Novice users can have their DNS server up and running correctly and securely in no time. But make no mistake - Simple DNS Plus is a very capable and full-featured DNS server, and it has plenty of options for expert users to tweak it just the way they want.
Authoritative and Recursive (resolver and cache) DNS server
All the DNS server features and functionality you need to host DNS for domain names, assign domain names to computers and devices for easy access, create and delegate sub-domains, resolve other domain names on the Internet, speed up Internet access with centralized DNS caching, etc.
High performance DNS server engine and user interface
Great for hosting and managing anywhere from a few domains to +100,000 domains.
The user interface is optimized to handle really large domain name portfolios.
Simple DNS Plus has options to configure all aspects of the DNS services, including many unique but important options not found in competing products, such as the ability to limit recursion by IP address. Options are well organized and easy to manage in a central Options dialog available directly from the first toolbar button in the main program window.
Of course the software comes preconfigured with settings that are appropriate for most users.
Remote Management / Windows Server Core
The Simple DNS Plus user interface can be run on a desktop computer connecting to a remote Simple DNS Plus server, making it easy and fast to manage the server without Remote Desktop, VNC, or similar.
You can even remotely manage a Simple DNS Plus service running on Windows Server Core (no GUI on the server).
Direct support for dynamic IP clients
Simple DNS Plus supports TSIG authenticated dynamic DNS updates.
This update method is more efficient than the HTTP based and other proprietary update methods typically used because it happens directly via the DNS protocol.
Several dynamic IP updater applications can be used with this.
Setup tutorials are provided for DynSite and DirectUpdate.
Simple DNS Plus can also function as a dynamic DNS service for more generic HTTP based update clients either by using the DynDNS Service plug-in or by using a web-server front-end. ASP.NET and classic ASP sample code for this is available here.
Full support for IDNs (internationalized domain names)
In Simple DNS Plus you can enter domain names with native characters directly (no punycode conversion needed), and have an option to display native character or punycoded domain names anywhere in the user interface, and quickly switch between these modes.
Simple DNS Plus has full support for IPv6.
Easy to integrate with other applications
You can create DNS records or entire DNS zones from other applications or web-sites and prompt Simple DNS Plus to dynamically load and use these through our REST / JSON based HTTP API.
In fact, you can control pretty much everything in the software through the HTTP API.
We provide a Swagger / OpenAPI specification file for the HTTP API to use with a long list of automation tools - for example to generate client code in practically any programming / scripting language.
You can explore, play with and test the HTTP API through Swagger UI. Have a peek at
Simple DNS Plus also allows you to connect with other applications and data from different sources through various plug-ins and can be extended through an open plug-in architecture.
100% .NET managed code
This provides great performance - also on 64 bit computers where Simple DNS Plus runs in native 64 bit mode.
And it is very secure because common security issues such as buffer overruns simply cannot happen.
Strong security features:
Protects against DNS spoofing (a.k.a. "cache poisoning")
"DNS spoofing" is a term used for malicious cache poisoning where forged data is placed in the cache of a DNS server.
Spoofing attacks can result in serious security problems, for example causing users to be directed to wrong Internet sites or e-mail being routed to non-authorized mail servers.
Simple DNS Plus automatically protects against this in several ways:
- It automatically filters out any response received which does not match a sent request.
- All records in received DNS answers are checked for authority, and records for which the answering DNS server does not have authority are ignored.
- It uses random request IDs.
- It sends outbound DNS requests from random port numbers (a.k.a. "port randomization").
- It queues identical requests to prevent "birthday attacks".
- It has an option to "Ignore responses not coming from the IP address that request was sent to".
- It has an option to "Ignore responses which do not echo the request question section".
- It has an option to randomize the letter casing of the query name of outgoing DNS requests, and only accept responses which correctly echo this (DNS0X20).
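The per-response checks in this list (source address, request ID, question echo, 0x20 casing) can be sketched as follows. This is an added example, not Simple DNS Plus code; the function names and the sample addresses are assumptions made for illustration.

```python
import random
import struct

def encode_name(name):
    """Dotted name -> DNS wire-format labels (no compression)."""
    parts = [p.encode("ascii") for p in name.rstrip(".").split(".")]
    return b"".join(bytes([len(p)]) + p for p in parts) + b"\x00"

def build_query(name, qtype=1, rng=None):
    """Return (wire query, pending state) using a random ID and 0x20 casing."""
    rng = rng or random.SystemRandom()   # OS CSPRNG; never a seeded PRNG
    mixed = "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in name)
    question = encode_name(mixed) + struct.pack("!HH", qtype, 1)  # class IN
    txid = rng.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)     # RD set
    return header + question, {"id": txid, "question": question}

def accept_response(pending, sent_to, packet, came_from):
    """Apply the listed checks to one UDP reply; return (accepted, reason)."""
    if came_from != sent_to:
        return False, "not from the address the request was sent to"
    if len(packet) < 12:
        return False, "short packet"
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if not flags & 0x8000:
        return False, "QR bit clear, not a response"
    if txid != pending["id"]:
        return False, "request ID mismatch"
    q = pending["question"]
    # Byte-exact compare enforces the question echo and the 0x20 casing.
    if qdcount != 1 or packet[12:12 + len(q)] != q:
        return False, "question section not echoed exactly"
    return True, "ok"

def reply_to(query, question=None):
    """Constructed sample reply: same ID, QR set, no answer records."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 0, 0, 0)
    return header + (query[12:] if question is None else question)

if __name__ == "__main__":
    server = ("192.0.2.53", 53)          # constructed documentation address
    query, pending = build_query("www.example.com")
    wrong_case = reply_to(query, query[12:].swapcase())  # casing not echoed
    print(accept_response(pending, server, reply_to(query), server))
    print(accept_response(pending, server, wrong_case, server))
    print(accept_response(pending, server, reply_to(query), ("198.51.100.9", 53)))
```

A real resolver keeps one pending entry per outstanding request and sends each from its own randomly chosen source port, so `came_from`/`sent_to` matching happens per socket.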
Restrict recursion by client IP address
You can specify exactly which clients (by IP address / subnet) the server performs recursion for.
Response Filtering stops "DNS rebinding attacks"
Web-browsers generally allow any script, Java object, Flash object, etc. to communicate via HTTP / TCP with the server that served a web-page for as long as that web-page is open in the browser. This is controlled by the host name specified in the web-page URL. A "DNS rebinding attack" is done by having the DNS record for the host name time out very quickly (low TTL and other tricks) and then serving a new IP address for the host name in response to the next DNS request ("rebinding"). The new IP address would be the private/local IP address of an intranet server or device at your location. Now with a bit of scripting, the attacker can in effect use your browser as a gateway to your entire intranet - completely bypassing your firewall. The same type of attack may also be possible with other Internet applications that rely on host names for security. Browser companies are taking steps to prevent this in new browser versions, but it is much more efficient and secure to stop this type of attack at the DNS level by filtering out any private/local IP addresses in DNS responses from outside DNS servers.
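A minimal sketch of that response filter, as an added example rather than Simple DNS Plus code: the list of private/local ranges, the record tuple layout and the function names are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumed filter list for this example: RFC 1918, loopback, link-local,
# "this network", IPv6 loopback, unique-local and link-local ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def is_internal(address):
    """True if the address falls in one of the private/local ranges."""
    ip = ipaddress.ip_address(address)
    # ::ffff:192.168.1.1 reaches the same host as 192.168.1.1, so unwrap it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETS)

def filter_external_response(records):
    """Split (name, type, rdata) records received from an outside server into
    (kept, dropped); only A/AAAA records with internal addresses are dropped."""
    kept, dropped = [], []
    for record in records:
        name, rtype, rdata = record
        if rtype in ("A", "AAAA") and is_internal(rdata):
            dropped.append(record)
        else:
            kept.append(record)
    return kept, dropped

# Constructed sample: a low-TTL name that first pointed at a public address
# is re-served with intranet addresses (the "rebinding" step).
SAMPLE = [
    ("rebind.example.net", "A", "203.0.113.10"),
    ("rebind.example.net", "A", "192.168.1.1"),
    ("rebind.example.net", "AAAA", "::ffff:10.0.0.5"),
    ("rebind.example.net", "AAAA", "2001:db8::1"),
    ("rebind.example.net", "TXT", "192.168.1.1"),   # not an address record
]

if __name__ == "__main__":
    kept, dropped = filter_external_response(SAMPLE)
    for record in dropped:
        print("dropped", record)
    for record in kept:
        print("kept   ", record)
```

Records served from the server's own local zones are not passed through this filter, since internal names legitimately resolve to internal addresses.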
"Stealth DNS" option
A hacker may use a software utility known as a "DNS port scanner" to search for potential targets. This software sends dummy DNS requests to a range of IP addresses on different service ports simply to register which addresses/ports respond.
Any addresses/ports that responded will then be probed further for possible vulnerabilities.
Simple DNS Plus has a special "stealth" option which makes it invisible to such DNS port scanners, by not responding to a DNS request unless it is for data in local zones or originates from a client offered recursion.
Secure Zone Transfers
Avoid revealing all your server addresses and other potentially sensitive data by limiting who can zone transfer your zones.
Simple DNS Plus supports secure zone transfer (TSIG authenticated). Both zone transfer requests and responses are authenticated so this provides protection in two ways; it prevents unauthorized transfers (only people / servers with the correct key can transfer), and it ensures data integrity on secondary servers (not possible to spoof / inject false data during transfers).
Zone transfers can also be limited by IP address for cases where the secondary DNS server does not support TSIG signed zone transfers (less secure but much better than letting anyone zone transfer your data).
IP address blocking
Ignore packets from known offenders (by IP address). You specify how long a block should be in effect along with comments about why the IP address was blocked for easy reference. Such comments will also be shown in the log when a request from the IP address is ignored.
IP addresses that make too many requests too quickly (possible DoS attack) can either automatically be added to the block list, or be rate limited.
IP addresses on an editable trusted list are not subject to automatic blocking / rate limiting.
Windows® 10, Windows® 8 / 8.1, Windows® 7