// Guide · Networking & infrastructure

DNS Zone Designer

A DNS zone authoring tool tuned for VCF deployments. Build forward and reverse zones with all the record types VCF needs (A, AAAA, CNAME, PTR, plus MX/TXT/SRV/CAA/NS for completeness), then export production-ready BIND zone files or Windows DNS PowerShell.

Forward ZonesReverse Zones (PTR)9 record typesBIND ExportWindows DNS PowerShellVCF Templates

Open the tool Jump to walkthrough

Quick start

Set the zone basics — domain name (e.g. corp.local), primary nameserver, admin email, default TTL.
Add records — pick the type from the dropdown (A, AAAA, CNAME, PTR…) and fill in the host/target. Or use the VCF preset button to add the standard VCF host records in bulk.
Add reverse zones — for each forward subnet, the tool auto-generates the matching in-addr.arpa reverse zone with PTR records.
Export — pick BIND zone file format (drop straight into named.conf) or Windows DNS PowerShell (run on a Windows DNS server).

On this page

When to use this tool
How it works
Step-by-step walkthrough
Examples
Common mistakes
Related tools
FAQ

When to use this tool

Use this tool when you need to:

Pre-populate DNS for a new VCF deployment — every host, vCenter, SDDC Manager, NSX appliance, and Operations VM needs forward + reverse records before you start the install.
Generate BIND zone files for a Linux DNS server (named/bind9).
Generate PowerShell for Windows DNS — runs Add-DnsServerResourceRecord for each entry.
Design DNS for a greenfield environment with no existing zones to import.
Document the DNS plan for handoff to the DNS team.

⚠

VCF won't install without working DNS The VCF Installer pre-checks resolve every FQDN in the JSON spec against your DNS server (forward AND reverse). If any record is missing, deployment fails. Use this tool to make sure you have a complete record set before starting.

How it works

DNS for VCF needs both forward and reverse resolution working:

Forward zone: esx01.corp.local → 172.16.10.21 (A record)
Reverse zone: 21.10.16.172.in-addr.arpa → esx01.corp.local (PTR record)

This tool builds both at once — when you add a host A record, the reverse PTR is generated automatically in the right reverse zone. Tabs at the top let you switch between summary, BIND output, Windows PowerShell output, and a deployment checklist.

Step-by-step walkthrough

1. Configure the zone metadata

Top of the form:

Domain name — your VCF domain, e.g. corp.local, vcf.lab
Primary nameserver — FQDN of your DNS server, e.g. ns1.corp.local
SOA email — admin contact (DNS uses admin.corp.local for [email protected])
Default TTL — 3600 (1 hour) is standard. Use 60s/5m for environments under active change.
Refresh / Retry / Expire / Negative TTL — defaults are fine for most deployments

2. Add forward records

Click Add record and pick a type:

A — IPv4 host record (most common for VCF)
AAAA — IPv6
CNAME — alias (e.g. vcsa → vc-m01.corp.local)
MX — mail server
TXT — SPF, DKIM, verification strings
SRV — service location (e.g. LDAP, Kerberos)
CAA — certificate authority authorization
NS — delegation

Or use the VCF preset button to add the standard VCF host set in bulk: ESX hosts, vCenter, SDDC Manager, NSX Manager (×3 + VIP), VCF Operations.

3. Reverse zones (auto-generated)

The tool auto-detects the subnets used in your A records and generates a matching in-addr.arpa reverse zone for each. PTR records are added automatically. You don't need to manage these by hand — but you can review them in the reverse zones section.

4. Export to BIND

Click the BIND tab to see the production-ready zone file. Standard BIND syntax with SOA, NS records, and all your A/CNAME/PTR entries. Drop into /etc/bind/zones/ on your DNS server, add the corresponding zone block to named.conf.local, reload bind.

5. Export to Windows DNS PowerShell

Click the Windows DNS tab to see PowerShell that uses Add-DnsServerPrimaryZone and Add-DnsServerResourceRecord* commands. Run on a Windows server with the DnsServer module installed (built into Windows Server with the DNS role).

6. Run the checklist

The Checklist tab shows pre-deployment validation:

Every A record has a matching PTR
No duplicate hostnames
SOA fields valid
NS records present in the apex

Run through these before exporting — fixes any gaps the VCF Installer will trip over.

Examples

Example · BIND zone for a 4-host VCF management domain

$TTL 3600
@   IN  SOA  ns1.corp.local. admin.corp.local. (
              2026041501  ; serial
              3600        ; refresh
              900         ; retry
              604800      ; expire
              3600 )      ; negative TTL
    IN  NS   ns1.corp.local.

esx01      IN  A  172.16.10.21
esx02      IN  A  172.16.10.22
esx03      IN  A  172.16.10.23
esx04      IN  A  172.16.10.24
vc-m01     IN  A  172.16.10.30
sddc-m01   IN  A  172.16.10.31
nsx-m01    IN  A  172.16.10.40
nsx-m02    IN  A  172.16.10.41
nsx-m03    IN  A  172.16.10.42
nsx-vip    IN  A  172.16.10.43

Common mistakes

🚨

Forgetting reverse PTR records VCF pre-checks both forward AND reverse. A record without matching PTR = failed install. The auto-generation handles this if you add A records normally — but if you import or hand-edit, double-check.

⚠

Using underscores in hostnames DNS hostnames must be alphanumeric + hyphen. Underscores work in some clients but break others (and break VCF). Use hyphens: vc-m01, not vc_m01.

⚠

SOA serial number forgotten on update BIND won't reload zone changes if the serial number doesn't increase. The tool uses today's date + sequence (YYYYMMDDNN) — re-export after changes to get a fresh serial.

⚠

Duplicating zones across DNS servers If you have multiple DNS servers, only the primary should run the generated zone file directly. Secondary servers should be configured as zone transfer slaves, not given a copy of the file.

Tools that pair well with DNS Zone Designer:

FAQ

Can I add to an existing zone instead of creating new?

The exports assume a fresh zone. If you're adding to an existing zone, copy just the record entries (skip the SOA and apex NS) and paste them into your existing zone file.

Does the Windows PowerShell handle reverse zones?

Yes — it creates both forward and reverse primary zones, then adds A and PTR records to each.

What about DNSSEC?

The exports don't include DNSSEC signing. If you require DNSSEC, configure it on your DNS server after loading the unsigned zone.

Why does my VCF install fail even though dig resolves the FQDNs?

VCF queries from the appliance network. Make sure your DNS server is reachable from the management VLAN (firewall, ACLs) and that the appliance has the right DNS servers configured during bootstrap.

Should I use my AD DNS or stand up a separate DNS for VCF?

Either works. AD DNS is fine for production; just create the VCF zone (e.g. vcf.corp.local) as a delegation or as records in your existing AD-integrated zone. Stand-alone BIND is simpler for labs.