
PowerDNS

A modular DNS platform with separate Authoritative Server and Recursor products — known for its database backends, REST API, and popularity with ISPs and hosting providers.

Overview

Two Products, One Platform

PowerDNS ships as two separate binaries with different purposes. The Authoritative Server (pdns_server) serves authoritative zone data, with a pluggable backend architecture supporting MySQL, PostgreSQL, SQLite, LDAP, and more. The Recursor (pdns_recursor) is a recursive resolver.

PowerDNS's standout feature is its REST API — the Authoritative Server exposes full zone management over HTTP/JSON, making it easy to integrate with provisioning systems, web hosting control panels (cPanel, Plesk), and custom automation. This is why it dominates the ISP and web hosting market.

  • Backend-agnostic: store zones in MySQL, PostgreSQL, SQLite, Bind zone files, or LDAP
  • Full REST API for zone and record management — no SSH required
  • DNSSEC with automatic key management (PKCS#11 HSM support)
  • Lua scripting for custom query/response logic in both products
  • PowerDNS Admin — open-source web UI for zone management
  • NOTIFY and AXFR/IXFR for secondary nameserver support
  • DNS-over-HTTPS and DNS-over-TLS in the Recursor

When to Choose PowerDNS

  • You need programmatic zone management via REST API
  • You are storing DNS zones in a SQL database
  • You are building a hosting panel or provisioning system
  • You need to manage thousands of zones efficiently

First released: 1999
API: REST API for all zone ops

Configuration

Key Configuration Examples

Authoritative Server (pdns.conf)

# /etc/powerdns/pdns.conf

# Listen
local-address=0.0.0.0
local-port=53

# Backend: MySQL
launch=gmysql
gmysql-host=127.0.0.1
gmysql-dbname=powerdns
gmysql-user=pdns
gmysql-password=secret

# REST API
api=yes
api-key=changeme-in-production
webserver=yes
webserver-address=0.0.0.0
webserver-port=8081
webserver-allow-from=127.0.0.1,192.168.0.0/24

# DNSSEC
default-ksk-algorithm=ecdsa256
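A check a deployment pipeline could run over the pdns.conf settings shown above before the API goes live: it flags the placeholder api-key, the 0.0.0.0 webserver bind, non-loopback allow-from ranges and weak backend passwords. This is an added example, not PowerDNS code; the finding names, the WEAK_WORDS list and the 32-character minimum are assumptions.

```python
import ipaddress

# Constructed sample: the API and backend settings from the pdns.conf above.
SAMPLE_CONF = """\
gmysql-password=secret
api=yes
api-key=changeme-in-production
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=127.0.0.1,192.168.0.0/24
"""

WEAK_WORDS = ("changeme", "secret", "password")  # assumed placeholder markers
MIN_SECRET_LEN = 32  # assumed minimum length, not a PowerDNS rule


def parse_conf(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def weak_secret(value):
    return len(value) < MIN_SECRET_LEN or any(w in value.lower() for w in WEAK_WORDS)


def audit(text):
    """Return a sorted list of finding codes for API and backend settings."""
    conf, findings = parse_conf(text), set()
    if conf.get("api") == "yes" and weak_secret(conf.get("api-key", "")):
        findings.add("weak-api-key")
    if conf.get("webserver") == "yes":
        addr = conf.get("webserver-address", "")
        if addr and ipaddress.ip_address(addr).is_unspecified:
            findings.add("webserver-all-interfaces")
        for net in filter(None, conf.get("webserver-allow-from", "").split(",")):
            if not ipaddress.ip_network(net.strip(), strict=False).is_loopback:
                findings.add("allow-from-non-loopback")
    for key, value in conf.items():
        if key.endswith("-password") and weak_secret(value):
            findings.add("weak-backend-password:" + key)
    return sorted(findings)


print(audit(SAMPLE_CONF))
```

An empty list means none of these four checks fired; it says nothing about settings the script does not look at.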

REST API: zone management

# Create a zone via API (the X-API-Key value must match api-key in pdns.conf)
curl -X POST http://localhost:8081/api/v1/servers/localhost/zones \
  -H "X-API-Key: changeme-in-production" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "example.com.",
    "kind": "Native",
    "nameservers": ["ns1.example.com.", "ns2.example.com."]
  }'

# Add a record
curl -X PATCH http://localhost:8081/api/v1/servers/localhost/zones/example.com. \
  -H "X-API-Key: changeme-in-production" \
  -d '{"rrsets":[{"name":"www.example.com.","type":"A","ttl":3600,
       "changetype":"REPLACE","records":[{"content":"203.0.113.1","disabled":false}]}]}'

Recursor (recursor.conf)

# /etc/powerdns/recursor.conf
local-address=0.0.0.0
local-port=53

# Allow only internal clients
allow-from=127.0.0.0/8,192.168.0.0/16,10.0.0.0/8

# DNSSEC validation
dnssec=validate

# Forward internal zone to auth server
forward-zones=corp.internal.=10.0.0.1:5300

# Lua scripting for custom logic
lua-dns-script=/etc/powerdns/dns-script.lua

# DNS-over-TLS for upstream
# (via forward-zones-recurse)

pdnsutil commands

# List all zones
pdnsutil list-all-zones

# Create a zone
pdnsutil create-zone example.com

# Add a record
pdnsutil add-record example.com www A 3600 203.0.113.1

# Enable DNSSEC for a zone
pdnsutil secure-zone example.com
pdnsutil show-zone example.com

# Rectify zone (fix NSEC/NSEC3 chain)
pdnsutil rectify-zone example.com

# Check zone
pdnsutil check-zone example.com