# PowerDNS Notes

## v1 Design
- Authoritative server: powerdns/pdns-auth (Docker)
- Backend: sqlite3 in PDNS_DATA_DIR
- API enabled and published to localhost only

## Production Hardening
- Run behind firewall; restrict UDP/TCP 53 to known resolvers or public as needed
- Keep API bound to localhost
- Consider a second NS (ns2) on a separate node/provider for resilience
- Back up PDNS_DATA_DIR using backup-sovereign