AES DNS Configuration

NetBird automatically creates DNS records for AES tunnel IP addresses, allowing you to reach peers via their AES-encrypted endpoint using familiar domain names.

How AES DNS Works

When AES tunnels are active, each eligible peer (see "Which Peers Get AES DNS Records" below) gets two DNS entries:

  DNS zone              Resolves to     Example name                   Example address
  Standard DNS domain   WireGuard IP    my-server.netbird.cloud        100.64.0.1
  AES DNS domain        AES IP          my-server.aes.netbird.cloud    100.64.128.1

Applications that connect to the AES DNS name are automatically routed through the double-encrypted AES tunnel.

Configuration

Default Behavior

By default, the AES DNS domain is automatically derived as aes.<dns_domain>. If your standard DNS domain is netbird.cloud, the AES DNS domain becomes aes.netbird.cloud.

No configuration is required for this default behavior.

Custom AES DNS Domain

You can set a custom AES DNS domain via the REST API:

curl -X PUT "https://management.example.com/api/accounts/{accountId}" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "settings": {
      "aes_dns_domain": "secure.myorg.com"
    }
  }'

Management Server Flag

The management server also accepts a CLI flag for the default AES DNS domain:

--aes-dns-domain string   Domain used for AES overlay peer resolution.
                          Defaults to 'aes.' if not set.

Configuration Precedence

The AES DNS domain is determined in this order (highest priority first):

  1. Per-account API setting (settings.aes_dns_domain)
  2. Management server CLI flag (--aes-dns-domain)
  3. Automatic default (aes.<dns_domain>)

Which Peers Get AES DNS Records

AES DNS records are generated only for peers that meet all three conditions:

  • Has an AES IP allocated by the management server
  • Is not AES-exempt
  • The account has an AES DNS domain configured (or uses the default)

Security hubs and AES-exempt peers are excluded from the AES DNS zone.
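The following is an added illustration, not NetBird's own code, of the two rules above: the precedence order for choosing the AES DNS domain and the three conditions a peer must meet to get an AES record. The peer fields, the IP values and the "name.domain" record format are assumptions chosen to match the examples on this page; the CLI flag is treated as a full domain, as in the precedence list.

```python
"""Model of the AES DNS domain precedence and per-peer record rules.

Added example; not NetBird code. Peer fields, sample addresses and the
record format are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class Peer:
    name: str
    wg_ip: str
    aes_ip: Optional[str] = None      # None: no AES IP allocated by the management server
    aes_exempt: bool = False          # AES-exempt peers stay out of the AES zone
    is_security_hub: bool = False     # security hubs stay out of the AES zone too


def resolve_aes_domain(dns_domain: str,
                       account_setting: Optional[str] = None,
                       cli_flag: Optional[str] = None) -> str:
    """Highest priority first: settings.aes_dns_domain, then --aes-dns-domain,
    then the automatic default aes.<dns_domain>."""
    if account_setting:
        return account_setting
    if cli_flag:
        return cli_flag
    return f"aes.{dns_domain}"


def build_records(peers: Iterable[Peer], dns_domain: str,
                  aes_domain: Optional[str]) -> Dict[str, str]:
    """Return the zone as {fqdn: ip}.

    Every peer gets its standard record. An AES record is added only when the
    peer has an AES IP, is neither AES-exempt nor a security hub, and an AES
    domain is configured (the default counts as configured).
    """
    records: Dict[str, str] = {}
    for p in peers:
        records[f"{p.name}.{dns_domain}"] = p.wg_ip
        if not aes_domain:
            continue
        if p.aes_ip is None or p.aes_exempt or p.is_security_hub:
            continue
        records[f"{p.name}.{aes_domain}"] = p.aes_ip
    return records


# Constructed sample peers (assumed values, matching the page's example addresses).
SAMPLE_PEERS = [
    Peer("my-server", "100.64.0.1", aes_ip="100.64.128.1"),
    Peer("laptop", "100.64.0.2"),                                   # no AES IP allocated
    Peer("hub-1", "100.64.0.3", aes_ip="100.64.128.3", is_security_hub=True),
    Peer("legacy", "100.64.0.4", aes_ip="100.64.128.4", aes_exempt=True),
]


def sample_zone(dns_domain: str = "netbird.cloud") -> Dict[str, str]:
    """Zone for the sample peers using the automatic default AES domain."""
    return build_records(SAMPLE_PEERS, dns_domain, resolve_aes_domain(dns_domain))


if __name__ == "__main__":
    for fqdn, ip in sorted(sample_zone().items()):
        print(f"{fqdn:35} {ip}")
```

Running it prints five records: four standard names and a single AES name, my-server.aes.netbird.cloud, because the laptop has no AES IP, hub-1 is a security hub and legacy is AES-exempt.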

Verifying AES DNS

After configuration, verify that AES DNS records resolve correctly:

# Standard WireGuard DNS
nslookup my-server.netbird.cloud

# AES DNS
nslookup my-server.aes.netbird.cloud

The two names should resolve to different addresses: the WireGuard IP and the AES IP respectively. If the AES name does not resolve at all, check that the peer has an AES IP allocated and is neither AES-exempt nor a security hub, since such peers are excluded from the AES DNS zone.
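As an added example (not part of NetBird), the same check as a small script that resolves both names and distinguishes the outcomes a practitioner would want to tell apart: a working split, a missing AES record (expected for exempt peers and hubs), and both names landing on the same address. The resolver is injectable so the logic can be exercised offline with constructed answers; the peer and domain names are assumptions.

```python
"""Verify that a peer's standard and AES DNS names resolve to distinct addresses.

Added example; not NetBird code. Uses the system resolver by default, but
accepts any callable name -> ip so it can be tested without network access.
"""
import socket
import sys
from typing import Callable, Optional, Tuple

Resolver = Callable[[str], str]


def lookup(name: str, resolver: Resolver = socket.gethostbyname) -> Optional[str]:
    """Return the address for name, or None when the name does not resolve."""
    try:
        return resolver(name)
    except (socket.gaierror, KeyError):
        return None


def check_aes_dns(peer: str, dns_domain: str, aes_domain: str,
                  resolver: Resolver = socket.gethostbyname) -> Tuple[str, str]:
    """Return (status, detail).

    'ok'               both names resolve and the addresses differ
    'missing-standard' the standard name does not resolve (wrong peer or domain)
    'no-aes-record'    the AES name does not resolve; expected for AES-exempt
                       peers and security hubs, otherwise the peer has no AES IP
    'same-ip'          both names resolve to one address; no AES split happened
    """
    std_name = f"{peer}.{dns_domain}"
    aes_name = f"{peer}.{aes_domain}"
    std_ip = lookup(std_name, resolver)
    aes_ip = lookup(aes_name, resolver)
    if std_ip is None:
        return "missing-standard", f"{std_name} did not resolve"
    if aes_ip is None:
        return "no-aes-record", f"{aes_name} did not resolve (AES IP missing, exempt, or hub?)"
    if std_ip == aes_ip:
        return "same-ip", f"{std_name} and {aes_name} both resolve to {std_ip}"
    return "ok", f"{std_name} -> {std_ip}, {aes_name} -> {aes_ip}"


# Constructed answers for offline use (assumed values, matching the page's examples).
FAKE_ZONE = {
    "my-server.netbird.cloud": "100.64.0.1",
    "my-server.aes.netbird.cloud": "100.64.128.1",
    "hub-1.netbird.cloud": "100.64.0.3",
    "broken.netbird.cloud": "100.64.0.9",
    "broken.aes.netbird.cloud": "100.64.0.9",
}


def fake_resolver(name: str) -> str:
    """Dictionary-backed resolver; KeyError plays the role of NXDOMAIN."""
    return FAKE_ZONE[name]


if __name__ == "__main__":
    # Usage: python verify_aes_dns.py <peer> [dns_domain] [aes_domain]
    peer = sys.argv[1] if len(sys.argv) > 1 else "my-server"
    dns_domain = sys.argv[2] if len(sys.argv) > 2 else "netbird.cloud"
    aes_domain = sys.argv[3] if len(sys.argv) > 3 else f"aes.{dns_domain}"
    status, detail = check_aes_dns(peer, dns_domain, aes_domain)
    print(f"{status}: {detail}")
    sys.exit(0 if status == "ok" else 1)
```

The script exits non-zero for anything other than a clean split, so it can be dropped into a post-configuration check; "no-aes-record" for a security hub or an AES-exempt peer is the documented behaviour, not a failure of the DNS setup.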