
PowerDNS Recursor - Internal DNS Resolver

`PowerDNS Recursor`_ is a high-performance recursive DNS resolver with advanced features including split-horizon DNS, DNS64 for NAT64 environments, and DNSSEC validation.

This appliance includes all the standard features in `TurnKey Core`_, and on top of that:

  • PowerDNS Recursor pre-configured as a recursive DNS resolver with forwarding to public resolvers (1.1.1.1, 1.0.0.1).
  • Split-horizon DNS via auth-zones: override external zones with internal IP addresses for local clients. Ideal for avoiding hairpin NAT — internal clients reach services directly instead of going through the public IP.
  • DNS64 support for IPv6-first/NAT64 environments: synthesizes AAAA records for IPv4-only destinations using the well-known 64:ff9b::/96 prefix.
  • Web stats dashboard (port 443, SSL) showing real-time metrics: cache hit rate, query latency, DNS64 counters, concurrent queries.
  • Zone management helper (pdns-zones) CLI for listing, reloading, and testing auth-zones.
  • Periodic zone reload via cron (every 5 minutes) for CI/CD integration — push zone files via SCP and they auto-activate.
  • Confconsole plugin for easy configuration of allowed networks, upstream forwarders, DNS64 prefix, and auth-zones.
  • DNSSEC validation enabled by default (process mode).
  • Nginx reverse proxy with SSL for the stats API.
  • SSL/TLS support via `Let's Encrypt`_ (confconsole).
  • Webmin_ for server administration (listening on port 12321).

Usage

Split-horizon (internal DNS)::

    # Place your zone files in /etc/powerdns/zones/internal/
    # Then configure auth-zones in /etc/powerdns/recursor.conf:
    auth-zones=pop.coop=/etc/powerdns/zones/internal/pop.coop

    # Or use confconsole: Advanced > PowerDNS Recursor > auth_zones

    # Reload:
    pdns-zones reload

DNS64 (for NAT64 environments)::

    # Enable in recursor.conf:
    dns64-prefix=64:ff9b::/96

    # Or use confconsole: Advanced > PowerDNS Recursor > dns64

    # Requires a NAT64 gateway (e.g., VyOS with jool/tayga)
    # using the same prefix on the network.
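
How the synthesized AAAA address is built from an IPv4 address and the DNS64 prefix, as an added example that is not part of this appliance's code. It follows the RFC 6052 embedding rules for all six permitted prefix lengths, going beyond the /96 case configured above. The function names are hypothetical; ``violates_wkp_scope`` applies the RFC 6052 rule that the well-known prefix must not represent non-global IPv4 addresses, a case to check when split-horizon zones hold internal IPv4 addresses.

```python
# Added example (not the appliance's code): RFC 6052 IPv4-in-IPv6 embedding for DNS64.
import ipaddress

WELL_KNOWN = ipaddress.IPv6Network("64:ff9b::/96")
RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)


def _prefix(prefix):
    net = ipaddress.IPv6Network(prefix)  # strict parsing rejects set host bits
    if net.prefixlen not in RFC6052_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    return net


def synthesize(prefix, ipv4):
    """Embed an IPv4 address in a NAT64 prefix and return the AAAA address."""
    net = _prefix(prefix)
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:  # bits 64-71 are reserved and stay zero
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def extract(prefix, ipv6):
    """Recover the embedded IPv4 address, or None if outside the prefix."""
    net = _prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    raw, pos, v4 = addr.packed, net.prefixlen // 8, bytearray()
    while len(v4) < 4:
        if pos == 8:  # skip the reserved octet when reading back
            pos += 1
        v4.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(v4))


def violates_wkp_scope(prefix, ipv4):
    """True when the well-known prefix would carry a non-global IPv4 address."""
    return _prefix(prefix) == WELL_KNOWN and not ipaddress.IPv4Address(ipv4).is_global


if __name__ == "__main__":
    for v4 in ("1.1.1.1", "10.0.0.5"):  # constructed sample destinations
        print(v4, synthesize("64:ff9b::/96", v4), violates_wkp_scope("64:ff9b::/96", v4))
```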

CI/CD Integration::

    # Push zone files from your pipeline:
    scp dns/internal/zones/pop.coop root@dns01:/etc/powerdns/zones/internal/pop.coop

    # Zones auto-reload every 5 minutes via cron,
    # or force immediate reload:
    ssh root@dns01 "rec_control reload-zones"

Credentials

.. _PowerDNS Recursor: https://www.powerdns.com/recursor.html
.. _TurnKey Core: https://www.turnkeylinux.org/core
.. _Let's Encrypt: https://letsencrypt.org
.. _Webmin: https://www.webmin.com