DNS & SSL

Private Nameservers & Authoritative DNS

Private Nameservers & Authoritative DNS

Vanta Panel includes a built-in authoritative DNS server (PowerDNS). That means you can run your own private nameserversns1.yourdomain.com and ns2.yourdomain.com, answering DNS directly from your VPS — instead of relying on Cloudflare or another third party. When you host a customer's domain, its DNS zone is created automatically and served from your server.

This guide takes you from zero to working private nameservers.

What you'll need

  • Vanta Panel 4.64 or newer (the installer sets up the DNS engine automatically).
  • A domain you control to build the nameservers on — e.g. yourdomain.com, giving you ns1.yourdomain.com and ns2.yourdomain.com. Use a domain that is yours, not one you host for a customer.
  • Access to that domain's registrar (to create glue records).
  • Port 53 (TCP and UDP) open at your VPS provider's firewall. The installer opens it in the server's own firewall; some providers have an additional edge firewall you must open too.

Step 1 — Set your nameservers and hostname

In vWHM → Server Setup:

  1. Set the server hostname to a subdomain you control, e.g. server.yourdomain.com.
  2. Enter your private nameservers:
  • Nameserver 1: ns1.yourdomain.com
  • Nameserver 2: ns2.yourdomain.com
  1. Click Save server setup.

The page then shows you the exact glue records to create — you'll need them in the next step.

Step 2 — Register glue records at your registrar

For the world to find your nameservers, your domain's registrar must publish glue records (also called "host records", "child nameservers", or "register a nameserver"). A glue record ties a nameserver hostname to an IP address.

At your registrar, create:

ns1.yourdomain.com  →  YOUR.SERVER.IP
ns2.yourdomain.com  →  YOUR.SERVER.IP

Where to find this varies by registrar — look for Private Nameservers, Register Nameservers, Host Records, or Child Nameservers in your domain's advanced DNS or settings.

This step can only be done at the registrar — no software on the server can create glue for you. DNS won't resolve through your nameservers until the glue exists and propagates (usually minutes to a few hours).

Step 3 — Enable automatic zones

Back in vWHM → Server Setup, under Authoritative DNS:

  • Confirm the status shows DNS engine: installed, Service: running, and Port 53: listening.
  • Tick "Automatically create a DNS zone for each new hosting account."
  • Save.

From now on, every account you create in vWHM gets an authoritative DNS zone built for it — SOA, your ns1/ns2 NS records, A records for the domain and www, and an MX record — all served from your server.

Step 4 — Point a domain and verify

When you (or a customer) create a hosting account for example.com:

  1. At example.com's registrar, set its nameservers to ns1.yourdomain.com and ns2.yourdomain.com.
  2. Once that propagates, the domain resolves through your server.

Verify at any time with dig (or an online DNS checker):

dig @ns1.yourdomain.com example.com A
dig example.com NS

You should see your server's IP for the A record and your ns1/ns2 for the NS records, answered authoritatively (the aa flag in the reply).

How it works

  • Vanta Panel runs PowerDNS as an authoritative-only DNS server: it answers for the zones you host and is not an open resolver, so there's no amplification risk in exposing port 53.
  • Each hosting account's zone lives in the panel — created when you add the account, updated on changes, and removed when you terminate it.
  • You can still use Cloudflare for domains you prefer to manage there; the built-in authoritative DNS and the optional Cloudflare integration coexist.

Troubleshooting

| Symptom | Fix | |---|---| | dig @YOUR.SERVER.IP example.com times out | Port 53 (TCP + UDP) isn't open at your VPS provider's edge firewall. Open it there. | | Nameservers don't resolve globally | Glue records aren't registered (Step 2), or are still propagating. Re-check at the registrar and allow a few hours. | | Server Setup shows "not installed" | You're on a build older than 4.64. Re-run the installer to add the DNS engine: curl -fsSL https://get.vantapanel.com | sudo bash | | A new account's domain doesn't resolve | Confirm the "automatically create a DNS zone" toggle is on, and that the domain's registrar points at your nameservers. |

Last updated Jul 5, 2026 · Need help?