The DNS server is implemented using PowerDNS, one of the leading DNS server implemented, which provides strong security and reliability. The chosen backend is a simple SQLite database, providing simplicity and performance for this single server.
It is also possible to use third party DNS mirrors, that will safely and securely replicate your DNS content if needed.
The DNS server implements DNSSEC out of the box. This means that you are protected against cache poisoning, as each records will be digitally signed.
DANE records are created as well, especially for the mail and Jabber related records. DANE means DNS-based Authentication of Named Entities, and will enforce the traffic between your mail server and the other ones to use encryption.
A Secure Shell fingerprint record (abbreviated as SSHFP record) is a type of resource record in the which publishes and signs public SSH keys associated with your server. This constitute a better solution than blindly accepting public keys the first time you login on a server using SSH.
CAA records are created as well, to prevent any third party to create records using another cetificate authority than LetsEncrypt.
By default, a “catch-all” record will be created, redirecting all queries to your domains to your server. This let you create wildcard certificates with LetsEncrypt as well, using the DNS challenge.