PowerDNS Recursor Documentation PowerDNS.COM BV Sep 30, 2021 CONTENTS 1 Introduction 1 1.1 Notable features...........................................1 1.2 Getting support............................................1 1.2.1 My information is confidential, must I send it to the mailing list, discuss it on IRC, or post it in a GitHub ticket?..................................2 1.2.2 I have a question!......................................2 1.2.3 What details should I supply?................................2 1.2.4 I found a bug!........................................2 1.2.5 I found a security issue!...................................2 1.2.6 I have a good idea for a feature!..............................2 1.3 Third party software.........................................2 1.3.1 Protozero..........................................3 2 Getting Started 5 2.1 Installation..............................................5 2.1.1 Debian-based distributions.................................5 2.1.2 Enterprise Linux......................................5 2.1.3 FreeBSD..........................................5 2.1.4 From Source........................................5 2.2 Configuring the Recursor......................................5 2.3 Using Ansible............................................6 3 Operating PowerDNS Recursor7 3.1 Logging................................................7 3.1.1 Logging to syslog......................................7 3.2 Cache Management.........................................8 3.3 Tracing Queries...........................................8 4 DNSSEC in the PowerDNS Recursor9 4.1 DNSSEC settings...........................................9 4.1.1 off .............................................9 4.1.2 process-no-validate ................................9 4.1.3 process ..........................................9 4.1.4 log-fail .........................................9 4.1.5 validate ......................................... 10 4.1.6 What, when?........................................ 10 4.2 Trust Anchor Management...................................... 10 4.2.1 Trust Anchors........................................ 10 4.2.2 Negative Trust Anchors................................... 11 5 PowerDNS Recursor Settings 13 5.1 aggressive-nsec-cache-size ............................... 13 5.2 allow-from ............................................ 13 5.3 allow-from-file ........................................ 14 5.4 any-to-tcp ............................................ 14 i 5.5 allow-trust-anchor-query ................................. 14 5.6 api-config-dir ......................................... 14 5.7 api-key .............................................. 14 5.8 api-readonly .......................................... 15 5.9 api-logfile ........................................... 15 5.10 auth-can-lower-ttl ...................................... 15 5.11 auth-zones ............................................ 15 5.12 carbon-interval ........................................ 15 5.13 carbon-namespace ....................................... 15 5.14 carbon-ourname ......................................... 16 5.15 carbon-instance ........................................ 16 5.16 carbon-server .......................................... 16 5.17 chroot ............................................... 16 5.18 client-tcp-timeout ...................................... 16 5.19 config-dir ............................................ 16 5.20 config-name ........................................... 17 5.21 cpu-map .............................................. 17 5.22 daemon ............................................... 17 5.23 dont-throttle-names ..................................... 17 5.24 dont-throttle-netmasks .................................. 18 5.25 disable-packetcache ..................................... 18 5.26 disable-syslog ......................................... 18 5.27 distribution-load-factor ................................. 18 5.28 distribution-pipe-buffer-size ............................. 19 5.29 distributor-threads ..................................... 19 5.30 dot-to-auth-names ...................................... 19 5.31 dot-to-port-853 ........................................ 19 5.32 dns64-prefix .......................................... 19 5.33 dnssec ............................................... 20 5.34 dnssec-log-bogus ....................................... 20 5.35 dont-query ............................................ 20 5.36 ecs-add-for ........................................... 20 5.37 ecs-ipv4-bits .......................................... 21 5.38 ecs-ipv4-cache-bits ..................................... 21 5.39 ecs-ipv6-bits .......................................... 21 5.40 ecs-ipv6-cache-bits ..................................... 21 5.41 ecs-ipv4-never-cache .................................... 22 5.42 ecs-ipv6-never-cache .................................... 22 5.43 ecs-minimum-ttl-override ................................. 22 5.44 ecs-cache-limit-ttl ..................................... 22 5.45 ecs-scope-zero-address .................................. 22 5.46 edns-outgoing-bufsize ................................... 23 5.47 edns-padding-from ...................................... 23 5.48 edns-padding-mode ...................................... 23 5.49 edns-padding-tag ....................................... 23 5.50 edns-subnet-whitelist ................................... 24 5.51 edns-subnet-allow-list .................................. 24 5.52 entropy-source ......................................... 24 5.53 etc-hosts-file ......................................... 24 5.54 export-etc-hosts ....................................... 24 5.55 export-etc-hosts-search-suffix ............................ 24 5.56 extended-resolution-errors ............................... 25 5.57 forward-zones .......................................... 25 5.58 forward-zones-file ...................................... 25 5.59 forward-zones-recurse ................................... 26 5.60 gettag-needs-edns-options ................................ 26 5.61 hint-file ............................................. 26 5.62 ignore-unknown-settings .................................. 26 ii 5.63 include-dir ........................................... 26 5.64 latency-statistic-size .................................. 26 5.65 local-address .......................................... 27 5.66 local-port ............................................ 27 5.67 log-timestamp .......................................... 27 5.68 non-local-bind ......................................... 27 5.69 loglevel .............................................. 27 5.70 log-common-errors ...................................... 28 5.71 log-rpz-changes ........................................ 28 5.72 logging-facility ....................................... 28 5.73 lowercase-outgoing ...................................... 28 5.74 lua-config-file ........................................ 28 5.75 lua-dns-script ......................................... 28 5.76 lua-maintenance-interval ................................. 29 5.77 max-cache-bogus-ttl ..................................... 29 5.78 max-cache-entries ...................................... 29 5.79 max-cache-ttl .......................................... 29 5.80 max-concurrent-requests-per-tcp-connection .................. 29 5.81 max-generate-steps ...................................... 30 5.82 max-mthreads .......................................... 30 5.83 max-packetcache-entries .................................. 30 5.84 max-qperq ............................................. 30 5.85 max-ns-address-qperq .................................... 30 5.86 max-negative-ttl ....................................... 31 5.87 max-recursion-depth ..................................... 31 5.88 max-tcp-clients ........................................ 31 5.89 max-tcp-per-client ...................................... 31 5.90 max-tcp-queries-per-connection ............................ 31 5.91 max-total-msec ......................................... 31 5.92 max-udp-queries-per-round ................................ 32 5.93 minimum-ttl-override .................................... 32 5.94 new-domain-tracking ..................................... 32 5.95 new-domain-log ......................................... 32 5.96 new-domain-lookup ...................................... 33 5.97 new-domain-db-size ...................................... 33 5.98 new-domain-history-dir .................................. 33 5.99 new-domain-whitelist .................................... 33 5.100 new-domain-ignore-list .................................. 33 5.101 new-domain-pb-tag ...................................... 34 5.102 network-timeout ........................................ 34 5.103 non-resolving-ns-max-fails ............................... 34 5.104 non-resolving-ns-max-throttle-time ......................... 34 5.105 nothing-below-nxdomain .................................. 34 5.106 nsec3-max-iterations .................................... 35 5.107 packetcache-ttl ........................................ 35 5.108 packetcache-servfail-ttl ................................. 35 5.109 pdns-distributes-queries ................................. 35 5.110 protobuf-use-kernel-timestamp ............................. 36 5.111 proxy-protocol-from ..................................... 36 5.112 proxy-protocol-maximum-size .............................