diff --git a/playbook.yml b/playbook.yml
index 49ab3ca3fbba685cf932d05c13c686c756eccfda..d4000f5360a6ce42b5f9235567c40e6b3ae62942 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -18,6 +18,5 @@
   become: yes
   roles:
     - services
-    - role: ffhl_nameserver
-      tags: [nameserver]
-    
+    - role: ffhl_ns_auth
+      tags: [nameserver, nsauth]
diff --git a/roles/ffhl_nameserver/files/dnsdist/dnsdist.conf b/roles/ffhl_nameserver/files/dnsdist/dnsdist.conf
index ecbee8a007ee203da8b3436296bf0755018a5d4e..371263d2ee931873daef8d5b6593ba6593f246ad 100644
--- a/roles/ffhl_nameserver/files/dnsdist/dnsdist.conf
+++ b/roles/ffhl_nameserver/files/dnsdist/dnsdist.conf
@@ -6,10 +6,10 @@ setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access
 
 webserver('0.0.0.0:8083', 'dnsdist', 'dnsdist')
 
-newServer({address='127.0.0.1:5300', pool='auth'})
-newServer({address='[::1]:5300', pool='auth'})
-newServer({address='127.0.0.1:5301', pool='recursor'})
-newServer({address='[::1]:5301', pool='recursor'})
+newServer({address='127.0.0.1:5300',  pool='auth'})
+newServer({address='[::1]:5300',      pool='auth'})
+newServer({address='127.0.0.1:5301',  pool='recursor'})
+newServer({address='[::1]:5301',      pool='recursor'})
 newServer({address="10.130.0.104:53", pool='ffdyndns'})
 
 -- todo use host_vars
@@ -20,9 +20,9 @@ recursive_ips:addMask('fdef:ffc0:3dd7::/48')
 recursive_ips:addMask('fe80::/10')
 recursive_ips:addMask('::1/128')
 
-addAction("ffdyn.net.", PoolAction('ffdyndns'))
+addAction("ffdyn.net.",                    PoolAction('ffdyndns'))
 addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
-addAction(AllRule(), PoolAction('auth'))
+addAction(AllRule(),                       PoolAction('auth'))
 
 -- disable security status
 setSecurityPollSuffix("")
diff --git a/roles/ffhl_ns_auth/files/bind/forward-zones.conf b/roles/ffhl_ns_auth/files/bind/forward-zones.conf
new file mode 100644
index 0000000000000000000000000000000000000000..f083573e138a74f79eb555a9adb87cfcf1df5e04
--- /dev/null
+++ b/roles/ffhl_ns_auth/files/bind/forward-zones.conf
@@ -0,0 +1,4 @@
+ffhl.=[::1]:5300
+ffhl.de.=[::1]:5300
+luebeck.freifunk.net.=[::1]:5300
++.=1.1.1.1
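Review bot: Nothing in this commit installs this file: the `copy bind configs` loop in tasks/bind.yml lists only `named.conf.options` and `named.conf.local`. Its `zone=address` lines and the `+.=1.1.1.1` entry look like the PowerDNS recursor forward-zones format rather than BIND syntax, and `pdns-recursor` is removed by tasks/main.yml, so the file appears to be left over from the old role. Either drop it from `files/bind/` or, if forwarding is still wanted, express it in the BIND configuration and document that every non-local lookup would then be handed to a third-party resolver.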
diff --git a/roles/ffhl_ns_auth/files/bind/named.conf.local b/roles/ffhl_ns_auth/files/bind/named.conf.local
new file mode 100644
index 0000000000000000000000000000000000000000..db701e1330da68b22409693e0086d9ac1021cd5f
--- /dev/null
+++ b/roles/ffhl_ns_auth/files/bind/named.conf.local
@@ -0,0 +1,19 @@
+zone "luebeck.freifunk.net" IN {
+    type master;
+    file "luebeck.freifunk.net.zone";
+};
+
+zone "ffhl.de" IN {
+    type master;
+    file "ffhl.de.zone";
+};
+
+zone "ffdyn.net" IN {
+    type master;
+    file "ffdyn.net.zone";
+};
+
+zone "ffhl" IN {
+    type master;
+    file "ffhl.zone";
+};
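Review bot: `ffdyn.net` is declared as a master zone here, but the dnsdist.conf touched in this same commit sends `ffdyn.net.` to the `ffdyndns` pool at 10.130.0.104, so queries arriving through dnsdist would never reach this copy of the zone. If both are meant to exist, a `//` comment above the stanza saying why would prevent the two from drifting apart unnoticed; otherwise the stanza can be dropped. The `file` paths are relative to `directory "/var/local/ffhl-dns"` in named.conf.options, which is only populated once update-dns.sh has run.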
diff --git a/roles/ffhl_ns_auth/files/bind/named.conf.options b/roles/ffhl_ns_auth/files/bind/named.conf.options
new file mode 100644
index 0000000000000000000000000000000000000000..39030f08fbf6365953d088b5cc0526862e0a2464
--- /dev/null
+++ b/roles/ffhl_ns_auth/files/bind/named.conf.options
@@ -0,0 +1,19 @@
+options {
+    directory "/var/local/ffhl-dns";
+    dnssec-validation auto;
+    allow-transfer { none; };
+
+    // forwarders {
+    //      0.0.0.0;
+    // };
+
+    listen-on port 5300 { 127.0.0.1; };
+    listen-on-v6 port 5300 { ::1; };
+
+    allow-recursion {
+        10.130.0.0/16;
+        2001:67c:2d50::/48;
+        fdef:ffc0:3dd7::/48;
+        fe80::/64;
+    };
+};
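Review bot: The `allow-recursion` list cannot match any real client as written, because `listen-on` and `listen-on-v6` bind named to 127.0.0.1 and ::1 only, so every query it receives has a loopback source address (assuming dnsdist forwards without preserving the client address, which this diff does not show). For an instance that only serves the master zones in named.conf.local, `recursion no;` states the intent directly and removes the dead ACL; `dnssec-validation auto;` then has nothing to validate either. If recursion through this instance is intended after all, note that `fe80::/64` here is narrower than the `fe80::/10` mask used in dnsdist.conf.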
diff --git a/roles/ffhl_ns_auth/files/systemd/update-ffhl-dns.service b/roles/ffhl_ns_auth/files/systemd/update-ffhl-dns.service
new file mode 100644
index 0000000000000000000000000000000000000000..2fe576323de40d49df75fdc9ed8a5c0bab0d25dc
--- /dev/null
+++ b/roles/ffhl_ns_auth/files/systemd/update-ffhl-dns.service
@@ -0,0 +1,3 @@
+[Service]
+Type=oneshot
+ExecStart=/usr/local/lib/ffhl/update-dns.sh
\ No newline at end of file
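Review bot: The unit has no `[Unit]` section, so it has no description and no ordering against the network even though the script it starts runs `git clone`; adding `Description=`, `Wants=network-online.target` and `After=network-online.target` would avoid failed runs early in boot. With no `User=` line the script runs as root, which its `chown` and `systemctl reload` calls need, so it is worth limiting what else the job can reach with options such as `PrivateTmp=true` and `NoNewPrivileges=true`. The file also ends without a trailing newline.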
diff --git a/roles/ffhl_ns_auth/files/systemd/update-ffhl-dns.timer b/roles/ffhl_ns_auth/files/systemd/update-ffhl-dns.timer
new file mode 100644
index 0000000000000000000000000000000000000000..0112ec89a1a2a9c570f8c250666bdb9a9489d237
--- /dev/null
+++ b/roles/ffhl_ns_auth/files/systemd/update-ffhl-dns.timer
@@ -0,0 +1,5 @@
+[Timer]
+OnCalendar=*:00/5
+
+[Install]
+WantedBy=multi-user.target
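Review bot: `WantedBy=multi-user.target` works, but timer units are conventionally installed under `timers.target` so that they are started together with the other timers; `WantedBy=timers.target` is the usual line. The timer also lacks a `[Unit]` section with a `Description=`. Since `OnCalendar=*:00/5` means a full clone plus a named reload every five minutes, a `#` comment stating why that interval was chosen would help the next maintainer.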
diff --git a/roles/ffhl_ns_auth/tasks/bind.yml b/roles/ffhl_ns_auth/tasks/bind.yml
new file mode 100644
index 0000000000000000000000000000000000000000..01d1798a36b047e1994be3a6000a2ff36225cfdf
--- /dev/null
+++ b/roles/ffhl_ns_auth/tasks/bind.yml
@@ -0,0 +1,45 @@
+---
+# - name: copy dnsdist configs
+#   copy:
+#     src: dnsdist
+#     dest: /etc/
+
+
+- name: copy bind configs
+  loop:
+    - named.conf.options
+    - named.conf.local
+  copy:
+    src: "bind/{{ item }}"
+    dest: "/etc/bind/{{ item }}"
+
+
+- name: remove old dns repo
+  file:
+    path: /var/local/ffhl-dns
+    state: absent
+
+
+# add update script
+- name: copy update script
+  template:
+    src: update-dns.sh
+    dest: /usr/local/lib/ffhl/
+    mode: 0775
+
+- name: copy systemd services and timers
+  copy:
+    src: systemd/
+    dest: /etc/systemd/system/
+
+- name: restart dns services
+  systemd:
+    daemon_reload: yes
+    enabled: yes
+    state: restarted
+    name: "{{ item }}"
+  loop:
+    - bind9.service
+    - dnsdist.service
+    - update-ffhl-dns.timer
+    - update-ffhl-dns.service
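Review bot: Every run of this task file deletes `/var/local/ffhl-dns`, the `directory` named loads its master zones from, and then restarts `bind9.service` before `update-ffhl-dns.service` has repopulated it, so named starts with its zone files missing and the zones stay unavailable until the update script's reload. Dropping the `remove old dns repo` task once the migration is done, and moving the restarts into handlers notified by the copy tasks, would keep repeated runs idempotent. Separately, the update script is started by a unit with no `User=` (so presumably as root) and is installed group-writable; `mode: "0755"` with explicit `owner: root` and `group: root` is the tighter setting. Nothing visible in this commit creates `/usr/local/lib/ffhl/`, which the `template` task needs to exist.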
diff --git a/roles/ffhl_ns_auth/tasks/main.yml b/roles/ffhl_ns_auth/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..663f4bd7367a332a93b49993c9ecc558d3b787c3
--- /dev/null
+++ b/roles/ffhl_ns_auth/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+
+
+
+- name: remove other dns services
+  tags: [dns]
+  apt:
+    state: absent
+    name:
+      - pdns-recursor
+      - pdns-server
+      - pdns-backend-bind
+
+
+- name: install packages
+  tags: [dns, bind]
+  apt:
+    state: present
+    name:
+      - bind9
+
+
+- name: installing bind
+  import_tasks: bind.yml
+  tags: [powerdns]
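Review bot: The `import_tasks: bind.yml` entry is tagged `[powerdns]` while the package task above it is tagged `[dns, bind]`, so a run limited to `--tags bind` installs bind9 but skips all of its configuration, and `--tags powerdns` configures BIND without installing it. `tags: [dns, bind]` on the import would make the two agree. The first task also removes `pdns-recursor`, while the dnsdist.conf touched in this commit still routes `recursive_ips` to a `recursor` pool on port 5301; it is worth confirming that something still listens there, since otherwise those clients would lose resolution.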
diff --git a/roles/ffhl_ns_auth/templates/update-dns.sh b/roles/ffhl_ns_auth/templates/update-dns.sh
new file mode 100644
index 0000000000000000000000000000000000000000..ea4eef1d69c3860cedbfb476fa11abf79d37696f
--- /dev/null
+++ b/roles/ffhl_ns_auth/templates/update-dns.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+
+DIR=$(mktemp -d)
+DEST="/var/local/ffhl-dns"
+REPO="{{ dns_repo_url }}"
+
+mkdir -p "$DEST"
+git clone "$REPO" "$DIR"
+git --git-dir="$DIR/.git" --work-tree="$DEST" reset --hard
+
+rm -rf "$DIR"
+
+chown -R bind:bind "$DEST"
+
+# if this script is started by ansible, named was restarted just before this service
+# we need to give named some time to startup
+sleep 5
+
+systemctl reload named.service
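Review bot: The temporary clone is only removed on the success path: with `set -e`, a failed `git clone` or `reset --hard` exits before `rm -rf "$DIR"`, and since the timer fires every five minutes an unreachable repository leaves a new `mktemp` directory behind on each run. Registering `trap 'rm -rf "$DIR"' EXIT` right after `mktemp -d` covers every exit path. The checked-out content is loaded as authoritative zone data by a root-run job, so the zones are only as trustworthy as the transport behind `dns_repo_url` (not visible in this diff); an authenticated URL, https or ssh with host-key checking, is the thing to confirm. `reset --hard` into `$DEST` also leaves files that were deleted upstream in place, and the `sleep 5` is incurred on every timer run, not only after an Ansible restart.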