diff --git a/lib/default.nix b/lib/default.nix
index 7a328cf..0094741 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -58,4 +58,8 @@ rec {
 }).machine.meta
 ) (final.filterAttrs (_: v: v == "directory") (readDir ../machines));
 
+ dns = import ./dns.nix {
+ lib = final;
+ dnsLib = (import inputs.dns).lib;
+ };
 }
diff --git a/lib/dns.nix b/lib/dns.nix
new file mode 100644
index 0000000..f3eca85
--- /dev/null
+++ b/lib/dns.nix
@@ -0,0 +1,39 @@
+{ lib, dnsLib, ... }:
+
+with lib;
+
+rec {
+
+ hasSuffix' = flip strings.hasSuffix;
+
+ domainToZone = allowedDomains: domain: (findFirst (hasSuffix' domain) null allowedDomains);
+
+ filterElligibleDomains = allowedDomains: domain: domainToZone allowedDomains domain != null;
+
+ domainsFromConfiguration =
+ allowedDomains: config:
+ filter (filterElligibleDomains allowedDomains) (attrNames config.services.nginx.virtualHosts);
+
+ ipsToRecord =
+ ipType: ipValue:
+ with dnsLib.combinators;
+ if ipType == "ipv4" then { A = [ ipValue ]; } else { AAAA = [ ipValue ]; };
+
+ domainToRecords =
+ domain: machineMeta: isVPNDomain:
+ with dnsLib.combinators;
+ (optionalAttrs isVPNDomain (
+ mapAttrsWithMerge (n: v: nameValuePair domain (ipsToRecord n v)) machineMeta.ips.vpn
+ ))
+ // (optionalAttrs (!isVPNDomain) (
+ mapAttrsWithMerge (n: v: nameValuePair domain (ipsToRecord n v)) machineMeta.ips.public
+ ));
+
+ getDomainPrefix =
+ allowedDomains: domain:
+ let
+ zone = domainToZone allowedDomains domain;
+ in
+ strings.removeSuffix ".${zone}" domain;
+
+}
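Review bot: `domainToZone` in lib/dns.nix matches zones with a bare `strings.hasSuffix`, so there is no label boundary and a virtual host such as `notexample.org` (constructed example) is accepted as belonging to the zone `example.org`. `getDomainPrefix` then strips `".${zone}"`, which does not match such a name, so the full host name is returned as the prefix; the zone apex behaves the same way. Requiring the apex or a dot-prefixed suffix closes this: `domainToZone = allowedDomains: domain: findFirst (zone: domain == zone || strings.hasSuffix ".${zone}" domain) null allowedDomains;`. `findFirst` also returns the first match rather than the longest, so the order of `allowedDomains` decides the zone when one allowed zone is a subdomain of another. `getDomainPrefix` interpolates `zone` without checking for the `null` that `domainToZone` returns on no match, so it is worth documenting that callers must filter with `filterElligibleDomains` first.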