PDNS: DNS as a Service

PDNS: DNS as a Service

  • Complete Bind9 based solution
  • Recursive DNS-Firewall RPZ (Response Policy Zones) for endpoint security
  • Authoritative DNS for your Organization
  • WebUI and API for DNS
  • Antispoofing, Anti-DDoS and Cache Poisoning Controls
  • DNSSEC for increased security and brand protection

DNS is a critical component behind all Internet applications, websites, e-mail, messaging and e-commerce. We at Planisys have developed the PDNS platform for task automation and full control of the DNS Operation at Service Providers, Financial Institutions and other Organizations requiring a high level of security.

Read about DNS Attacks Bind9 Vulnerability Matrix Read the PDNS Docs What is DNSSEC

Frequently Asked Questions about DNS

PDNS is Planisys' corporate platform for Domain Name System as a Service.
DNS stands for Domain Name System, which is a system that translates domain names into IP addresses so that computers can communicate with each other over the internet. Additionally, DNS may contain more records defining policies, services and information that specify forms of interacting with it and also helping protect the brand the domain is associated with.
RPZ or Response Policy Zone runs in a DNS resolver to protect the user from malicious domains. A Resolver with RPZ can help protect users' workstations from country-prohibited domains, malicious domains or even adware. Read more here
Yes, you get as many dedicated resolvers as you want. They can be on-premise, in Planisys' Cloud or in any Cloud you choose. And yes, the service is configurable by enabling/disabling different blocklists. There is although a cheapear, shared version of Planisys RPZ, where you can choose out of five different fixed levels of protection.
A domain name is a human-readable name that represents the IP address of a website, and a lot of additional information about the domain. For example, www.example.com is a domain name that represents the IP address of the website hosted at that address. There can be many records associated to a domain name, such as indications of where it receives e-mail, the IP addresses from where legit e-mail from this domain originates, or even a cryptographic public key stating that all legit e-mails should be automatically signed.
A domain registrar is a company that manages the registration of domain names and the assignment of IP addresses.
A DNS record is a piece of information in the DNS database that maps a domain name to an IP address or other resource record types.
An authoritative nameserver is a DNS server that is responsible for storing DNS records for a certain domain names.
DNS hijacking is an attack in which a hacker redirects traffic intended for a particular domain name to a fake website or server, often for malicious purposes. PDNS uses hardened versions of Bind9 and takes a series of defense and cleanup to measures to avoid that.
Some common techniques for troubleshooting DNS issues include checking for typos in domain names, testing DNS resolution with the nslookup or dig command, flushing DNS cache, and testing connectivity to DNS servers. PDNS provides several tools for checking and even multi-checks to query different name servers.
DNSSEC stands for Domain Name System Security Extensions. DNSSEC provides cryptographic authentication of DNS data, preventing cache poisoning attacks by ensuring the integrity and authenticity of DNS responses. Enabling DNSSEC on your domain and validating DNSSEC signatures can help protect against cache poisoning that could affect your domain.
At Planisys we always deploy the latest security patches as specified in the Bind Vulnerability Matrix, being 9.18.24-1 the current version as of February 20th 2024, that remediates those DNSSEC attacks.
Source port randomization in Planisys Bind9 deployment , helps to add entropy to DNS query transactions by randomly selecting source ports for outgoing DNS queries. This randomness makes it more difficult for attackers to predict and spoof source ports, thus improving the resilience of DNS servers against certain types of attacks, including cache poisoning.
It depends. If you're chasing malware in your own environment, and want to identify infected workstations, we can provide you either with a VMWare image or a Network Appliance for the RPZ service. But if you're looking for a streamlined protection service, you can rely on our Cloud servers. You can either use a dedicated RPZ server with customized protection settings for your customers, or use one of our different pre-configured RPZ shared servers.
Yes. You can find the documentation in https://docs.planisys.net/pdns/

