PUQ Mautic Skip to main content

DNS Manager — Zones

PUQcloud Panel

Order Now | Download | FAQ

1) What a Zone is and how it works

A DNS Zone is the set of DNS records for a domain (e.g., example.com) or a reverse domain (in-addr.arpa, ip6.arpa).
In PUQcloud, every zone is assigned to exactly one Server Group, and that group has one or more real DNS servers attached. As a result:

  • When you create or change records in Zones, PUQcloud writes those changes to all servers in the selected group.

  • Zone-level meta (e.g., Primary NS, NS Domains, SOA fields) is stored with the zone and deployed to the group’s servers.

Path: Settings → DNS Manager → Zones

DNS Zones — list (columns: Name, Record Count, Server Group, Primary NS, Admin Email, Actions)

2) The Zones list & actions

The list shows all zones, how many records each has, which Server Group it belongs to, the Primary NS (SOA MNAME), and the Admin Email (SOA RNAME).

Per-row actions:

  • Edit — open the zone editor

  • Delete — remove the zone

Top-right: + Create to add a new zone.

3) Create a zone

Click + Create and fill the form.

Create DNS Zone (Name, DNS Server Group, SOA Admin Email, SOA TTL, Refresh, Retry, Expire, Minimum TTL)

Field reference
Field Description Tip
Name Zone name. For forward zones use example.com. For reverse: IPv4 uses x.y.z.in-addr.arpa, IPv6 uses the …ip6.arpa nibble format. Use correct reverse notation.
DNS Server Group Which group of servers will host this zone Choose the group you prepared (e.g., PowerDNS ns1-2 or PowerDNS (devns) for the ACME tech zone).
SOA Admin Email Email in SOA (RNAME, with a dot instead of @) Commonly [email protected].
SOA TTL (seconds) TTL for the SOA record 3600 is a safe default.
SOA Refresh Slave refresh interval 86400 (24h) typical.
SOA Retry Retry interval if refresh fails 7200 (2h).
SOA Expire When slaves consider zone expired 1209600 (14 days).
SOA Minimum TTL Negative caching (minimum TTL) 3600.

Click Save to create the zone.

4) Edit a zone

Opening a zone leads to Edit DNS Zone.

Edit DNS Zone (Name, DNS Server Group, Primary NS, NS Domains, SOA fields; buttons Create Record / Reload Zone / Move To / Export / Import / Save)

What you see

  • Name — zone name (read-only for some reverse templates).

  • DNS Server Group — which group serves this zone.

  • Primary NS — SOA MNAME (main NS).

  • NS Domains — authoritative nameserver hostnames shown as badges. These should match your actual registrar delegation.

  • SOA fields — TTL, Refresh, Retry, Expire, Minimum TTL.

  • Records table — the list of all records in this zone.

Top actions

  • + Create Record — add A/AAAA/CNAME/TXT/MX/SRV/NS/PTR etc.

  • Reload Zone — force-sync this zone across all servers in the group.

  • Move To — move the zone to another Server Group (useful for migrations).

  • Export / Import — export to/import from a standard zone format (PowerDNS/BIND-compatible).

  • Save — save changes to the zone properties (record edits have their own save flow in the record modal).

5) Add records

Click + Create Record.

Create DNS Record (Type, TTL, Name; show PTR target field example)

Common record types

  • A / AAAA — IPv4/IPv6 address mappings (e.g., www → 203.0.113.10).

  • CNAME — alias (e.g., www → @ or example.com).

  • TXT — free-form text (SPF, DKIM, ACME challenges).

  • MX — mail exchangers with priority.

  • SRV — service records (VoIP, LDAP, etc.).

  • NS — delegate sub-zones to other nameservers.

  • PTR — reverse mapping (IP to hostname) for reverse zones.

Examples (forward)

  • @ → A → 203.0.113.10

  • www → CNAME → @

Example (mail)

  • @ → MX (10) → mx1.example.com.

  • @ → TXT → v=spf1 include:spf.example.net -all

Reverse example (PTR)

In 0.168.192.in-addr.arpa:

  • 130 → PTR → host130.example.com.

6) ACME / SSL with a technical zone

For DNS-01 challenges, SSL Manager commonly uses a technical zone (e.g., acme.yourdomain.tld) hosted by a dedicated Server Group (e.g., PowerDNS (devns)). The workflow:

  1. In the target zone (the zone for which you want a cert), create a CNAME:
    _acme-challenge.yourdomain.tld → _acme-challenge.yourdomain.tld.acme.yourdomain.tld.

  2. During issuance, SSL Manager automatically creates/updates the TXT in the tech zone (via PowerDNS/Hestia modules).

  3. The CA queries _acme-challenge on the target zone, follows the CNAME into the tech zone, and reads the TXT.

  4. Once validated, the certificate becomes ACTIVE (see SSL Certificates guide).

Ensure the tech group’s NS Domains are really authoritative and are properly delegated at the registrar.

7) Export / Import

  • Export — download the zone in a PowerDNS/BIND-compatible format (great for backups and migrations).

  • Import — upload a zone file to quickly populate records. After import, verify records and click Reload Zone.

8) Best practices

  • Use TTL 300–600s while actively changing/migrating; raise later for stability.

  • Keep ≥2 NS in the serving group (prefer distinct regions/ASNs).

  • For ACME, keep a separate tech zone and separate group.

  • Always Export before bulk edits.

  • After changing a zone’s Server Group, use Move To and then Reload Zone.

  • Regularly verify delegation (dig NS yourdomain.tld) and key records resolution from multiple locations.

9) Troubleshooting

Symptom Likely cause Fix
Public resolvers can’t see your changes Registrar delegation wrong or NS Domains don’t match real NS Correct delegation, align NS Domains, wait for TTL
Different answers on NS1 vs NS2 One node out of sync or offline Reload Zone, check server health, review logs
ACME DNS-01 fails Missing/wrong CNAME to tech zone; caching Validate with dig, fix CNAME/TXT, wait for TTL
Zone import errors Incompatible format or invalid entries Fix offending lines, re-import
No Comments
Back to top