Poweradmin

DNS & Service Discovery

A web-based control panel for PowerDNS

Track releases GitHub Website

PHP Latest v4.0.11 · 19d ago Security brief →

Features

Web-based DNS administration for PowerDNS
Supports master, native, and slave zone types
Multi-language UI with light/dark themes
User/role management and authentication (local, LDAP, SAML, OIDC, MFA)
RESTful API documented via OpenAPI

Recent releases

View all 18 releases →

No immediate action

v4.0.11 Bug fix 19d

Ambiguous column error fixed

Open

v4.2.3 Security relevant 24d

Security fixes

Forwarded-IP headers (`X-Forwarded-For`, `X-Real-IP`, `Client-IP`) are now only honored when the peer (`REMOTE_ADDR`) is a private or loopback address, preventing audit‑log spoofing and per‑IP rate‑limit bypass.

Notable features

Group‑owned zones show correct edit/delete controls
PostgreSQL strict typing fixes prevent zone editing/search breakage
Bulk record add handles CSV escaping correctly

Full changelog

✨ Highlights

Patch release for the stable 4.2.x line. Focus is hardened proxy header handling, group-owned zone visibility, and PostgreSQL compatibility fixes.

🐛 Fixes

Forwarded-IP headers (X-Forwarded-For, X-Real-IP, Client-IP) are now only honored when the peer (REMOTE_ADDR) is a private or loopback address. Direct-internet deployments stop trusting client-supplied headers, preventing audit-log spoofing and per-IP rate-limit bypass. Same hardening cherry-picked to 4.3.x, master, and develop.
Group-owned zones show the correct edit/delete controls in zone search and zone lists (#1200, #1194).
PostgreSQL strict typing on record_comment_links no longer breaks zone editing or record search (#1192). Both sides of the join are now cast so it works regardless of whether the linking column is INTEGER or VARCHAR.
Bulk record add correctly handles CSV escaping (#1199).
CNAME validation accepts numeric-string record IDs from the GUI (#1202).
API record edits honor the zone_content_edit_own_as_client permission (#1203).
Users API keeps auth_method in sync when use_ldap is toggled (#1195).
Zone templates: sync uses zones.id instead of domain_id (#1210); consecutive spaces are preserved in template content listings (#1212).
404 page now fits the viewport without scrolling.
Bulk registration template links to group/user management (refs #1201).

📦 Upgrading

Drop-in replacement for v4.2.2. PHP 8.2+ required (unchanged).

Full changelog: https://github.com/poweradmin/poweradmin/compare/v4.2.2...v4.2.3

View release on GitHub

v4.3.1 Bug fix 1mo

Minor fixes and improvements.

Full changelog

🐛 Bug Fixes

⚙️ config:

surface clear error when settings.defaults.php is missing (closes #1158) (927fcd1)

📥 installer:

correct MySQL backfill query in 4.3.0 upgrade script (closes #1159) (7a8122b)

View release on GitHub

v4.3.0 Breaking risk 1mo

Breaking changes

API v1 deprecated with Sunset date announced via header

Notable features

API backend mode without direct database access
Zone metadata editor for domainmetadata
Audit logging across user, zone, DNSSEC, auth operations

Full changelog

Native API-only deployments, a domainmetadata editor, log filtering and exports, hardened auth, and plenty more.

✨ Highlights

API backend mode - run Poweradmin without direct PowerDNS database access (#658)
Zone metadata editor for PowerDNS domainmetadata (#1117)
Audit logging across user, zone, template, DNSSEC, auth, MFA, and API operations
Log pages - filters, CSV/JSON export, detail modals, client IP and auth method visible everywhere
SSO permission template mapping with env vars and stale mapping revocation
API v1 deprecated with Sunset date announced via header and OpenAPI (#1146)

🐳 Docker

PA_PDNS_BACKEND selects SQL or API mode
PA_TRUSTED_CA_FILE mounts custom CA certificates (#1065)
PA_TRUSTED_PROXIES for real client IP behind reverse proxies (#1134)
Env var support for module configuration (#1084)
dns_wizards and email_previews togglable via env vars (#1116)
Rootless container mode; port 80 binding restored in root mode (#1118)

🌍 DNS & content

Custom TLD-to-server mapping for WHOIS and RDAP, with .za added (#1138)
IDN/punycode support for record names and content, incl. HTTPS, SVCB, and LP (#1090)
IPv6 batch PTR with correct nibble expansion (#1110)
Selective zone template update instead of full replace

🛡️ Security hardening

md5 and md5salt hashing removed for new passwords (existing hashes still validate)
Default bcrypt cost bumped to 12
CSRF validation required for API key toggle
IpAddressRetriever hardened - X-Real-IP support, proxy headers matching REMOTE_ADDR skipped, parsing bugs fixed (#1134)
Mail MIME boundary uses random_bytes instead of md5

🔧 Other

Dashboard zone, record, and user count stats for admins
Globe language switcher on the login page
disabled field respected in bulk record CSV import
Preserve auth_method on OIDC/SAML user edits (#1064)

Full changelog: https://github.com/poweradmin/poweradmin/compare/v4.2.1...v4.3.0

View release on GitHub

v4.2.2 Bug fix 1mo

Notable features

TRUSTED_PROXIES env var for reverse proxies
X-Real-IP support
Group-owned zone listing

Full changelog

✨ Highlights

Patch release for the stable 4.2.x line. Focus is real client IP handling behind reverse proxies, group-owned zone visibility, and small UI fixes.

🐛 Fixes

Real client IP behind reverse proxies (#1134) - new TRUSTED_PROXIES env var, X-Real-IP support, correct handling of proxy headers, and consistent use across auth and logging. Several IP parsing bugs fixed along the way.
Zones owned only via a group are listed correctly in the API (#1153) and counted without duplication in dashboard stats (refs #1112).
API Keys submenu is now shown to users with the api_manage_keys permission (#1154).
.za WHOIS server entry added for South African domains (#1138).
Suppressed misleading "User unknown" log noise on unauthenticated requests.