pem
gmysql-ssl-key-file=/path/to/client-key.pem
For PostgreSQL:
launch=gpgsql
# PostgreSQL connection settings
gpgsql-host=localhost
gpgsql-port=5432
gpgsql-user=pdns
gpgsql-password=your_secure_password
gpgsql-dbname=pdns
# Connection pool settings
gpgsql-pool-connections=10
# SSL settings
gpgsql-sslmode=require
For SQLite3:
launch=gsqlite3
# SQLite database file
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
# Synchronous mode (OFF, NORMAL, FULL)
gsqlite3-synchronous=NORMAL
# Journal mode (DELETE, TRUNCATE, PERSIST, MEMORY, WAL, OFF)
gsqlite3-journal-mode=WAL
Enable the REST API and web interface for management:
# Enable the API
api=yes
# API key for authentication (generate with: openssl rand -hex 32)
api-key=your_generated_api_key_here
# Enable the web server
webserver=yes
# Web server binding
webserver-address=127.0.0.1
webserver-port=8081
# Web server password
webserver-password=your_secure_web_password
# Allowed networks for web access (comma-separated)
webserver-allow-from=127.0.0.1,10.0.0.0/8,192.168.0.0/16
# Web server log level (none, normal, detailed)
webserver-loglevel=normal
Enable and configure DNSSEC for enhanced security:
# Enable DNSSEC
enable-dnssec=yes
# DNSSEC algorithm (13=ECDSAP256SHA256, 14=ECDSAP384SHA384, 8=RSASHA256)
default-dnssec-algorithm=13
# Default TTL values
default-ttl=3600
default-soa-ttl=3600
default-max-ttl=86400
# SOA settings
default-soa-expire=604800
default-soa-minimum=3600
default-soa-refresh=10800
default-soa-retry=3600
# Default SOA primary name server and hostmaster address (override for your domain)
default-soa-name=a.misconfigured.dns.server.example.com
default-soa-mail=hostmaster.example.com
Optimize performance for your environment:
# Number of worker threads
threads=4
# Query cache settings
query-cache-ttl=20
query-cache-size=100000
# Packet cache settings
packetcache-ttl=600
packetcache-size=500000
packetcache-servfail-ttl=60
# Database connection settings
gmysql-pool-connections=20
gmysql-pool-name-size=256
# Network settings
reuseport=true
send-root-referral=no
# Security and rate limiting
max-qperq=50
max-queue-length=5000
# AXFR/IXFR settings
xfr-cycle-interval=60
tcp-ranges=53
Enable Lua scripting for dynamic responses:
# Enable Lua records
enable-lua-records=yes
# Lua record cache settings
lua-health-checks-expire-delay=30
Configure different responses based on client subnet:
# Enable views
launch=gmysql,gpgsql # Multiple backends if needed
# Example view configuration would be done via API/database
# Views allow different responses based on client IP
Enable catalog zones for zone management:
# Enable catalog zones (requires backend support)
catalog-zones-enabled=yes
# Allow AXFR from specific IPs
allow-axfr-ips=127.0.0.1,10.0.0.0/8
# Allow from specific networks
allow-from=0.0.0.0/0,::/0
# Zone transfer controls
disable-axfr=no
allow-axfr-without-tsig=no
# Response Rate Limiting (RRL)
# Note: RRL is available in DNSdist, not in the authoritative server directly
# For authoritative server, use:
max-qperq=50
Enable monitoring capabilities:
# Statistics ring buffer size
statistics-ringbuffer-size=10000
# Enable extended statistics
extended-statistics=yes
# Log queries (use carefully in production)
log-dns-details=off
log-dns-queries=off
Before applying configuration changes, validate them:
# Check configuration syntax
pdns_server --config
# Test configuration without starting the service
pdns_server --config-dir=/etc/powerdns --daemon=no --guardian=no
# Verify API connectivity
curl -X GET \
-H "X-API-Key: your_api_key_here" \
http://127.0.0.1:8081/api/v1/servers/localhost
After making changes to the configuration:
# Restart the PowerDNS service
sudo systemctl restart pdns
# Or reload if supported
sudo systemctl reload pdns
# Check service status
sudo systemctl status pdns
# Monitor logs during restart
sudo journalctl -u pdns -f
Validate your configuration with DNS testing tools:
# Test basic functionality
dig @localhost example.com
# Test DNSSEC validation
dig @localhost example.com +dnssec +multiline
# Test API functionality
curl -X GET \
-H "X-API-Key: your_api_key_here" \
http://127.0.0.1:8081/api/v1/servers/localhost/zones
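As an added example (not part of the original guide or of PowerDNS itself), a small Python lint pass over a pdns.conf that flags the weak values this guide warns about: an api-key still set to the placeholder, a web interface not bound to loopback, and a /0 entry in webserver-allow-from or allow-axfr-ips. The parser, the sample config and the placeholder key names are assumptions made here; the key names follow the settings shown above.

```python
import ipaddress

# Constructed sample pdns.conf (not from the guide) with weak settings left in.
SAMPLE_CONF = """\
api=yes
api-key=your_generated_api_key_here   # placeholder never replaced
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=0.0.0.0/0
allow-axfr-ips=0.0.0.0/0,127.0.0.1
"""
PLACEHOLDER_KEYS = {"", "your_generated_api_key_here", "your_generated_api_key"}

def parse_pdns_conf(text):
    """key=value lines; '#' starts a comment; a repeated key keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def _on(conf, key):
    return conf.get(key, "no").strip().lower() in {"yes", "true", "on", "1"}

def _acl_is_wide_open(acl):
    """True if a comma-separated address list has a /0 entry (any source)."""
    for entry in acl.split(","):
        try:
            if ipaddress.ip_network(entry.strip(), strict=False).prefixlen == 0:
                return True
        except ValueError:  # not an IP or CIDR, ignore
            pass
    return False

def lint_pdns_conf(text):
    """Return findings for the settings this guide calls out."""
    conf, findings = parse_pdns_conf(text), []
    if _on(conf, "api") and conf.get("api-key", "") in PLACEHOLDER_KEYS:
        findings.append("api-key: empty or still the placeholder while api=yes")
    web_addr = conf.get("webserver-address", "127.0.0.1")
    if _on(conf, "webserver") and not ipaddress.ip_address(web_addr).is_loopback:
        findings.append("webserver-address: API/web UI not bound to loopback")
    if _acl_is_wide_open(conf.get("webserver-allow-from", "127.0.0.1")):
        findings.append("webserver-allow-from: web access allowed from any source")
    if _acl_is_wide_open(conf.get("allow-axfr-ips", "")):
        findings.append("allow-axfr-ips: zone transfers allowed from any source")
    return findings
```

Running it on a real file is just `lint_pdns_conf(open("/etc/powerdns/pdns.conf").read())`; an empty list means none of these four checks fired.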
A complete example configuration that brings the settings above together:
# PowerDNS Production Configuration
# /etc/powerdns/pdns.conf
# Basic server settings
local-address=0.0.0.0,::
local-port=53
setuid=pdns
setgid=pdns
daemon=yes
socket-dir=/var/run/pdns
loglevel=6
logging-facility=0
# Backend (choose one)
launch=gmysql
gmysql-host=localhost
gmysql-user=pdns
gmysql-password=your_secure_password
gmysql-dbname=pdns
gmysql-pool-connections=20
# API and web interface
api=yes
api-key=your_generated_api_key
webserver=yes
webserver-address=127.0.0.1
webserver-port=8081
webserver-password=your_secure_web_password
webserver-allow-from=127.0.0.1
# DNSSEC
enable-dnssec=yes
default-dnssec-algorithm=13
# Performance
threads=4
reuseport=true
query-cache-ttl=20
query-cache-size=100000
# Security
allow-axfr-ips=127.0.0.1
max-qperq=50