Table of Contents
The PowerDNS recursor is part of the source tarball of the main PowerDNS distribution, but it is released separately. Starting from the version 3.0 pre-releases, there are zero known bugs or issues with the recursor. It is known to power the resolving needs of over 100 million internet connections.
The documentation below is only for the 3.0 series, users of older versions are urged to upgrade!
Notable features:
Uses MTasker (homepage)
Can handle thousands of concurrent questions. A quad Xeon 3GHz has been measured functioning very well at 40000 real life replayed packets per second, with 40% cpu idle. More testing equipment is needed to max out the recursor.
Powered by a highly modern DNS packet parser that should be resistant against many forms of buffer overflows.
Best spoofing protection that we know about, involving both source port randomisation and spoofing detection.
Uses 'connected' UDP sockets which allow the recursor to react quickly to unreachable hosts or hosts for which the server is running, but the nameserver is down. This makes the recursor faster to respond in case of misconfigured domains, which are sadly very frequent.
Special support for FreeBSD, Linux and Solaris stateful multiplexing (kqueue, epoll, completion ports, /dev/poll).
Very fast, and contains innovative query-throttling code to save time talking to obsolete or broken nameservers.
Code is written linearly, sequentially, which means that there are no problems with 'query restart' or anything.
Relies heavily on Standard C++ Library infrastructure, which makes for little code (406 core lines).
Is very verbose in showing how recursion actually works, when enabled to do so with --verbose.
The algorithm is simple and quite nifty.
The PowerDNS recursor is controlled and queried using the rec_control
tool.
At startup, the recursing nameserver reads the file recursor.conf
from the configuration directory,
often /etc/powerdns
or /usr/local/etc
. Each setting below can appear on the command line,
prefixed by '--', or in the configuration file. The command line overrides the configuration file.
A switch can be set to on simply by passing it, like '--daemon', and turned off explicitly by '--daemon=off' or '--daemon=no'.
The following settings can be configured:
If turned on, the recursor will attempt to add AAAA IPv6 records to questions for MX records and NS records. Can be quite slow as absence of these records in earlier answers does not guarantee their non-existence. Can double the amount of queries needed. Off by default.
Comma separated netmasks (both IPv4 and IPv6) that are allowed to use the server. The default allows access only from RFC 1918 private IP addresses, like 10.0.0.0/8. Due to the aggressive nature of the internet these days, it is highly recommended to not open up the recursor for the entire internet. Questions from IP addresses not listed here are ignored and do not get an answer.
Like allow-from, except reading from file. Overrides the 'allow-from' setting. To use this feature, supply one netmask per line, with optional comments preceeded by a #. Available since 3.1.5.
Authoritative zones can transmit a TTL value that is lower than that specified in the parent zone. This is called a 'delegation inconsistency'. To follow RFC 2181 paragraphs 5.2 and 5.4 to the letter, enable this feature. This will mean a slight deterioration of performance, and it will not solve any problems, but does make the recursor more standards compliant. Not recommended unless you have to tick an 'RFC 2181 compliant' box. Off by default.
Comma separated list of 'zonename=filename' pairs. Zones read from these files are served authoritatively. Example: auth-zones= ds9a.nl=/var/zones/ds9a.nl, powerdns.com=/var/zones/powerdns.com. Available since 3.1.
If set, chroot to this directory for more security. See Chapter 7, Security settings & considerations.
Make sure that /dev/log
is available from within the chroot. Logging will silently fail
over time otherwise (on logrotate).
Time to wait for data from TCP clients. Defaults to 2 seconds.
Directory where the configuration file can be found.
Operate in the background, which is the default.
A Verisign special.
Turn off the packet cache. Useful when running with Lua scripts that can not be cached. Available since 3.2.
The DNS is a public database, but sometimes contains delegations to private IP addresses, like for example 127.0.0.1. This can have odd effects, depending on your network, and may even be a security risk. Therefore, since version 3.1.5, the PowerDNS recursor by default does not query private space IP addresses. This setting can be used to expand or reduce the limitations.
From version 3.1.5 onwards, PowerDNS can read entropy from a (hardware) source. This is used for generating random numbers
which are very hard to predict. Generally on UNIX platforms, this source will be
/dev/urandom
, which will always supply random numbers, even if entropy is lacking.
Change to /dev/random
if PowerDNS should block waiting for enough entropy to arrive.
If set, this flag will export the host names and IP addresses mentioned in /etc/hosts
. Available since 3.1.
If set, all hostnames in the export-etc-hosts file are loaded in canonical form, based on this suffix, unless the name contain a '.', in which case the name is unchanged. So an entry called 'pc' with export-etc-hosts-suffix='home.com' will lead to the generation of 'pc.home.com' within the recursor. An entry called 'server1.home' will be stored as 'server1.home', regardless of the export-etc-hosts setting. Available in since 3.4.
If running on an SMP system with enough memory, this feature forks PowerDNS so it benefits from two processors. Experimental. Renames controlsockets, so care is needed to connect to the right one using rec_control, using --socket-pid. Available in versions of the Recursor before 3.2, replaced by the 'threads' setting.
