diff --git a/systems/auth-dns.noc.eh22.intern.nix b/systems/auth-dns.noc.eh22.intern.nix
index d111593..1b83f39 100644
--- a/systems/auth-dns.noc.eh22.intern.nix
+++ b/systems/auth-dns.noc.eh22.intern.nix
@@ -1,9 +1,59 @@
 {
+  pkgs,
   ...
 }:
+let
+  noc_eh22_internZone = ''
+    $ORIGIN noc.eh22.intern.
+    $TTL 3600
+
+    ; zone management
+    noc.eh22.intern.    IN SOA auth-dns.noc.eh22.intern. noc.eh22.esterhegg.eu. (
+      1       ; serial (automatically incremented by knot)
+      7200    ; refresh
+      3600    ; retry
+      3600000 ; expire
+      60      ; negative response caching ttl
+    )
+    @           IN  NS   auth-dns
+
+    ; A/AAAA records
+    proxmox     IN  A    10.31.210.248
+    auth-dns    IN  A    10.31.210.253
+  '';
+
+  knotConf = pkgs.writeText "knot.conf" ''
+    server:
+      listen: 0.0.0.0@53
+      listen: ::@53
+
+    log:
+      - target: syslog
+        any: info
+
+    template:
+      - id: default
+        storage: /etc/knot/zones
+        zonefile-load: difference-no-serial
+        semantic-checks: "on"
+        journal-content: all
+
+    zone:
+      - domain: noc.eh22.intern
+  '';
+in
 {
   imports = [ ];
 
+  # enable knot authorative dns server
+  # ref: https://search.nüschtos.de/?query=services.knot
+  #      https://www.knot-dns.cz/docs/3.4/html/configuration.html
+  environment.etc."knot/zones/noc.eh22.intern.zone".text = noc_eh22_internZone;
+  services.knot = {
+    enable = true;
+    settingsFile = knotConf;
+  };
+
   # DO NOT CHANGE
   # this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible
   home-manager.users.noc.home.stateVersion = "24.11";
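Review bot: The `server:` section in `knotConf` binds to `0.0.0.0@53` and `::@53`, so the internal-only zone `noc.eh22.intern` with its 10.31.210.x records is answered on every interface the host has or later gains. Consider binding to the address the zone itself publishes for this host, `listen: 10.31.210.253@53`, or confirm that the firewall rule for port 53 (not visible in this hunk) is limited to the internal network. Separately, the template sets `zonefile-load: difference-no-serial` with `journal-content: all` but leaves `zonefile-sync` at its default, while the zone file comes from `environment.etc` and is a read-only store symlink on NixOS; adding `zonefile-sync: -1` to the template should stop knot from trying to flush the zone back to that path. A one-line comment above `knotConf` such as `# no acl section on purpose: zone transfers and dynamic updates stay denied` would record that the missing `acl` is intentional.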