[18.0.5][NEW] PowerDNS Recursor TKL Appliance

## New Appliance: PowerDNS Recursor

A new TurnKey Linux appliance for [PowerDNS Recursor](https://doc.powerdns.com/recursor/) — a high-performance, open-source DNS resolver with caching, forwarding, DNSSEC validation, and DNS64/NAT64 support.

### Use case

Internal DNS resolver for private networks, homelab, datacenter, or cooperative infrastructure. Designed to run as an LXC container on Proxmox (both privileged and unprivileged).

### Features

- **PowerDNS Recursor 4.8** with caching, DNSSEC, and forwarding pre-configured
- **Split-horizon DNS** via auth-zones for internal name resolution
- **DNS64 support** for IPv6-only networks (configurable via Confconsole)
- **Web dashboard** (HTTPS/443) with real-time stats (queries, cache hit rate, latency, uptime)
- **Nginx reverse proxy** for the Recursor API (API key injected automatically, never exposed directly)
- **Confconsole plugin** with options to: regenerate API key, configure allowed networks, set upstream forwarders, enable/disable DNS64, manage auth-zones, toggle IPv6 firewall, reload config, and view stats
- **First-boot security**:
  - Unique API key generated per installation (shown once, never stored on disk)
  - Public IPv6 detection with interactive prompt to restrict access via ip6tables
  - Persistent firewall rules across reboots
- **LXC unprivileged support** via systemd service override (disables sandboxing directives incompatible with unprivileged containers)
- **Zone management helper** (`pdns-zones` CLI tool) for listing, reloading, and testing zones
- **Cron-based zone reload** every 5 minutes (for CI/CD-driven zone updates)

### Technical details

- Based on `turnkey-core` (Debian 12 Bookworm)
- Packages: `pdns-recursor`, `pdns-tools`, `nginx-light`, `dnsutils`, `lua-cjson`
- Default upstream forwarders: Cloudflare (1.1.1.1, 1.0.0.1) + configurable
- Recursor API always behind Nginx/SSL on port 443, port 8082 not exposed
- Tested on Proxmox 8.x, both privileged and unprivileged LXC

### Screenshots

<img width="1278" height="660" alt="Image" src="https://github.com/user-attachments/assets/9ce88be9-109c-48d2-a125-22ba3175b593" />
<img width="1278" height="660" alt="Image" src="https://github.com/user-attachments/assets/68130e0c-b90d-419f-8447-43aeed3f0288" />
<img width="1278" height="660" alt="Image" src="https://github.com/user-attachments/assets/54d893d3-5fb6-40c6-ad7e-6c8610934b51" />
<img width="1294" height="650" alt="Image" src="https://github.com/user-attachments/assets/d258359e-1d71-4a74-b063-c10f27e4d62a" />

### Source

https://git.pop.coop/turnkeylinux/pdns-recursor

---

Built and tested by [@marcos-mendez](https://github.com/marcos-mendez) / [POPSOLUTIONS Cooperative](https://pop.coop)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[18.0.5][NEW] PowerDNS Recursor TKL Appliance #2089

New Appliance: PowerDNS Recursor

Use case

Features

Technical details

Screenshots

Source

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[18.0.5][NEW] PowerDNS Recursor TKL Appliance #2089

Description

New Appliance: PowerDNS Recursor

Use case

Features

Technical details

Screenshots

Source

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions