PowerDNS

From Lolly's Wiki
Latest revision as of 07:02, 22 June 2023


PowerDNS Server (pdns_server)

Newer version in Ubuntu

If you are running Ubuntu xenial (16.04) and need a newer PowerDNS from Ubuntu zesty (17.04), do this. Zesty is end-of-life and no longer receives security updates, so today you would point the same pinning at a currently supported release; the mechanism is identical.

/etc/apt/apt.conf.d/01pinning

APT::Default-Release "xenial";

/etc/apt/preferences.d/pdns

Package: pdns-*
Pin: release a=zesty, l=Ubuntu
Pin-Priority: 1000

Package: pdns-*
Pin: release a=zesty-updates, l=Ubuntu
Pin-Priority: 1000

Package: pdns-*
Pin: release a=zesty-security, l=Ubuntu
Pin-Priority: 1000

/etc/apt/sources.list

Add the zesty sources next to the xenial ones, for example:

deb [arch=amd64] http://de.archive.ubuntu.com/ubuntu/ xenial          main restricted universe
deb [arch=amd64] http://de.archive.ubuntu.com/ubuntu/ xenial-updates  main restricted universe
deb [arch=amd64] http://security.ubuntu.com/ubuntu    xenial-security main restricted universe
deb [arch=amd64] http://de.archive.ubuntu.com/ubuntu/ zesty           main restricted universe
deb [arch=amd64] http://de.archive.ubuntu.com/ubuntu/ zesty-updates   main restricted universe
deb [arch=amd64] http://security.ubuntu.com/ubuntu    zesty-security  main restricted universe

Do the upgrade

# apt update
# apt install pdns-recursor/zesty pdns-tools/zesty libstdc++6/zesty gcc-6-base/zesty

The pkg/zesty suffix is needed for libstdc++6 and gcc-6-base because the pin above only covers pdns-*; without it apt keeps the xenial versions, which the Default-Release setting prefers, and the zesty recursor cannot be installed because its dependency on the newer C++ runtime stays unmet. Be aware that libstdc++6 is the C++ runtime for every program on the system, so this pulls a newer release's runtime under all of them, not just under PowerDNS.
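The following is an added example, not part of the wiki page or of apt: a small model of the candidate selection apt_preferences(5) describes, run against the pinning above. It assumes that the Default-Release suite also covers xenial-updates and xenial-security (the model strips the suffix), that `apt install pkg/release` acts as a per-package target release, and uses a simplified numeric version compare instead of dpkg's algorithm; the package pool and version strings are constructed. On a real host, `apt-cache policy libstdc++6` shows the actual priorities.

```python
"""Model apt's candidate selection for the pinning configured above.

Added example, not part of the wiki page or of apt.  Rules from
apt_preferences(5): a version from the APT::Default-Release suite gets
priority 990, any other version 500, a matching Package:/Pin: stanza
overrides that, and `apt install pkg/release` is modelled as a per-package
target release (also 990).  Version comparison is a simplified numeric
compare, not dpkg's full algorithm.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatch

DEFAULT_RELEASE = "xenial"  # APT::Default-Release from 01pinning

# Stand-in for /etc/apt/preferences.d/pdns: (Package glob, release a=, Pin-Priority)
PINS = [
    ("pdns-*", "zesty", 1000),
    ("pdns-*", "zesty-updates", 1000),
    ("pdns-*", "zesty-security", 1000),
]


@dataclass(frozen=True)
class Candidate:
    package: str
    version: str
    archive: str  # the a= component of the release, e.g. "xenial-updates"


# Constructed package pool with illustrative version strings.
POOL = [
    Candidate("pdns-recursor", "4.0.0~alpha2-2", "xenial"),
    Candidate("pdns-recursor", "4.0.4-1", "zesty"),
    Candidate("libstdc++6", "5.4.0-6ubuntu1~16.04.4", "xenial-updates"),
    Candidate("libstdc++6", "6.3.0-12ubuntu2", "zesty"),
]


def suite(archive):
    """'xenial-updates' -> 'xenial' (assumption: Default-Release covers the suffixes)."""
    return archive.split("-", 1)[0]


def priority(c, pins=PINS, default_release=DEFAULT_RELEASE, target=None):
    """Pin priority of one candidate version."""
    for glob, archive, prio in pins:
        if fnmatch(c.package, glob) and c.archive == archive:
            return prio
    if target is not None and suite(c.archive) == target:
        return 990  # `apt install pkg/target`: target becomes the release for pkg
    if suite(c.archive) == default_release:
        return 990
    return 500


def version_key(version):
    """Simplified ordering: compare the numeric fields left to right."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def candidate(package, pool=POOL, **kw):
    """The version apt installs: highest priority first, then highest version."""
    versions = [c for c in pool if c.package == package]
    return max(versions, key=lambda c: (priority(c, **kw), version_key(c.version)))


if __name__ == "__main__":
    for pkg in ("pdns-recursor", "libstdc++6"):
        c = candidate(pkg)
        print(f"{pkg}: {c.version} from {c.archive} (priority {priority(c)})")
    c = candidate("libstdc++6", target="zesty")
    print(f"libstdc++6/zesty: {c.version} from {c.archive}")
```

Running it shows why the pin alone is not enough: pdns-recursor comes from zesty (1000 beats 990), but libstdc++6 stays on xenial-updates (990 beats 500) until the `/zesty` suffix raises the zesty version to 990 as well, at which point the higher version wins.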

Logging with systemd and syslog-ng

I had problems with log lines being multiplied over syslog and polluting the disks with redundant log entries.
So I found a way to bind the daemon output to a dedicated systemd namespace and catch it later in syslog-ng.

$ sudo systemctl edit pdns-recursor.service

[Service]
ExecStart=
ExecStart=/usr/sbin/pdns_recursor --daemon=no --write-pid=no
LogNamespace=pdns-recursor

The empty ExecStart= clears the line from the packaged unit before the new one is set. LogNamespace= needs systemd 245 or newer; it starts a dedicated systemd-journald@pdns-recursor.service instance that receives only this service's stdout/stderr and syslog messages, so they never reach the main journal or the host's syslog.

/etc/powerdns/recursor.d/syslog.conf

log-timestamp=no
quiet=no
disable-syslog=no

The recursor only reads this directory when include-dir=/etc/powerdns/recursor.d is set, either in recursor.conf or on the command line with --include-dir (as the drop-in in the chroot section below does). quiet=no makes the recursor log every single query, so expect one line per lookup; log-timestamp=no is fine because the journal adds its own timestamp.


$ sudo systemctl restart pdns-recursor.service

After that, the daemon's output can be followed with:

$ sudo journalctl -lf --namespace=pdns-recursor

Change the part in /etc/syslog-ng/syslog-ng.conf from

source s_src {
       system();
       internal();
};

to

source s_journal_pdns_recursor
{
  systemd-journal(namespace("pdns-recursor"));
};

source s_journal_pdns
{
  systemd-journal(namespace("pdns"));
};

source s_src {
       # Because system() catches systemd-journal() you will have to comment it out or you will get this error:
       #  The configuration must not contain more than one systemd-journal() source;
       #system();
       internal();
};

This dedicated source can then be routed to whatever destination you like, for example a Graylog input:

destination d_graylog {
  network(
    "172.16.1.210"
    port("514")
    transport(udp)
  );
};
log {
  source(s_journal_pdns_recursor);
  destination(d_graylog);
  flags(final);
};
Check the configuration before reloading it, because a second reader of the default journal namespace makes syslog-ng refuse to start:

$ sudo syslog-ng --syntax-only
$ sudo systemctl restart syslog-ng.service

Note that network() with transport(udp) ships the log lines in clear text and without acknowledgement. A resolver's query log contains client addresses and the names they looked up, so on anything but a trusted network use transport("tls") with a tls() block (or at least transport(tcp)) towards the Graylog input.
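As an added example (not from the wiki page or from syslog-ng), here is a pre-flight check for the change above: it lists every source that reads the systemd journal and reports the combination the error message is about. The rule it encodes is the one that error implies and that the working configuration confirms: system() is an implicit systemd-journal() reader of the default namespace, and several journal readers are only acceptable when every one of them names a distinct namespace(). The two configurations embedded in it are constructed; `syslog-ng --syntax-only` remains the authoritative check.

```python
"""Pre-flight check for the syslog-ng change above.

Added example, not from the wiki page or from syslog-ng.  Rule encoded:
system() is an implicit systemd-journal() reader of the default namespace,
and several journal readers are only acceptable when each names a distinct
namespace().  `syslog-ng --syntax-only` gives the authoritative answer.
"""
import re


def strip_comments(conf):
    return re.sub(r"#[^\n]*", "", conf)


def source_blocks(conf):
    """Yield (name, body) for each `source NAME { ... };`, matching braces."""
    conf = strip_comments(conf)
    for m in re.finditer(r"\bsource\s+([\w-]+)\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def journal_readers(conf):
    """Return [(source name, namespace or None)] for every journal reader."""
    readers = []
    for name, body in source_blocks(conf):
        if re.search(r"\bsystem\s*\(\s*\)", body):
            readers.append((name, None))  # system() wraps systemd-journal() on systemd hosts
        for drv in re.finditer(r"systemd-journal\s*\(([^)]*)", body):
            ns = re.search(r'namespace\s*\(\s*"([^"]*)"', drv.group(1))
            readers.append((name, ns.group(1) if ns else None))
    return readers


def check(conf):
    """Return problem descriptions; an empty list means the config should load."""
    readers = journal_readers(conf)
    if len(readers) <= 1:
        return []
    problems = []
    unnamed = [name for name, ns in readers if ns is None]
    if unnamed:
        names = ", ".join(unnamed)
        problems.append(f"{len(readers)} systemd-journal() readers, but {names} read(s) "
                        f"the default namespace; comment out system() there")
    first_seen = {}
    for name, ns in readers:
        if ns is not None and ns in first_seen:
            problems.append(f"namespace {ns!r} is read twice: {first_seen[ns]} and {name}")
        first_seen.setdefault(ns, name)
    return problems


# Constructed configs: the intermediate state that fails, and the final one from the page.
BROKEN = """
source s_journal_pdns_recursor { systemd-journal(namespace("pdns-recursor")); };
source s_journal_pdns { systemd-journal(namespace("pdns")); };
source s_src {
       system();
       internal();
};
"""
FIXED = BROKEN.replace("       system();", "       #system();")

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "->", check(conf) or "ok")
```

The brace matching matters because network() and tls() blocks nest parentheses and braces inside a source; a line-oriented grep would miss a system() that sits on the same line as the opening brace.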

chroot with systemd

Create the chroot base. I would prefer to set up a ZFS dataset for it, but you can also do:

# mkdir -p /var/chroot

What we need to run pdns and pdns-recursor in a chroot is this:

/var/chroot/run/systemd/notify       <-- bind mount from /run/systemd/notify (socket)
/var/chroot/run/pdns-recursor        <-- bind mount from /run/pdns-recursor (dir)
/var/chroot/run/pdns                 <-- bind mount from /run/pdns (dir)
/var/chroot/usr/share/dns/root.hints <-- bind mount from /usr/share/dns (dir with root.hints file)

For that we have to create some systemd.mount files:

# systemctl list-units --all --type=mount,service var-chroot-* pdns*
  UNIT                                  LOAD   ACTIVE SUB     DESCRIPTION                                
  var-chroot-run-pdns.mount             loaded active mounted Mount /run/pdns to chroot
  var-chroot-run-pdns\x2drecursor.mount loaded active mounted Mount /run/pdns-recursor to chroot
  var-chroot-run-systemd-notify.mount   loaded active mounted Mount /run/systemd/notify to chroot
  var-chroot-run.mount                  loaded active mounted Temporary Directory /var/chroot/run
  var-chroot-tmp.mount                  loaded active mounted Temporary Directory /var/chroot/tmp
  var-chroot-usr-share-dns.mount        loaded active mounted Mount /usr/share/dns (root.hints) to chroot
  pdns-recursor.service                 loaded active running PowerDNS Recursor
  pdns.service                          loaded active running PowerDNS Authoritative Server
  var-chroot-create-dirs.service        loaded active exited  Create directories under /var/chroot

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
9 loaded units listed.
To show all installed unit files use 'systemctl list-unit-files'.

and a oneshot service that creates /var/chroot/run/systemd/notify, the file onto which systemd's notify socket is then bind-mounted.

# /etc/systemd/system/var-chroot-run.mount
[Unit]
Description=Temporary Directory /var/chroot/run
Documentation=https://systemd.io/TEMPORARY_DIRECTORIES
Documentation=man:file-hierarchy(7)
Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
ConditionPathIsSymbolicLink=!/var/chroot/run
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target
After=swap.target

[Mount]
What=tmpfs
Where=/var/chroot/run
Type=tmpfs
Options=mode=1777,strictatime,nosuid,nodev,noexec,size=50%%,nr_inodes=1m

[Install]
WantedBy=local-fs.target

# /etc/systemd/system/var-chroot-tmp.mount
[Unit]
Description=Temporary Directory /var/chroot/tmp
Documentation=https://systemd.io/TEMPORARY_DIRECTORIES
Documentation=man:file-hierarchy(7)
Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
ConditionPathIsSymbolicLink=!/var/chroot/tmp
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target
After=swap.target

[Mount]
What=tmpfs
Where=/var/chroot/tmp
Type=tmpfs
Options=mode=1777,strictatime,nosuid,nodev,noexec,size=50%%,nr_inodes=1m

[Install]
WantedBy=local-fs.target

# /etc/systemd/system/var-chroot-create-dirs.service
[Unit]
Description=Create directories under /var/chroot
ConditionPathExists=/var/chroot/run
After=var-chroot-run.mount

[Service]
Type=oneshot
RemainAfterExit=yes

RuntimeDirectory=pdns pdns-recursor
RuntimeDirectoryMode=0750
RuntimeDirectoryPreserve=True
User=pdns
Group=pdns

ExecStart=-mkdir    /var/chroot/run/systemd
ExecStart=-touch    /var/chroot/run/systemd/notify
[Install]
WantedBy=multi-user.target

# /etc/systemd/system/var-chroot-run-pdns.mount
[Unit]
Description=Mount /run/pdns to chroot
DefaultDependencies=no
ConditionPathExists=/run/pdns
ConditionCapability=CAP_SYS_ADMIN
After=zfs-mount.service
After=var-chroot-create-dirs.service
After=pdns.service

[Mount]
What=/run/pdns
Where=/var/chroot/run/pdns
Type=none
Options=bind

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/var-chroot-run-pdns\x2drecursor.mount
[Unit]
Description=Mount /run/pdns-recursor to chroot
DefaultDependencies=no
ConditionPathExists=/run/pdns-recursor
ConditionCapability=CAP_SYS_ADMIN
After=zfs-mount.service
After=var-chroot-create-dirs.service
Before=pdns-recursor.service

[Mount]
What=/run/pdns-recursor
Where=/var/chroot/run/pdns-recursor
Type=none
Options=bind

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/var-chroot-run-systemd-notify.mount
[Unit]
Description=Mount /run/systemd/notify to chroot
DefaultDependencies=no
ConditionPathExists=/run/systemd/notify
ConditionCapability=CAP_SYS_ADMIN
After=zfs-mount.service
After=var-chroot-create-dirs.service
Before=pdns-recursor.service

[Mount]
What=/run/systemd/notify
Where=/var/chroot/run/systemd/notify
Type=none
Options=rbind

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/var-chroot-usr-share-dns.mount
[Unit]
Description=Mount /usr/share/dns (root.hints) to chroot
DefaultDependencies=no
ConditionPathExists=/var/chroot/usr/share/dns
ConditionCapability=CAP_SYS_ADMIN
After=zfs-mount.service
After=var-chroot-create-dirs.service
Before=pdns-recursor.service

[Mount]
What=/usr/share/dns
Where=/var/chroot/usr/share/dns
Type=none
Options=rbind,ro

[Install]
WantedBy=multi-user.target

The mount point /var/chroot/usr/share/dns has to exist once (mkdir -p; /var/chroot is on persistent storage, unlike the tmpfs under /var/chroot/run), otherwise the ConditionPathExists= in the last unit skips the mount. Now we are ready to modify pdns.service and pdns-recursor.service with drop-ins like this:

# /etc/systemd/system/pdns.service.d/override.conf
[Service]
Type=simple
RuntimeDirectoryPreserve=True
ExecStart=
ExecStart=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
SystemCallFilter=@mount

[Unit]
Wants=local-fs.target

# /etc/systemd/system/pdns-recursor.service.d/override.conf
[Service]
Type=simple
RuntimeDirectoryPreserve=True
ExecStart=
ExecStart=/usr/sbin/pdns_recursor --daemon=no --write-pid=no --include-dir=/etc/powerdns/recursor.d
# Add the possibility to change user id and group id and to chroot
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
AmbientCapabilities=CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
SystemCallFilter=@mount

[Unit]
Wants=local-fs.target

Two properties of these drop-ins are easy to get wrong. CapabilityBoundingSet= lines are merged by OR with the lines in the packaged unit, so an override can only add capabilities; to restrict the set, put an empty CapabilityBoundingSet= first, which resets it. SystemCallFilter=@mount without a leading ~ is an allow-list when it stands alone, which would leave the daemon nothing but the mount-group system calls; in a drop-in it merges with the packaged unit's filter, and where that one is a deny-list that contains @mount, this line removes @mount (the group that holds chroot()) from it, which is what lets the chroot= setting in the PowerDNS configuration work. Check the merged result with:

$ systemctl daemon-reload
$ systemctl show pdns-recursor.service -p CapabilityBoundingSet -p SystemCallFilter
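Below is an added example, not part of the wiki page or of systemd: a small auditor for mount units and service drop-ins like the ones above. It parses unit text following systemd's rules for the settings used here (repeated keys accumulate, an empty `Key=` resets a list setting, drop-ins apply after the main unit, CapabilityBoundingSet= lines are merged by OR, and the first SystemCallFilter= line decides between allow-list and deny-list mode, see systemd.exec(5)) and then runs the checks a hardening review would do: tmpfs flags, writable bind mounts, ambient capabilities outside the bounding set, and a SystemCallFilter= that either stays an allow-list or still denies @mount. BASE_RECURSOR is a constructed stand-in for the packaged pdns-recursor.service, not the real file; compare it with `systemctl cat pdns-recursor.service` on your host.

```python
"""Audit mount units and service drop-ins like the ones above.

Added example; not part of the wiki page or of systemd.  BASE_RECURSOR is a
constructed stand-in for the packaged unit.  Merge rules follow systemd.exec(5).
"""
from collections import defaultdict


def parse_unit(text, into=None):
    """{section: {key: [values]}}; pass `into` to layer a drop-in over a unit."""
    unit = into if into is not None else defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value:
            unit[section][key].append(value)
        else:
            unit[section][key] = []  # `Key=` with nothing after it resets the setting
    return unit


def effective_filter(lines):
    """Merge SystemCallFilter= lines: the first sets the mode, later ones add or remove."""
    if not lines:
        return None, set()
    mode = "deny" if lines[0].startswith("~") else "allow"
    items = set(lines[0].lstrip("~").split())
    for line in lines[1:]:
        tokens = set(line.lstrip("~").split())
        if line.startswith("~") == (mode == "deny"):
            items |= tokens  # same kind of list as the first one: extends it
        else:
            items -= tokens  # opposite kind: removes from it
    return mode, items


def caps(lines):
    """CapabilityBoundingSet= and AmbientCapabilities= lines are merged by OR."""
    return {cap for line in lines for cap in line.split()}


def check_service(unit):
    s, out = unit["Service"], []
    if not s.get("ExecStart"):
        out.append("no ExecStart= left after the drop-in")
    stray = caps(s.get("AmbientCapabilities", [])) - caps(s.get("CapabilityBoundingSet", []))
    if stray:
        out.append("ambient capabilities outside the bounding set: " + " ".join(sorted(stray)))
    mode, items = effective_filter(s.get("SystemCallFilter", []))
    if mode == "allow":
        out.append("SystemCallFilter= is an allow-list: only " + " ".join(sorted(items)) + " permitted")
    elif mode == "deny" and "@mount" in items:
        out.append("SystemCallFilter= still denies @mount, which contains chroot()")
    return out


def check_mount(unit):
    m, out = unit["Mount"], []
    where = m.get("Where", ["?"])[-1]
    opts = set(",".join(m.get("Options", [])).split(","))
    if m.get("Type", [""])[-1] == "tmpfs":
        missing = {"nosuid", "nodev", "noexec"} - opts
        if missing:
            out.append(f"{where}: tmpfs lacks {','.join(sorted(missing))}")
    if opts & {"bind", "rbind"} and "ro" not in opts:
        out.append(f"{where}: writable bind mount of {m.get('What', ['?'])[-1]}")
    return out


BASE_RECURSOR = """[Service]
Type=notify
ExecStart=/usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap
"""
DROPIN_RECURSOR = """[Service]
Type=simple
ExecStart=
ExecStart=/usr/sbin/pdns_recursor --daemon=no --write-pid=no --include-dir=/etc/powerdns/recursor.d
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
AmbientCapabilities=CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
SystemCallFilter=@mount
"""
ROOT_HINTS_MOUNT = "[Mount]\nWhat=/usr/share/dns\nWhere=/var/chroot/usr/share/dns\nType=none\nOptions=rbind,ro\n"
RUN_PDNS_MOUNT = "[Mount]\nWhat=/run/pdns\nWhere=/var/chroot/run/pdns\nType=none\nOptions=bind\n"


def merged_recursor():
    """The drop-in layered over the (stand-in) packaged unit."""
    return parse_unit(DROPIN_RECURSOR, into=parse_unit(BASE_RECURSOR))


if __name__ == "__main__":
    print("drop-in alone:", check_service(parse_unit(DROPIN_RECURSOR)))
    print("merged unit:  ", check_service(merged_recursor()))
    for text in (ROOT_HINTS_MOUNT, RUN_PDNS_MOUNT):
        print("mount:", check_mount(parse_unit(text)) or ["ok"])
```

The interesting output is the difference between the drop-in on its own and the merged unit: alone, `SystemCallFilter=@mount` is reported as an allow-list that permits nothing else; layered over a deny-list that contains @mount, it removes @mount and the check passes. The writable bind mount of /run/pdns is reported on purpose; the daemon needs to write its control socket there, so that finding is one to acknowledge rather than fix.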