Skip to main content

1.1.0 -

PowerDNS + PowerDNS-Admin

AWS Marketplace AMI

A production-ready, self-hosted authoritative DNS server with a powerful web-based management interface.

Overview

This AMI provides a complete DNS hosting solution with:

Component Description
PowerDNS High-performance authoritative DNS server
PowerDNS-Admin Modern web interface for DNS zone management
PostgreSQL Reliable database backend
Docker Containerized deployment for easy updates

Requirements

Instance Size

Size vCPU RAM Recommended For
t3.small 2 2 GB Development, testing, small deployments
t3.medium 2 4 GB Production with moderate DNS traffic
t3.large 2 8 GB High-traffic production environments

Minimum: t3.small (2 vCPU, 2 GB RAM)

Storage

Volume Size Purpose
Root (EBS) 8 GB Operating system and Docker
Data (EBS) 10 GB+ DNS data, database, certificates

Important: Attach a separate EBS volume for persistent data storage. This ensures your DNS zones and configuration survive instance replacement.

Network (Security Group)

Port Protocol Purpose
22 TCP SSH access
53 TCP/UDP DNS queries
80 TCP HTTP (Let's Encrypt validation or HTTPS mode)
443 TCP HTTPS (if enabled)
8081 TCP PowerDNS API (restrict to trusted IPs)
9191 TCP PowerDNS-Admin web UI (HTTP mode only)

Quick Start

Step 1: Launch and Configure

  1. Launch the instance with an attached EBS volume for data

  2. Connect via SSH:

    ssh -i your-key.pem ubuntu@your-instance-ip

  3. Run the configuration script:

    sudo /opt/powerdns/configure-powerdns.sh

  4. Follow the prompts to configure:

    • Domain or IP address
    • HTTPS with Let's Encrypt (optional, requires domain)

Step 2: Create Admin Account

  1. Open PowerDNS-Admin in your browser:

    • HTTP mode: http://YOUR-IP:9191
    • HTTPS mode: https://YOUR-DOMAIN

  2. Click "Create an account" to register your admin user

  3. Log in with your new credentials

Step 3: Connect to PowerDNS API

  1. Go to Settings > PDNS

  2. Configure the following:

    Setting Value
    PowerDNS API URL http://powerdns:8081
    PowerDNS API Key (shown after configuration, see below)
    PowerDNS Version 4.1.1

  3. Click Save Settings

Finding Your API Key

The API key is displayed after running the configuration script. You can also retrieve it anytime:

sudo cat /opt/powerdns/.credentials

Automated Configuration (User-Data)

For automated deployments, launch with JSON user-data:

{
  "host": "dns.example.com",
  "https": true,
  "letsencrypt_email": "admin@example.com"
}

Parameters:

Parameter Required Default Description
host No Public IP Domain or IP for web interface
https No false Enable Let's Encrypt SSL
letsencrypt_email If https=true - Email for SSL certificates

After automated setup, create your admin account through the web UI and configure the API connection as described above.

Management Commands

Use the powerdns-cli command for day-to-day management:

# Check service status
powerdns-cli status

# View logs
powerdns-cli logs              # All services
powerdns-cli logs powerdns     # PowerDNS only
powerdns-cli logs powerdns-admin   # Admin interface only

# Service control
sudo powerdns-cli start
sudo powerdns-cli stop
sudo powerdns-cli restart

# View configuration and credentials
powerdns-cli info
sudo powerdns-cli credentials

# Update to latest versions
sudo powerdns-cli update

# Backup and restore
sudo powerdns-cli backup
sudo powerdns-cli restore /path/to/backup.tar.gz

# Testing
powerdns-cli dns-test
powerdns-cli api-test
powerdns-cli zones
powerdns-cli version

Using PowerDNS-Admin

Creating DNS Zones

  1. Click Create Zone in the left menu
  2. Enter the domain name (e.g., example.com)
  3. Select zone type:
    • Native: Standard authoritative zone
    • Master: Primary server for zone transfers
    • Slave: Secondary server receiving transfers
  4. Click Create

Adding DNS Records

  1. Select a domain from the dashboard
  2. Click Add Record
  3. Choose record type (A, AAAA, CNAME, MX, TXT, SRV, CAA, etc.)
  4. Enter name, content, and TTL
  5. Click Save

User Management

  1. Go to Users in the left menu
  2. Create additional user accounts as needed
  3. Assign appropriate permissions

HTTPS Setup

With Let's Encrypt (Recommended for Production)

During configuration, enter a domain name (not IP) and choose to enable HTTPS:

Requirements:

  • Domain must point to this server's IP before configuration
  • Ports 80 and 443 must be accessible from the internet
  • Provide a valid email for certificate notifications

Certificates renew automatically every 60 days.

Without HTTPS

When using an IP address or declining HTTPS, the web interface runs on port 9191 over HTTP. This is suitable for:

  • Internal/private networks
  • Development and testing
  • Deployments behind a separate load balancer or proxy

Data Storage

Location

All persistent data is stored on the EBS volume at /mnt/powerdns-data/:

Directory Contents
postgres/ PostgreSQL database files
pdns/ PowerDNS configuration file
certs/ SSL certificates (if HTTPS enabled)
acme/ Let's Encrypt account data

Backup Strategy

Create backup:

sudo powerdns-cli backup

Download backup:

scp ubuntu@your-server:/tmp/powerdns-backup-*.tar.gz .

Restore from backup:

sudo powerdns-cli restore /path/to/backup.tar.gz

EBS Recommendations

  • Use gp3 volume type for best performance/cost ratio
  • Enable encryption for data at rest
  • Create regular EBS snapshots for disaster recovery
  • Size appropriately: 10-20 GB for most deployments

Troubleshooting

Cannot Create Zone (HTTP 400 Error)

Verify the API connection in Settings > PDNS:

  • API URL must be http://powerdns:8081 (container name, not IP)
  • API Key must match the one from credentials file
  • Version must be 4.1.1

Services Not Starting

powerdns-cli status
powerdns-cli logs
sudo powerdns-cli restart

DNS Not Resolving

# Test DNS server
powerdns-cli dns-test

# Check if port 53 is listening
sudo ss -ulnp | grep 53

# Verify zones exist
powerdns-cli zones

API Connection Failed

# Test API directly
powerdns-cli api-test

# View API key
sudo cat /opt/powerdns/.credentials | grep "API Key"

# Check PowerDNS logs
docker logs powerdns

Security Recommendations

  1. Restrict port 8081 (API) to trusted IPs in your Security Group
  2. Use strong passwords for your admin account (minimum 12 characters)
  3. Enable HTTPS for production deployments
  4. Regular updates: Run sudo powerdns-cli update periodically
  5. Backup regularly: Use EBS snapshots and powerdns-cli backup
  6. Monitor logs: Check for suspicious DNS queries or API access

Configuration Files

File Purpose
/opt/powerdns/docker-compose.yml Container configuration
/mnt/powerdns-data/pdns/pdns.conf PowerDNS server configuration
/opt/powerdns/.credentials Saved API key and database password
/opt/powerdns/config-info.txt Quick reference URLs

Version Information

Component Version
PowerDNS 4.9.x (API version 4.1.1)
PowerDNS-Admin Latest
PostgreSQL 15
Ubuntu 24.04 LTS

Check current versions:

powerdns-cli version
Back to top