DNS & SSL
Private Nameservers & Authoritative DNS
Private Nameservers & Authoritative DNS
Vanta Panel includes a built-in authoritative DNS server (PowerDNS). That means you can run your own private nameservers — ns1.yourdomain.com and ns2.yourdomain.com, answering DNS directly from your VPS — instead of relying on Cloudflare or another third party. When you host a customer's domain, its DNS zone is created automatically and served from your server.
This guide takes you from zero to working private nameservers.
What you'll need
- Vanta Panel 4.64 or newer (the installer sets up the DNS engine automatically).
- A domain you control to build the nameservers on — e.g.
yourdomain.com, giving youns1.yourdomain.comandns2.yourdomain.com. Use a domain that is yours, not one you host for a customer. - Access to that domain's registrar (to create glue records).
- Port 53 (TCP and UDP) open at your VPS provider's firewall. The installer opens it in the server's own firewall; some providers have an additional edge firewall you must open too.
Step 1 — Set your nameservers and hostname
In vWHM → Server Setup:
- Set the server hostname to a subdomain you control, e.g.
server.yourdomain.com. - Enter your private nameservers:
- Nameserver 1:
ns1.yourdomain.com - Nameserver 2:
ns2.yourdomain.com
- Click Save server setup.
The page then shows you the exact glue records to create — you'll need them in the next step.
Step 2 — Register glue records at your registrar
For the world to find your nameservers, your domain's registrar must publish glue records (also called "host records", "child nameservers", or "register a nameserver"). A glue record ties a nameserver hostname to an IP address.
At your registrar, create:
ns1.yourdomain.com → YOUR.SERVER.IP
ns2.yourdomain.com → YOUR.SERVER.IP
Where to find this varies by registrar — look for Private Nameservers, Register Nameservers, Host Records, or Child Nameservers in your domain's advanced DNS or settings.
This step can only be done at the registrar — no software on the server can create glue for you. DNS won't resolve through your nameservers until the glue exists and propagates (usually minutes to a few hours).
Step 3 — Enable automatic zones
Back in vWHM → Server Setup, under Authoritative DNS:
- Confirm the status shows DNS engine: installed, Service: running, and Port 53: listening.
- Tick "Automatically create a DNS zone for each new hosting account."
- Save.
From now on, every account you create in vWHM gets an authoritative DNS zone built for it — SOA, your ns1/ns2 NS records, A records for the domain and www, and an MX record — all served from your server.
Step 4 — Point a domain and verify
When you (or a customer) create a hosting account for example.com:
- At
example.com's registrar, set its nameservers tons1.yourdomain.comandns2.yourdomain.com. - Once that propagates, the domain resolves through your server.
Verify at any time with dig (or an online DNS checker):
dig @ns1.yourdomain.com example.com A
dig example.com NS
You should see your server's IP for the A record and your ns1/ns2 for the NS records, answered authoritatively (the aa flag in the reply).
How it works
- Vanta Panel runs PowerDNS as an authoritative-only DNS server: it answers for the zones you host and is not an open resolver, so there's no amplification risk in exposing port 53.
- Each hosting account's zone lives in the panel — created when you add the account, updated on changes, and removed when you terminate it.
- You can still use Cloudflare for domains you prefer to manage there; the built-in authoritative DNS and the optional Cloudflare integration coexist.
Troubleshooting
| Symptom | Fix | |---|---| | dig @YOUR.SERVER.IP example.com times out | Port 53 (TCP + UDP) isn't open at your VPS provider's edge firewall. Open it there. | | Nameservers don't resolve globally | Glue records aren't registered (Step 2), or are still propagating. Re-check at the registrar and allow a few hours. | | Server Setup shows "not installed" | You're on a build older than 4.64. Re-run the installer to add the DNS engine: curl -fsSL https://get.vantapanel.com | sudo bash | | A new account's domain doesn't resolve | Confirm the "automatically create a DNS zone" toggle is on, and that the domain's registrar points at your nameservers. |