PowerDNS comes with several tools that can be used to perform various DNS-related tasks.
Available in PowerDNS 2.9.22 and later.
For additional security, operators may prefer to have a 'hidden slave' that sits behind a strong firewall. This slave pulls in zones from the outside world, and stores them in a database. This database is then used by publicly accessible nameservers to publish zone data.
For proper slave operation, master nameservers send out notifications to inform slaves of updates. This is not normally a problem, but when operating with a hidden slave behind a firewall, notification packets can't reach the slave.
For this purpose, PowerDNS also supplies a notification proxy. It sits outside the firewall and accepts notifications from remote master servers. It interprets and validates these packets, and then sends a new notification on to the hidden slave.
The hidden slave then promptly retrieves an updated zone from the master.
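The validate-then-resend step described above can be sketched as follows. This is an added example, not nproxy's source code: the function names and the exact set of checks are assumptions that follow the NOTIFY message layout in RFC 1996. It shows why a proxy that rebuilds the packet passes only the zone name inward, not the sender's bytes.

```python
import struct

OPCODE_NOTIFY, QTYPE_SOA, QCLASS_IN = 4, 6, 1  # RFC 1996 / RFC 1035 values

def parse_notify(packet: bytes):
    """Return (id, zone) for a well-formed NOTIFY request; raise ValueError otherwise."""
    if len(packet) < 12:
        raise ValueError("short header")
    ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR set: this is a response")
    if (flags >> 11) & 0xF != OPCODE_NOTIFY:
        raise ValueError("opcode is not NOTIFY")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:  # compression pointer or reserved label type
            raise ValueError("unexpected label type in question")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    if len(packet) < pos + 4:
        raise ValueError("truncated question")
    if struct.unpack("!2H", packet[pos:pos + 4]) != (QTYPE_SOA, QCLASS_IN):
        raise ValueError("question is not SOA/IN")
    return ident, ".".join(labels) + "."

def build_notify(zone: str, ident: int) -> bytes:
    """Build a fresh NOTIFY request carrying only the zone name."""
    flags = (OPCODE_NOTIFY << 11) | 0x0400  # AA set, as in the RFC 1996 example
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in zone.split(".") if l)
    question = qname + b"\0" + struct.pack("!2H", QTYPE_SOA, QCLASS_IN)
    return struct.pack("!6H", ident, flags, 1, 0, 0, 0) + question

def relay(packet: bytes, new_ident: int) -> bytes:
    """Validate an incoming NOTIFY and return the new packet to send onward."""
    _, zone = parse_notify(packet)
    return build_notify(zone, new_ident)

# Constructed sample: NOTIFY for example.org with extra trailing bytes appended.
SAMPLE = build_notify("Example.ORG.", 0x1234) + b"\xde\xad"
```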
The notification proxy, called nproxy, can be configured using the following settings:
Change root to this directory for additional security.
Run in the background. Defaults to true, can be turned off using '--daemon=no'.
Public addresses (IPv4 and IPv6) to listen on for incoming notification packets. Defaults to "all addresses", but it is highly recommended to specify addresses here.
Can be used to pin the address nproxy uses to communicate with the hidden slave. Highly recommended. Corresponds to the PowerDNS setting trusted-notification-proxy.
IP address (IPv4 or IPv6) of the hidden slave, to which notifications should be relayed. This setting is mandatory, and has no default.
Change to these numerical user-id and/or group-id, dropping root privileges, for additional security.