Please add DNS server in the bundle #303

Open
hrstoyanov opened this issue Mar 5, 2025 · 7 comments

Comments

@hrstoyanov

hrstoyanov commented Mar 5, 2025

This would make MOX the best email server! Then I can make a DNS server for mail sub-domain moxmail.mydomain.com.

@easytarget

This isn't exactly an easy or simple thing to do 😉, but a DNS server that could have a common config and be directly provisioned for mail settings by mox itself is quite a nice idea.

Since I'm already self hosting mail, self hosting DNS isn't much of an additional step.

@mjl-
Owner

mjl- commented Mar 5, 2025

The suggestion of including a DNS server was also raised at the last talk at FOSDEM (https://fosdem.org/2025/schedule/event/fosdem-2025-5364-mox-and-simplifying-mail-server-setup-management/), a part of which was about DNS and plans to automate DNS management. Perhaps having integration for changing DNS records is already enough?

Including a DNS server is quite a bit more software/functionality/complexity to add. I would want to provide DNSSEC too. I do have some experience with that (https://github.com/mjl-/gopherwatch includes a DNS server with online DNSSEC signing!), but it's a lot of work to make it compliant and bug-free.

Also, it feels like a DNS server is one level "lower" in a networking setup. I don't know if it's a good idea to combine DNS and mail/web in general. Though I can see how it can simplify many things. Secondary (and more) servers can be set up with AXFR, so that shouldn't be the hard part.

@hrstoyanov
Author

hrstoyanov commented Mar 5, 2025

@mjl-
If that can be done in a way that the mox built-in DNS server is only for the email subdomain, for the higher level domain we still use our regular cloud provider's DNS?

You have already made the brilliant decision to bundle in all the flavours of email servers, even an http server.

@mjl-
Owner

mjl- commented Mar 6, 2025

If users have a domain my.example, and want to configure mox below sub.my.example, with addresses like [email protected], then it may work. But I suspect most users will want to have their email under my.example, and that needs quite a few DNS records in various places below my.example.

For example, let's say the user email domain is example.com, and the hostname (where mox is installed, and that will handle email for example.com) is mox.example.net.

You'll need dns records for the mx hostname:

  • mox.example.net (txt for spf, txt for tlsrpt, tlsa for dane)

And quite a few in different places under the email domain:

  • example.com (mx, txt for spf, optional caa)
  • *._domainkey.example.com (txt for dkim)
  • mta-sts.example.com (cname)
  • _mta-sts.example.com (txt)
  • _smtp._tls.example.com (txt for tlsrpt)
  • mail.example.com (cname, for imap/submission configs)
  • autoconfig.example.com (cname)
  • _autodiscover._tcp.example.com. (srv)
  • *._tcp.example.com (srv for autoconfig)

Some of these are not strictly necessary, but still good to have.

I'm not completely against the idea of having a DNS server in mox at some point in the future. Especially when it signs zones and sends them off to secondaries. Then I'm less afraid of downtime. But it is a lot of work. It would help if there is already code out there that signs zones. I've used github.com/miekg/dns for handling dns requests, but only to parse requests and write responses, not for its handler. I'm not so sure that code is complete/compliant.

Btw, I checked out a few mail providers about 6 weeks ago for how they handle migrations of domains to them. They typically ask you to add DNS records required for email, and take you along step by step, checking if you've done it correctly. Fastmail was interesting in that it asks if you're doing anything else with your domain, like have a website. If you answer "no", it asks you to configure their name servers for your domain, so they'll do all of the DNS serving.

I'm still intrigued by the idea...

@hrstoyanov
Author

@mjl- thanks for responding!
We are just exploring things here, and MOX is a brilliant idea that has made all the right choices so far. I have been contemplating doing something like MOX for years, good thing you are not as lazy as myself!

I recently moved a bunch of domain records from Square to Cloudflare and had to set up a mail provider. Not very happy with manual copy and paste of DNS records, also for MX, nor with the cloud email provider. I ended up with AWS SES lock-in for transactional (outgoing) emails and a different email box provider for normal domain emails. I wish I knew about MOX!

@easytarget

easytarget commented Mar 8, 2025

While adding an authoritative DNS server to mox is quite a leap, it might be far more possible to allow it to provision a locally hosted DNS server. Or generate the config for it.

I'm thinking specifically of unbound, it is a ubiquitous, well regarded and secure DNS server that can do authoritative DNS record hosting and DNS over TLS. It is also far easier to configure and use than BIND (+co).

So I'm imagining an option where mox directly generates instructions and config fragment(s) that can be imported/included into the main unbound config, and fully provisions the domain.

  • It will need a mechanism to allow specifying all the additional custom records for existing subdomains etc.
  • It should support dnssec, I'm very unclear on what would be needed for this, I'm guessing generating more keys etc will be needed.
  • Currently unbound is also the authoritative DNS server of choice for FreeBSD, openWRT and Pi-Holes.

Unbound also has unbound-control, a secure remote configuration tool; this could be incorporated into mox to allow automated provisioning. Which could be cool but maybe ties MOX too closely to Unbound. Just outputting config is easier and allows for supporting different DNS servers.
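As an added example (not mox code, and not something mjl- or easytarget posted), the Go program below builds the record set mjl- lists earlier in the thread for an email domain and its MX hostname, then renders the records that belong to one zone as an unbound include fragment of the kind easytarget proposes. The record data (SPF policy, DKIM key and selector, MTA-STS id, CAA issuer, TLSA hash) are constructed placeholders, and the expansion of `*._tcp` into the RFC 6186 `_imaps._tcp`/`_submissions._tcp` service names is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is one DNS record in presentation format; Name carries a trailing dot.
type Record struct{ Name, Type, Data string }

// MailRecords builds the record set listed in the thread for email domain `domain`
// hosted by mox on `host` (both without trailing dot). SPF, DKIM, MTA-STS, CAA and
// TLSA data are constructed placeholders, not values mox itself emits.
func MailRecords(domain, host string) []Record {
	d, h := domain+".", host+"."
	tlsrpt := `"v=TLSRPTv1; rua=mailto:tlsrpt@` + domain + `"`
	return []Record{
		{h, "TXT", `"v=spf1 a -all"`}, // at the MX hostname: SPF, TLSRPT, DANE TLSA
		{"_smtp._tls." + h, "TXT", tlsrpt},
		{"_25._tcp." + h, "TLSA", "3 1 1 <spki-sha256-placeholder>"},
		{d, "MX", "10 " + h}, // under the email domain
		{d, "TXT", `"v=spf1 mx -all"`},
		{d, "CAA", `0 issue "<ca-placeholder>"`},
		{"<selector>._domainkey." + d, "TXT", `"v=DKIM1; k=ed25519; p=<pubkey-placeholder>"`},
		{"mta-sts." + d, "CNAME", h},
		{"_mta-sts." + d, "TXT", `"v=STSv1; id=<policy-id-placeholder>"`},
		{"_smtp._tls." + d, "TXT", tlsrpt},
		{"mail." + d, "CNAME", h},
		{"autoconfig." + d, "CNAME", h},
		{"_autodiscover._tcp." + d, "SRV", "0 1 443 autoconfig." + d},
		{"_imaps._tcp." + d, "SRV", "0 1 993 mail." + d}, // RFC 6186 client autoconfig (assumed)
		{"_submissions._tcp." + d, "SRV", "0 1 465 mail." + d},
	}
}

// UnboundFragment renders the records at or below `zone` (e.g. "example.com.") as an
// unbound include file: a static local-zone plus one local-data line per record, the
// shape easytarget proposes. Filtering by zone matters because the MX host and the
// email domain usually live in different zones, often at different operators.
func UnboundFragment(zone string, recs []Record) string {
	var b strings.Builder
	fmt.Fprintf(&b, "server:\n    local-zone: \"%s\" static\n", zone)
	for _, r := range recs {
		if r.Name == zone || strings.HasSuffix(r.Name, "."+zone) {
			fmt.Fprintf(&b, "    local-data: '%s IN %s %s'\n", r.Name, r.Type, r.Data)
		}
	}
	return b.String()
}
```

Calling `UnboundFragment("example.com.", MailRecords("example.com", "mox.example.net"))` yields the email-domain fragment; the same call with `"example.net."` yields only the three records at the MX hostname.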

@mjl-
Owner

mjl- commented Mar 8, 2025

Provisioning an existing dns server was the plan (and still is). I wouldn't recommend running only a single DNS server for a domain, there are usually multiple records for multiple services/hosts. If the machine is down, everything in the domain stops resolving. Top level domains are typically (always?) required to have at least two name servers.

My plan is to let mox use standard DNS UPDATE and AXFR/NOTIFY for making DNS record changes and staying informed about the current state of the zone. More details at this blog post: https://www.ueber.net/who/mjl/blog/p/dnsclay-dns-update-axfr-notify-to-many-custom-dns-operator-APIs-gateway/. It should work for most DNS server software/providers.

It can still be appealing to include a DNS server, and would make some things easier, but you would have to do a really good job (and then it still may be better as a separate service).
