DNS Management
enconf integrates PowerDNS as an authoritative DNS server. DNS management allows you to create and edit zones and records directly in the panel.
Overview
DNS management is divided into two areas:
- Zones — List of all DNS zones
- Records — Detail view of a zone with all DNS entries
DNS Zone Table
| Column | Description |
|---|---|
| Zone | DNS zone name (e.g. example.com.) |
| Type | Zone type (Native, Master, Slave) |
| Serial | SOA serial number |
| Customer | Assigned customer |
| Created | Creation date |
Create Zone
New DNS zones are created automatically when a domain is added. Manual creation is also possible:
- Click Create Zone
- Fill out the form:
| Field | Required | Description |
|---|---|---|
| Zone Name | Yes | Domain name (e.g. example.com) |
| Customer | Yes (Admin) | Assignment to a customer |
| Type | Yes | Native (default), Master, or Slave |
- Click Create
The system automatically creates the default records:
- SOA — Start of Authority
- NS — Nameserver entries
- A — IPv4 address of the server
- AAAA — IPv6 address (if configured)
- MX — Mail Exchanger (if email is enabled)
Manage Records
Click on a zone to open the record detail view.
Supported Record Types
| Type | Description | Example |
|---|---|---|
| A | IPv4 address | 93.184.216.34 |
| AAAA | IPv6 address | 2606:2800:220:1:248:1893:25c8:1946 |
| CNAME | Alias to another hostname | www.example.com > example.com |
| MX | Mail server | 10 mail.example.com |
| TXT | Text record (SPF, DKIM, DMARC) | v=spf1 ip4:93.184.216.34 -all |
| SRV | Service record | _sip._tcp 0 5 5060 sip.example.com |
| NS | Nameserver | ns1.example.com |
| CAA | Certificate Authority Authorization | 0 issue "letsencrypt.org" |
| PTR | Reverse DNS | 34.216.184.93.in-addr.arpa |
| SOA | Start of Authority | Automatically managed |
Add Record
- Click Add Record
- Fill out the form:
| Field | Required | Description |
|---|---|---|
| Name | Yes | Hostname (e.g. www, mail, @ for zone root) |
| Type | Yes | Select record type |
| Content | Yes | Record value |
| TTL | Yes | Time to Live in seconds (default: 3600) |
| Priority | MX/SRV only | Priority value |
- Click Add
TTL Recommendations
- Default: 3600 (1 hour)
- Frequently changed: 300 (5 minutes)
- Rarely changed: 86400 (24 hours)
Edit Record
- Click the Edit icon next to a record
- Change name, type, content, or TTL
- Click Save
Delete Record
- Click the Delete icon
- Confirm the deletion
System-Critical Records
Do not delete SOA or NS records, as this will affect DNS resolution for the entire zone.
Email Security (DNS)
The Email Security tab in DNS management provides an overview of email-related DNS records:
SPF (Sender Policy Framework)
- Defines which servers are allowed to send emails for the domain
- Created as a TXT record
- Example:
v=spf1 ip4:SERVER_IP mx -all
DKIM (DomainKeys Identified Mail)
- Digital signature for outgoing emails
- Automatically created as a TXT record
- Key generation via domain management
DMARC (Domain-based Message Authentication)
- Policy for handling failed SPF/DKIM checks
- Created as a TXT record under _dmarc.domain.com
- Example:
v=DMARC1; p=quarantine; rua=mailto:postmaster@domain.com
Maximize Email Deliverability
Always configure all three mechanisms (SPF + DKIM + DMARC) for maximum email deliverability.
DNSSEC
DNSSEC (DNS Security Extensions) protects DNS responses from manipulation and spoofing through digital signatures.
Enable DNSSEC
- Open a DNS zone
- Navigate to the DNSSEC tab
- Click Enable DNSSEC
The system automatically runs:
- pdnsutil secure-zone <zone> to generate keys
- Generation of KSK (Key Signing Key) and ZSK (Zone Signing Key)
Register DS Records with Your Registrar
After activation, the DS records are displayed. You must register these with your domain registrar:
| Field | Description |
|---|---|
| Key Tag | Identification number of the key |
| Algorithm | Cryptographic algorithm (e.g., ECDSA 256) |
| Digest Type | Hash algorithm (SHA-256, SHA-384) |
| Digest | Hash value of the KSK |
DS Records at Registrar
DNSSEC is only fully active once the DS records have been registered with your registrar and published in the parent zone. Without DS records, resolvers treat the zone as unsigned and do not validate it.
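How the Key Tag and Digest fields in the table above are derived from the KSK, as an added example (not enconf or PowerDNS code) that recomputes a DS record from a DNSKEY so the values can be checked before they are submitted to the registrar. The function names and the sample key are constructed for illustration; the DS line is assumed to be in the standard "key tag, algorithm, digest type, digest" presentation order.

```python
import base64
import hashlib
import struct

# Digest type numbers from the IANA DS registry: 2 = SHA-256, 4 = SHA-384.
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of the owner name, as RFC 4034 requires."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034 Appendix B (all but obsolete algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(zone, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, digest_hex) for a KSK."""
    if not flags & 0x0001:
        raise ValueError("SEP bit not set: the DS should reference the KSK (flags 257)")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(zone) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def matches_ds_rdata(ds, ds_text: str) -> bool:
    """Compare a computed DS tuple with a DS line in presentation format."""
    tag, alg, dtype, digest = ds_text.split(None, 3)
    return ds == (int(tag), int(alg), int(dtype), digest.replace(" ", "").upper())


# Constructed sample: flags 257 (KSK), algorithm 13 (ECDSA P-256), and a
# placeholder 64-byte "public key" made of bytes 0..63. Not a real key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    print(ds_from_dnskey("example.com.", 257, 3, 13, SAMPLE_KEY))
```

The digest covers the owner name in wire form followed by the DNSKEY RDATA, so a DS computed for the wrong zone name or for the ZSK will not match.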
Disable DNSSEC
- Open the DNS zone
- Navigate to the DNSSEC tab
- Click Disable DNSSEC
Remove DS Records First
Remove the DS records from your registrar before disabling DNSSEC. Otherwise validating resolvers will still expect signed answers, and the domain will become unreachable for them.
Requirements
- PowerDNS must be configured with gsqlite3-dnssec=yes (SQLite) or gpgsql-dnssec=yes (PostgreSQL)
- On new installations this setting is configured automatically
Synchronize Zone
Click Synchronize to reconcile the zone data with PowerDNS. This is useful when records have been changed directly in PowerDNS.
Delete Zone
- Click the Delete icon in the zone list
- Confirm the deletion
All Records Will Be Deleted
When deleting a zone, all associated DNS records are permanently removed.