ODAC DNS

Your server is now
its own nameserver.

A real authoritative DNS server runs inside your ODAC node. Point your domain here once, then every app you deploy, every cert you issue, and every mailbox you create writes its own records. No BIND, no Cloudflare, no Route 53.

DNS Authoritative
yourdomain.com NS ns1.yourdomain.com · set once, at your registrar
Scroll

Zero manual DNS

Records write themselves.
You just deploy.

DNS records are a byproduct of using ODAC, not a chore. The zone maintains itself as you work, and every change bumps the SOA serial atomically so resolvers pick it up cleanly.

  • Deploy an app and its A, AAAA and CNAME records appear on their own.
  • Issue SSL and ACME challenge records are injected, then cleaned up for you.
  • Create a mailbox and MX, SPF, DKIM and DMARC are generated automatically.
yourdomain.com.zone
SOA 2026070101
@SOAns1 admin 2026070101
@NSns1.yourdomain.com.
appA203.0.113.7
appAAAA2606:4700:110::7
wwwCNAMEapp.yourdomain.com.
_acme-challengeTXT"pR9xK2...verify"issuing
@MX10 mail.yourdomain.com.
@TXT"v=spf1 mx ~all"
default._domainkeyTXT"v=DKIM1; k=rsa; p=MIIBI..."
_dmarcTXT"v=DMARC1; p=quarantine"
You never opened a DNS dashboard. The zone kept itself.
Lookup path query app.example.com A
ODAC · indexed O(1) · 1 hop
Typical · linear scan O(n) · many hops
0
queries / sec / core
pre-indexed (name, type)
sync.Pool reuse
minimal allocations

Native Go engine

One hop to the answer. Every time.

The DNS hot path is a dedicated Go binary, not a script. Zones are pre-compiled into in-memory indices, so every lookup, wildcard and name-existence check is O(1). No linear scans, no per-query allocations on the hot path.

Hostile to abuse, by default

Per-IP rate limiting is enforced lock-free with a sync.Map at O(1) per query, and classic amplification floods are refused outright.

per-IP budget 2,500 q/min
ANY flood refused · SOA only

Automatic address detection

It finds its own address.
You never type an IP.

ODAC probes several independent providers for both IPv4 and IPv6, cross-checks them against local interfaces, and classifies every address as public or private, with full RFC 1918, CGNAT and link-local awareness. Placeholder records resolve to the correct live IP at query time.

PTR-aware resolution

On multi-IP servers, ODAC runs reverse lookups and answers each hostname with the IP whose PTR actually matches, which is critical for mail deliverability.

Probing for public IP v4 & v6
icanhazip203.0.113.7
ipify203.0.113.7
AWS checkip203.0.113.7
local iface10.0.0.4 · private
Verified public IP
203.0.113.7 · 2606:4700:110::7

Mail-grade DNS

Mail that actually delivers.

2048-bit DKIM public keys routinely exceed a single 255-byte TXT string, and that is where lesser servers silently truncate the key. ODAC splits it into RFC-compliant character-strings automatically, so DKIM never fails quietly.

default._domainkey auto-split · RFC 7208
"v=DKIM1; k=rsa; p=MIIBIjANBgkqh" "kiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" "7Xq2vN4pLmR8sT1uWx3yZ0aB5cD6eF9" "gH2iJ4kL6mN8oP0qR2sT4uV6wX8yZ0a" "bC2dE4fG6hI8jK0lM2nO4pQ6rS8tU0v" "IDAQAB"
MX10 mail.yourdomain.com.
SPFv=spf1 mx ~all
DMARCp=quarantine; rua=...
CAA0 issue "letsencrypt.org"
Every zone ships a default Let's Encrypt CAA policy, so automated certs work out of the box, and you can still lock issuance down with your own records.

Reliability

A real nameserver. None of the babysitting.

Zero-downtime reloads

The whole zone database is pointer-swapped atomically under one write lock. During self-updates, SO_REUSEPORT and a readiness handshake confirm the new instance is answering on port 53 before the old one steps down. No resolution gap, ever.

Self-healing

The ODAC watchdog health-checks the DNS process and respawns it if it ever dies, with PID-file race guards preventing duplicates. It tries port 53, negotiates around systemd-resolved, and falls back cleanly if it has to.

Zero dependencies

No BIND, no PowerDNS, no CoreDNS, no external DNS SaaS bill. The whole authoritative server is a single self-managed Go binary. Wildcards and in-zone CNAME chasing are handled so even flaky resolvers still reach your site.

O(1) query lookup Lock-free rate limiting Atomic zone reloads Auto SOA serials EDNS0 · 4096 buffer Dual-stack v4 + v6 RFC 1034 / 1035 / 2308 / 7208 / 8482 Graceful 10s drain

Get early access

Stop managing DNS.
Start shipping.

Join the waitlist and let your server run its own authoritative nameserver, so the records write themselves and you never touch a DNS dashboard again.