Chapter 1. The PowerDNS dynamic nameserver

Table of Contents

1. Function & design of PDNS
2. About this document
3. Release notes
3.1. PowerDNS Authoritative Server 3.2
3.2. PowerDNS Authoritative Server 3.1
3.3. Authoritative Server version 2.9.22.6
3.4. Authoritative Server version 2.9.22.5
3.5. PowerDNS Authoritative Server 3.0.1
3.6. PowerDNS Authoritative Server 3.0
3.7. Recursor version 3.3.1
3.8. Recursor version 3.3
3.9. Recursor version 3.2
3.10. Recursor version 3.1.7.2
3.11. Recursor version 3.1.7.1
3.12. Authoritative Server version 2.9.22
3.13. Authoritative Server version 2.9.21.2
3.14. Authoritative Server version 2.9.21.1
3.15. Recursor version 3.1.7
3.16. Recursor version 3.1.6
3.17. Recursor version 3.1.5
3.18. PowerDNS Authoritative Server version 2.9.21
3.19. Recursor version 3.1.4
3.20. Recursor version 3.1.3
3.21. Recursor version 3.1.2
3.22. Recursor version 3.1.1
3.23. Recursor version 3.0.1
3.24. Recursor version 3.0
3.25. Version 2.9.20
3.26. Version 2.9.19
3.27. Version 2.9.18
3.28. Version 2.9.17
3.29. Version 2.9.16
3.30. Version 2.9.15
3.31. Version 2.9.14
3.32. Version 2.9.13
3.33. Version 2.9.12
3.34. Version 2.9.11
3.35. Version 2.9.10
3.36. Version 2.9.8
3.37. Version 2.9.7
3.38. Version 2.9.6
3.39. Version 2.9.5
3.40. Version 2.9.4
3.41. Version 2.9.3a
3.42. Version 2.9.2
3.43. Version 2.9.1
3.44. Version 2.9
3.45. Version 2.8
3.46. Version 2.7 and 2.7.1
3.47. Version 2.6.1
3.48. Version 2.6
3.49. Version 2.5.1
3.50. Version 2.5
3.51. Version 2.4
3.52. Version 2.3
3.53. Version 2.2
3.54. Version 2.1
3.55. Version 2.0.1
3.56. Version 2.0
3.57. Version 2.0 Release Candidate 2
3.58. Version 2.0 Release Candidate 1
3.59. Version 1.99.12 Prerelease
3.60. Version 1.99.11 Prerelease
3.61. Version 1.99.10 Prerelease
3.62. Version 1.99.9 Early Access Prerelease
3.63. Version 1.99.8 Early Access Prerelease
3.64. Version 1.99.7 Early Access Prerelease
3.65. Version 1.99.6 Early Access Prerelease
3.66. Version 1.99.5 Early Access Prerelease
3.67. Version 1.99.4 Early Access Prerelease
3.68. Version 1.99.3 Early Access Prerelease
3.69. Version 1.99.2 Early Access Prerelease
3.70. Version 1.99.1 Early Access Prerelease
4. Security
5. PowerDNS Security Advisory 2006-01: Malformed TCP queries can lead to a buffer overflow which might be exploitable
6. PowerDNS Security Advisory 2006-02: Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space, and crash
7. PowerDNS Security Advisory 2008-01: System random generator can be predicted, leading to the potential to 'spoof' PowerDNS Recursor
8. PowerDNS Security Advisory 2008-02: By not responding to certain queries, domains become easier to spoof
9. PowerDNS Security Advisory 2008-02: Some PowerDNS Configurations can be forced to restart remotely
10. PowerDNS Security Advisory 2010-01: PowerDNS Recursor up to and including 3.1.7.1 can be brought down and probably exploited
11. PowerDNS Security Advisory 2010-02: PowerDNS Recursor up to and including 3.1.7.1 can be spoofed into accepting bogus data
12. PowerDNS Security Advisory 2012-01: PowerDNS Authoritative Server can be caused to generate a traffic loop
13. Acknowledgements

The PowerDNS daemon is a versatile nameserver which supports a large number of backends. These backends can either be plain zone files or be more dynamic in nature. Additionally, through use of clever programming techniques, PowerDNS offers very high domain resolution performance.

Prime examples of backends include relational databases, but also (geographical) load balancing and failover algorithms.

The company is called PowerDNS.COM BV; the nameserver daemon is called PDNS.

1. Function & design of PDNS

PowerDNS consists of two parts: the Authoritative Server and the Recursor. Other nameservers fully combine these functions; PowerDNS offers them separately, but can mix authoritative and recursive usage seamlessly. The Authoritative Server will answer questions about domains it knows about, but will not go out on the net to resolve queries about other domains. However, it can use a recursing backend to provide that functionality. Depending on your needs, this backend can be either the PowerDNS Recursor or an external one.

When the Authoritative Server answers a question, the answer comes out of the database and can be trusted as being authoritative. There is no way to pollute the cache or to confuse the daemon.

The Recursor, conversely, by default has no knowledge of domains itself, but will always consult other authoritative servers to answer questions given to it.

PDNS has been designed both to serve the needs of small installations, by being easy to set up, and to serve very large query volumes on large numbers of domains.

Another prime goal is security. Through the use of language features, the PDNS source code is very small (in the order of 10.000 lines), which makes auditing easy. In the same way, library features have been used to mitigate the risks of buffer overflows.

Finally, PDNS is able to give a lot of statistics on its operation, which is helpful both in determining the scalability of an installation and in spotting problems.