diff --git a/hosts/powerdns/default.nix b/hosts/powerdns/default.nix
new file mode 100644
index 0000000..270ce81
--- /dev/null
+++ b/hosts/powerdns/default.nix
@@ -0,0 +1,35 @@
+{ ... }:
+
+ {
+ imports = [
+ ../common.nix
+ ../../services/openssh.nix
+ ../../services/powerdns.nix
+ ];
+
+ networking = {
+ hostName = "powerdns";
+ firewall = {
+ allowedTCPPorts = [
+ 53 # DNS
+ ];
+ allowedUDPPorts = [
+ 53 # DNS
+ ];
+ };
+ };
+
+ services = {
+ openssh.banner = ''
+ __ __
+ /\ \__ /\ \
+ ___ ____ ___ ____\ \ ,_\ ___ ___ ___\ \ \____
+ /' _ `\ /',__\ / __`\ /',__\\ \ \/ /'___\ /'___\ /'___\ \ '__`\
+ /\ \/\ \/\__, `\__/\ \L\ \/\__, `\\ \ \_ __/\ \__//\ \__//\ \__/\ \ \L\ \
+ \ \_\ \_\/\____/\_\ \____/\/\____/ \ \__\/\_\ \____\ \____\ \____\\ \_,__/
+ \/_/\/_/\/___/\/_/\/___/ \/___/ \/__/\/_/\/____/\/____/\/____/ \/___/
+ '';
+ };
+
+ system.stateVersion = "25.11";
+}
diff --git a/services/powerdns.nix b/services/powerdns.nix
new file mode 100644
index 0000000..209a978
--- /dev/null
+++ b/services/powerdns.nix
@@ -0,0 +1,72 @@
+{ config, ... }:
+
+ {
+ # exposes prometheus metrics at http://127.0.0.1:8081/metrics
+ services = {
+ powerdns = {
+ enable = true;
+ secretFile = config.age.secrets.powerdns.path;
+ # API_KEY=supersecret123!
+ # WEBSERVER_PASSWORD=supersecre123!
+ extraConfig = ''
+ api=yes
+ api-key=$API_KEY
+ local-address=0.0.0.0, ::
+ local-port=53
+ log-timestamp=no # journald already does this
+ resolver=127.0.0.54:5300 # Used for ALIAS lookup
+ secondary=yes
+ version-string=anonymous
+ webserver-password=$WEBSERVER_PASSWORD
+ webserver-port=8081
+
+ launch=bind
+ '';
+ };
+ powerdns-admin = {
+ enable = true;
+ secretKeyFile = config.age.secrets.powerdns-admin-cookie-secret.path;
+ saltFile = config.age.secrets.powerdns-admin-salt.path;
+ extraArgs = [];
+ config = ''
+ # PDA
+ SIGNUP_ENABLED = True
+ LOCAL_DB_ENABLED = True
+
+ # Flask
+ BIND_ADDRESS = '127.0.0.1'
+ PORT = 8000
+ #SESSION_COOKIE_SECURE = True
+
+ # Flask-Session
+ import cachelib
+ SESSION_TYPE = 'cachelib'
+ SESSION_CACHELIB = cachelib.simple.SimpleCache()
+
+ # Flask-SQLAlchemy
+ SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=/run/postgresql'
+ SQLALCHEMY_TRACK_MODIFICATIONS = True
+
+ # FLask-SeaSurf
+ #CSRF_COOKIE_SECURE = True
+ '';
+ };
+ postgresql = {
+ enable = true;
+ package = pkgs.postgresql_18;
+ ensureUsers = [
+ {
+ name = "pda";
+ ensureDBOwnership = true;
+ }
+ ];
+ ensureDatabases = [ "pda" ];
+ };
+ postgresqlBackup = {
+ enable = true;
+ compression = "zstd";
+ startAt = "@midnight";
+ };
+ };
+}
+
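Review bot: `package = pkgs.postgresql_18;` references `pkgs`, but the module header `{ config, ... }:` never binds it, so evaluating this module fails with an undefined variable; change the first line to `{ config, pkgs, ... }:`. The database wiring also looks inconsistent: postgresql ensures a role and database named `pda`, while powerdns-admin's `SQLALCHEMY_DATABASE_URI` connects as `powerdnsadmin` to database `powerdnsadmin` over the `/run/postgresql` socket, so unless the service really runs as a system user called `powerdnsadmin` and that role exists (not shown here), the socket's peer authentication will presumably reject the connection — align the two names. `SIGNUP_ENABLED = True` together with `SESSION_COOKIE_SECURE` and `CSRF_COOKIE_SECURE` left commented out keeps self-registration open on the admin UI and leaves session and CSRF cookies without the Secure flag; if a TLS-terminating reverse proxy fronts 127.0.0.1:8000, enable both flags, and consider disabling signup once the initial account exists. The `# API_KEY=supersecret123!` / `# WEBSERVER_PASSWORD=supersecre123!` comments read as literal credentials rather than a format hint; rewrite them as `# secret file format (example values only): API_KEY=<api key>, WEBSERVER_PASSWORD=<password>` so nobody mistakes them for, or copies them as, real values.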