PowerDNS to Resolve DNS Queries not in its Database

Operating System & Version
CentOS 7.7
cPanel & WHM Version
11.86.0.16
Mar 30, 2020
6
3
3
Gauteng, South Africa
cPanel Access Level
Root Administrator
I honestly find it hard to believe that I cannot seem to find anything about this on the Internet.

I love cPanel. And I just couldn’t resist choosing it over ISPconfig. Please note that this is my first time setting up a DNS server, however, I know how DNS works and I’m familiar with BIND. I also have an NGINX reverse proxy server proxying and providing SSL via Certbot and Let’s Encrypt for about 5 servers including our UniFi Cloud Controller. Furthermore, I also have a LibreNMS and phpIPAM server running NGINX and PHP-FPM.

The reason for a cPanel server is to primarily migrate all our web servers to a single server, as I feel it’s a waste of resources to run multiple Linux servers with each running their own instance of NGINX. It’s just too much unnecessary OS and application overhead.

With that being said, my first challenge is getting DNS to work using PowerDNS. I have created the .local domain, and A records resolve successfully, however, I can’t use cPanel as a primary name server, as no other DNS queries will resolve (for e.g. google.com). Correct me if I’m wrong, but this is recursive DNS, correct? And from what I can gather by going through the PowerDNS documentation, is that it does support it. So how do I get it to work on cPanel’s PowerDNS?

P.S. I can get this to work when I switch to BIND and make a few changes in its config file (recursion is now disabled by default), however, the switch caused an issue where one of my zones wouldn’t resolve anymore, so I reinstalled and I’m giving PowerDNS one last try before giving up on it.

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
Hello,


What (if any) changes have you already made in the pdns.conf? We do use a bind backend for pdns and the configuration really shouldn't be much different as far as functionality goes.



Otherwise please provide examples of what specifically you've configured/changed thus far as well as what's in the resolv.conf
reginald.novacloud (Root Administrator)
Hi Lauren,

Thank you very much for your reply and for your assistance.

I have not made any changes to pdns.conf. Scouring the documentation and forums I did indeed discover that cPanel still uses BIND as a backend for PowerDNS, so the changes I made to named.conf are as follows:

Code:
recursion yes;
allow-query { 10.0.0.0/8; };
listen-on { IP.private; };
This works when I use BIND, but not when I use PowerDNS. In fact, if I add the allow-query and listen-on options, PowerDNS completely fails to start.

As for my resolv.conf file, it looks like this:

Code:
# Generated by NetworkManager
nameserver 1.1.1.1
nameserver 1.0.0.1
Of course, NetworkManager is disabled.

Thanks again for your time Lauren, and I look forward to your reply.

cPanelLauren (Product Owner, Staff member)
Hello,

I'm sorry for the delay in response to you. It looks like this might be a bit more complicated but it appears to be doable? I'm not 100% sure on setting this up as customizations but I do believe the pdns configuration can be modified accordingly. Pdns uses authoritative instead of recursion and that's explained in the first link.

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
631
207
343
cPanel Access Level
DataCenter Provider
@reginald.novacloud It's prob. not obvious, but PDNS is not like bind. With bind it's both an authoritative and resolving/recursive DNS. The PDNS that cPanel installs is only the authoritative part. The resolving/recursive part of PDNS is an entirely different program that has to be installed: Welcome to PowerDNS. If you do want to install it, it's in the EPEL repository.

Having said that, why do you want to do that in the first place? You could just use Google's resolvers (8.8.4.4 and 8.8.8.8) or CloudFlare (1.1.1.1 and 1.1.1.2) or the most common, which is to just use the data center's resolvers.
reginald.novacloud (Root Administrator)
Hi @cPanelLauren,

Thank you very much for those links! As I’m about to say in my reply to @ffeingol's answer, before I created this post I installed the PowerDNS Recursor on our cPanel server based on this post, however, the OP said it would “work out of the box,” so when it didn’t, and because all the low-level workings and configuration thereof were quite new to me (as I said, this is my first time setting up a DNS server), I just thought it best to reach out to the forums as I was unable to find a post or guide that applied to our scenario.

Fortunately, I kept digging around and finally figured out how to change the listening address to our server’s private IP address by specifying it with the local-address setting. Thanks to that discovery, going through the documentation you linked made complete sense the second time around, so I would like to let you know that I have managed to successfully set up PowerDNS as an authoritative DNS for our .local domains and as a recursor for public domains using Cloudflare.

One Last Inquiry

Now Lauren, may I request your knowledge and experience for one final inquiry? As I explained, my goal is to use our cPanel server as a full-fledged web server. This includes using it with NGINX as a reverse proxy primarily for ZKTeco BioSecurity Windows servers. The reason for using NGINX is because it allows us to serve multiple servers behind one IP address, and thanks to Let’s Encrypt and Certbot, I have been able to quickly deploy and effortlessly maintain SSL certificates for them for free.

With that being said, what would be the easiest, most user-friendly method of doing this? Please note that I am not requesting this for myself. Unfortunately, I am currently the only person in our company capable of doing this, so while I’m perfectly comfortable doing it all via terminal, I am hoping to simplify the process and document each step so that should something happen to me, the task can be seamlessly handed over to my replacement.

By studying your documentation on NGINX, subdomain and add-on domains, thus far I have been able to successfully reverse proxy a server by doing the following:
  1. Create a subdomain for the server, e.g. biosecurity.example.com
  2. Create the necessary A and CNAME records to obtain an SSL certificate via AutoSSL
  3. SSH into our cPanel server and locate the account’s NGINX config file to replace the server block for the subdomain in question with the following configuration, taking care to copy the SSL certificate:
Code:
server {

    listen 443 ssl;
    server_name biosecurity.example.com www.biosecurity.example.com;

    # cPanel stores the certificate chain and key together in one combined file
    ssl_certificate /var/cpanel/ssl/apache_tls/biosecurity.example.com/combined;
    ssl_certificate_key /var/cpanel/ssl/apache_tls/biosecurity.example.com/combined;

    location / {

        # Backend on the private network; Upgrade/Connection headers allow WebSockets
        proxy_pass http://192.168.0.1:8080;
        proxy_http_version  1.1;
        proxy_cache_bypass  $http_upgrade;

        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  $server_port;

    }

}

server {

    # Plain-HTTP listener: redirect the proxied subdomain to HTTPS, anything else gets 404.
    # The host names here must match the server_name below, otherwise the redirect never fires.
    if ($host = www.biosecurity.example.com) {
        return 301 https://$host$request_uri;
    }

    if ($host = biosecurity.example.com) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    server_name biosecurity.example.com www.biosecurity.example.com;
    return 404;

}
I don't know about you, but I don’t think it’s a good idea to allow someone solely working off of a document to venture into an NGINX config file crowded with dozens of subdomain server blocks.

Unless there’s a way to do this via the WebUI, is it at least possible to put each subdomain into its own config file perhaps? Or will I have to try and clean up the account’s config file with includes, with the worst-case scenario being to abandon doing this via cPanel altogether and rather just opt for user-defined server blocks for each domain in their own config files via terminal and using Certbot separately to obtain SSL certificates?

Looking forward to your reply and thanks again for the help with PowerDNS!
reginald.novacloud (Root Administrator)
Hi @ffeingol,

Indeed, as I explained in my reply to @cPanelLauren, apart from PowerDNS being able to use a database for its backend (which is, in fact, the reason why I discovered PowerDNS in the first place even before cPanel), I soon realised the separation of authoritative and recursor services as well. From a security point of view, I think this was an excellent move. Thanks for the link and the note on EPEL repository. Much appreciated.

To answer your question, we are using WireGuard as a VPN and, unfortunately, it doesn’t yet support DNS suffixes/search domains in its config file. This creates a problem as it creates and destroys a network adapter upon each activation and deactivation, so even if you specify a suffix in the adapter’s IPv4 settings, if you ever need to restart the client, those settings are lost. For this reason, we need to be able to use our cPanel DNS server as our primary DNS server to resolve our own private .local domains as well as public domains.
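The split that @ffeingol describes (authoritative PowerDNS from cPanel, a separate pdns-recursor from EPEL) and the local-address / Cloudflare forwarding setup the thread ends up with can be written down as two small config fragments. This is an added example, not configuration from the thread or from cPanel; every address is a placeholder (203.0.113.10 stands for the server's public IP, 10.0.0.5 for its private IP, corp.local for the internal zone), and the file paths are the package defaults on CentOS 7.

```ini
# Added example: authoritative PowerDNS and PowerDNS Recursor side by side on
# one host. Both want port 53, so each is bound to a different address.

# --- /etc/pdns/pdns.conf (authoritative server, the package cPanel installs) ---
# Bind the authoritative side to the public IP only, leaving the private IP free.
local-address=203.0.113.10
local-port=53

# --- /etc/pdns-recursor/recursor.conf (pdns-recursor from EPEL) ---
# Listen only on the private IP that LAN/VPN clients point their resolver at.
local-address=10.0.0.5
local-port=53

# Answer only the internal network. A recursor reachable from the Internet is an
# open resolver and gets used for reflection/amplification traffic.
allow-from=127.0.0.0/8, 10.0.0.0/8

# Hand the internal zone straight to the authoritative server instead of asking
# the public root servers (which know nothing about corp.local).
forward-zones=corp.local=203.0.113.10:53

# Everything else: forward with recursion to Cloudflare, as the thread does.
forward-zones-recurse=.=1.1.1.1;1.0.0.1
```

After restarting both services, `dig @10.0.0.5 host.corp.local` should be answered from the authoritative data and `dig @10.0.0.5 google.com` through Cloudflare, while the public IP keeps answering only for the zones it is authoritative for. One caveat worth knowing before standardising on a .local suffix: RFC 6762 reserves .local for multicast DNS, so clients running Avahi, Bonjour or systemd-resolved with mDNS enabled may resolve those names on the local link and never ask this recursor at all.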

cPanelLauren (Product Owner, Staff member)
Hi @reginald.novacloud

Sorry about the delay in response to you; it's been pretty busy the last couple of days!

but I don’t think it’s a good idea to allow someone solely working off of a document to venture into an NGINX config file crowded with dozens of subdomain server blocks.
This being a customization and an experimental feature there wouldn't be a UI for it; my advice would be to always always always create a backup of the file before you make any modification. This is what we do (before I worked in the forums, when I was an analyst, I almost never looked at the UI and just went straight to configuration files).

With that being said, the documentation has instructions for creating includes for both global and individual user customizations and this is definitely the recommended way to do this. I would *not* recommend actually editing the Nginx configuration file as it will inevitably be overwritten.
reginald.novacloud (Root Administrator)
Hi Lauren,

No worries, I completely understand. I do appreciate you getting back to me regardless.

Some good news: as it turns out the includes work perfectly! I just had to do a little digging around to find this very handy piece of configuration that allows listening on port 80 and 443 in the same NGINX server block and redirecting HTTP to HTTPS at the same time. I thought I’d share my working include file, which will pretty much reverse proxy any request, in case someone else needs it:

Code:
# Server-level redirect: every plain-HTTP request on this vhost goes to HTTPS
if ($scheme = http) {
    return 301 https://$host$request_uri;
}

server_name example.com www.example.com;

location / {

    # Backend on the private network; Upgrade/Connection headers allow WebSockets
    proxy_pass http://192.168.0.1:8080;
    proxy_http_version  1.1;
    proxy_cache_bypass  $http_upgrade;

    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        "upgrade";
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;

}
Unfortunately, however, as excited as I was when this worked, my excitement faded quickly when I configured the next reverse proxy for a second server and encountered this nasty little error when running AutoSSL:

DNS DCV: The DNS query to “_cpanel-dcv-test-record.novasec.co.za” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=OqvRoqrufUhwz2ZW0UD1KtLZlOO2VzXkDVkHoENuGjFzI8koWTeSGfNA3p6Gy_5b”.; HTTP DCV: “cPanel (powered by Sectigo)” forbids DCV HTTP redirections.
As it turns out, AutoSSL won’t run with the above return 301 https://$host$request_uri; redirection configured.

Not only that, but AutoSSL also fails for service subdomains when using NGINX with the following error:

DNS DCV: The DNS query to “_cpanel-dcv-test-record.novacloudsa.co.za” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=PYUV2b4zl7IsvBrt4oJZDLr8H6g68_fAfA0AZBu7bUBO6VdrszW9zGMIOk30y7WD”.; HTTP DCV: The system failed to fetch the DCV (Domain Control Validation) file at “http://cpanel.novacloudsa.co.za/.well-known/pki-validation/6AB7F975E4807393A97577BF7770B414.txt” because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “http://cpanel.novacloudsa.co.za/.well-known/pki-validation/6AB7F975E4807393A97577BF7770B414.txt” because of an error: (XID hnpasa) The response exceeded the maximum length (16 KB). (<!DOCTYPE html><html lang="en" dir="ltr"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> …) at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 657..
After many hours of scouring the web and trying many fixes myself, I have been once again unable to find a solution for the above errors. cPanel’s AutoSSL in partnership with Sectigo is another major reason why I would like to switch to cPanel in favour of Let’s Encrypt, especially after the recent vulnerability in their authority code.

With that being said, I think it’s best if I create a new post for the SSL issues.

Thanks again for all the help with PowerDNS, @cPanelLauren . Worst case scenario I’ll be opting for the DNSOnly version of cPanel and resort to a pure NGINX server for our hosting and reverse proxying.

cPanelLauren (Product Owner, Staff member)
@reginald.novacloud

That error seems to be specific to the forced redirection to https - can you create an include that allows an exception for the HTTP DCV check to be completed over http? Comodo will not follow redirects which is why this occurs.
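The exception @cPanelLauren suggests can be expressed as a per-domain include that keeps the HTTP-to-HTTPS redirect but answers the validation paths locally, over plain HTTP and without proxying them. This is an added example, not configuration from the thread or from cPanel. It assumes the include is pulled into a cPanel-generated server block that already listens on ports 80 and 443, that AutoSSL writes its challenge files under the account's document root (here /home/example/public_html, a placeholder), and that the backend is the same 192.168.0.1:8080 used in the thread.

```nginx
# Added example: reverse-proxy include that leaves DCV/ACME validation on HTTP.
# Both AutoSSL errors in the thread come from the validation request not being
# served as a small text file: the server-level 301 turns it into a redirect
# (which the CA refuses to follow), and proxying it returns the backend's
# HTML page instead (the "response exceeded the maximum length" error).

server_name biosecurity.example.com www.biosecurity.example.com;

# AutoSSL (Sectigo) fetches /.well-known/pki-validation/<file>.txt over plain
# HTTP. '^~' makes this prefix match win over any regex location, so the
# request is served from disk and never redirected or proxied.
location ^~ /.well-known/pki-validation/ {
    root /home/example/public_html;   # assumed document root
    default_type text/plain;
    try_files $uri =404;
}

# Same treatment for ACME (Let's Encrypt style) challenges.
location ^~ /.well-known/acme-challenge/ {
    root /home/example/public_html;   # assumed document root
    default_type text/plain;
    try_files $uri =404;
}

location / {

    # Redirect here, inside the catch-all location, rather than at server
    # level, so the two validation locations above are not affected.
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }

    # Backend on the private network; Upgrade/Connection headers allow WebSockets
    proxy_pass http://192.168.0.1:8080;
    proxy_http_version  1.1;
    proxy_cache_bypass  $http_upgrade;

    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        "upgrade";
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;

}
```

To check the behaviour before re-running AutoSSL, drop a small test file under public_html/.well-known/pki-validation/ and request it with curl over http:// from outside the server: it should come back as 200 text/plain with no Location header, while a request to / over http:// should still answer 301 to the https:// URL. Using return inside an if block is one of the few if usages nginx documents as safe, so this does not run into the usual "if is evil" pitfalls.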