Comma separated list of 'zonename=IP' pairs. Queries for zones listed here will be forwarded to the IP address listed. forward-zones= ds9a.nl=213.244.168.210, powerdns.com=127.0.0.1. Available since 3.1.
Since version 3.1.5, multiple IP addresses can be specified. Additionally, port numbers other than 53 can be configured. Sample syntax: forward-zones=ds9a.nl=213.244.168.210:5300;127.0.0.1, powerdns.com=127.0.0.1;9.8.7.6:530, or on the command line: --forward-zones="ds9a.nl=213.244.168.210:5300;127.0.0.1, powerdns.com=127.0.0.1;9.8.7.6:530",
Forwarded queries have the 'recursion desired' bit set to 0, meaning that this setting is intended to forward queries to authoritative servers.
Same as forward-zones, parsed from a file. Only 1 zone is allowed per line, specified as follows: ds9a.nl=213.244.168.210, 1.2.3.4:5300. No comments are allowed. Available since 3.1.5.
Since 3.2, zones prefixed with a '+' are forwarded with the recursion-desired bit set to one, for which see 'forward-zones-recurse'. Default behaviour without '+' is as with 'forward-zones'.
Like regular 'forward-zones' (see above), but forwarded queries have the 'recursion desired' bit set to 1, meaning that this setting is intended to forward queries to authoritative servers or to resolving servers. Available since 3.2.
If set, the root-hints are read from this file. If unset, default root hints are used. Available since 2.9.19.
Local IPv4 or IPv6 addresses to bind to, comma separated. Defaults to only loopback. Addresses can also contain port numbers, for IPv4 specify like this: 1.2.3.4:5300, for IPv6: [::1]:5300. Port specifications are available since 3.1.2.
![]() | Warning |
---|---|
When binding to wildcard addresses, UNIX semantics mean that answers may not be sent from the address a query was received on. It is highly recommended to bind to explicit addresses. |
Local port (singular) to bind to. Defaults to 53.
Some DNS errors occur rather frequently and are no cause for alarm. Logging these is on by default.
If set to a digit, logging is performed under this LOCAL facility. See Section 3, “Operational logging using syslog”. Available from 3.1.3 and onwards. Do not pass names like 'local0'!
Maximum number of DNS cache entries. 1 million per thread will generally suffice for most installations.
Maximum number of Packet Cache entries. 1 million per thread will generally suffice for most installations. Available since 3.2.
Maximum number of seconds to cache an item in the DNS cache, no matter what the original TTL specified. Available since 3.2.
A query for which there is authoritatively no answer is cached to quickly deny a record's existence later on, without putting a heavy load on the remote server. In practice, caches can become saturated with hundreds of thousands of hosts which are tried only once. This setting, which defaults to 3600 seconds, puts a maximum on the amount of time negative entries are cached.
Maximum number of simultaneous incoming TCP connections allowed. Defaults to 128. Available since 2.9.18.
Maximum number of simultaneous incoming TCP connections allowed per client (remote IP address). Defaults to 0, which means unlimited.
Number of milliseconds to wait for a remote authoritative server to respond. Defaults to 1500 msec, available since 3.2.
Maximum number of seconds to cache an item in the packet cache, no matter what the original TTL specified. Available since 3.2.
Maximum number of seconds to cache a 'server failure' answer in the packet cache. Available since 3.2.
Send out local queries from this address, or addresses. Since 3.2, by adding multiple addresses, increased spoofing resilience is achieved. Addresses can be separated by a comma.
Send out local IPv6 queries from this address or addresses Disabled by default, which also disables outgoing IPv6 support. Since version 3.2, multiple addresses can be specified, separated by a comma.
Don't log queries. On by default.
Number of entries in the remotes ringbuffer, which keeps statistics on who is querying your server. Can be read out using rec_control top-remotes. Defaults to 0.
On by default, this makes the server authoritatively aware of: 10.in-addr.arpa
,
168.192.in-addr.arpa
, 16-31.172.in-addr.arpa
, which saves
load on the AS112 servers. Individual parts of these zones can still be loaded or forwarded.
The PowerDNS recursor by replies to a query for 'id.server' with its hostname, useful for in clusters. Use this setting to override the answer it gives.
PowerDNS can change its user and group id after binding to its socket. Can be used for better security.
Where to store the control socket. This option also works with the controller, rec_control.
Owner, group and mode of the controlsocket. Owner and group can be specified by name, mode is in octal.
If set to non-zero, PowerDNS will assume it is being spoofed after seeing this many answers with the wrong id. Defaults to 20.
If turned on, output impressive heaps of logging. May destroy performance under load.
Print version of this binary. Useful for checking which version of the PowerDNS recursor is installed on a system. Available since 3.1.5.
By default, PowerDNS replies to the 'version.bind' query with its version number. Security conscious users may wish to override the reply PowerDNS issues.