Planisys PDNS
Hybrid Deployment

  • Based on Bind 9.18+ for Redhat and Debian/Ubuntu based systems
  • Bind9 servers on-premise, in Planisys Cloud, or Amazon/Azure/GoogleCloud/etc.
  • RPZ: Response Policy Zones for Government due access restrictions
  • Avoid noisy neighbors, cache poisoning, and domains involved in malware attacks to protect your endpoints
  • Response Rate Limiting to avoid DDoS attacks
  • DNSSEC for increased security and reputation
  • We provide DS information for your registrar's Chain of Trust
  • Real-time consistency controls of your domains between your Hidden Primary, your Authoritatives and Recursives.
Compant view of zone


  • Premium Technical Support - Ticketing system with Escalation Procedure
  • We help you migrate your DNS Zones to us
  • Permanent consulting on the use of DNS
  • Deploy servers wherever you like
  • Integrate with your CRM via API
  • Give access to your customers through PDNS-Web
  • We support any master-slave scenario
  • 24x7x365 DNS Monitoring and Alerts
  • Increased Security (anti-DDoS and DNSSEC)
  • Antispoofing and Antimalware

RPZ Endpoint Protection

RPZ workflow

RPZ endpoint protection workflow

RPZ to NXDOMAIN (inexistent domain)

RPZ protection

RPZ interrupts infection process

Printscreens of PDNS Web

Newly created zone with automatic NS records

Newly created zone with automatic NS records

Add MX Record

Add MX Record

MX added and SOA Serial automatically increased

MX added and SOA Serial automatically increased

PDNS Reseller View

PDNS Reseller View

Multi-Check DNS Lookup Tool

Multi-Check DNS Lookup Tool

DNS Tool Lookup IDNA IPv6

DNS Tool Lookup IDNA IPv6

DNS Whois Information

DNS Whois Information

DNS Reverse Ipv4 Pre-filled Zone

PDNS Reverse Ipv4 Pre-filled Zone

DNS Recursive Statistics

PDNS Recursive Statistics for 10k Users

DNS query distribution

PDNS Query Distribution

DNS use of IPv4 and IPv6

PDNS Recursive use of IPv4 and IPv6

Malware avoided with RPZ

Malware avoided with RPZ


Web interface for DNS Resource Records

Intuitive, multi-tenant, responsive web interface for DNS Resource Records CRUD (Create Read Update and Delete). Extensive checks at the user level interface to avoid invalid zones being rejected by Bind DNS.

DNSSEC,EDNS and RRL support

DNSSEC support for zone signing and root-of-trust in the delegation chain. Also extensive use of EDNS to provide bigger UDP packets and together with RRL (Response Rate Limiting) mitigate DDoS attacks.

DNS Firewall

Threat intelligence feeds to block malicious CIDRs and malicious IPs involved in C2 (Command and Control) in order to avoid exfiltration and C&C driven attacks.

Response Policy Zones

With a real-time feed of +10M of malware infected domains, both from Planisys Threat Intelligence and market qualified 3rd parties, DNS uses RPZ (Response Policy Zones) to protect all endpoints of your organization by non resolving domains involved in Malware attacks.

Emergency DDoS

In case your network is under an extensive DDoS attack, you can apply a Response Rate Limiting brake from Planisys Control Panel, also blocking newly discovered attacking IPs.

2 way authentication

As DNS is a critical component of the organizations' Internet presence as well as for internal systems, logins to the PDNS platform are protected by two-way authentication with OTP. You can also rely on Active Directory login integration and thus its own MFA mechanisms.


PDNS keeps track of user modification by means of an encrypted auditlog that honours the privilege hierarchy, having a superadmin that can view all users' activity. Delegation events originated in other systems are also being timestamped and recorded together with manual interventions, to have a better understanding and forensics of DNS configuration history.

Domain and X509 expiration alerting<

PDNS provides ways to protect and alert administrators by e-mail and SMS before his domains are going to expire, by looking up their WHOIS information on a regular basis. X509 certs can also be uploaded as associated information to the domains, and keep administrators alerted about expiry dates.

Multi-tenant, white-label administration

PDNS' web interface is multi-tenant , with granular permissions to ensure proper access privileges and management of DNS resources according to superadmins, admins, resellers and final customers. PDNS can be deployed at customer's premises or as SaaS in the cloud. PDNS can also be implemented in the infrastructure of your company, in addition to being available in Software-as-a-service mode in the cloud.

Contact Us!

Captcha: captcha
Planisys 2024 © All rights reserved.