diff --git a/inventory/ffmwu-mesh-services b/inventory/ffmwu-mesh-services
index 31447c3..733f875 100644
--- a/inventory/ffmwu-mesh-services
+++ b/inventory/ffmwu-mesh-services
@@ -1,2 +1,3 @@
 [ffmwu-mesh-services]
 kichererbse.freifunk-mwu.de
+linse.freifunk-mwu.de
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 82d2df4..86cad3d 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -165,6 +165,48 @@ wireguard_networks:
       - kichererbse
       - suesskartoffel
     port: 50020
+  - ipv4: 10.87.253.42/31
+    ipv6: fd86:b4dc:4b1e:fd::2a/127
+    peers:
+      - ingwer
+      - linse
+    port: 50021
+  - ipv4: 10.87.253.44/31
+    ipv6: fd86:b4dc:4b1e:fd::2c/127
+    peers:
+      - lotuswurzel
+      - linse
+    port: 50022
+  - ipv4: 10.87.253.46/31
+    ipv6: fd86:b4dc:4b1e:fd::2e/127
+    peers:
+      - spinat
+      - linse
+    port: 50023
+  - ipv4: 10.87.253.48/31
+    ipv6: fd86:b4dc:4b1e:fd::30/127
+    peers:
+      - uffschnitt
+      - linse
+    port: 50024
+  - ipv4: 10.87.253.50/31
+    ipv6: fd86:b4dc:4b1e:fd::32/127
+    peers:
+      - wasserfloh
+      - linse
+    port: 50025
+  - ipv4: 10.87.253.52/31
+    ipv6: fd86:b4dc:4b1e:fd::34/127
+    peers:
+      - suesskartoffel
+      - linse
+    port: 50026
+  - ipv4: 10.87.253.54/31
+    ipv6: fd86:b4dc:4b1e:fd::36/127
+    peers:
+      - kichererbse
+      - linse
+    port: 50027
 
 fastd_groups:
   - ffmwu-gateways
@@ -594,6 +636,12 @@ bgp_legacy_servers:
     ipv4: 10.37.0.42
     ipv6: fd37:b4dc:4b1e::a25:2a
 
+dns_external:
+  slaves:
+    - ns1.treck.de
+    - ns2.treck.de
+    - ns3.treck.de
+
 dns_internal:
   master_ipv4: 10.87.255.67
   master_ipv6: fd86:b4dc:4b1e:ff::43
diff --git a/inventory/host_vars/linse.freifunk-mwu.de b/inventory/host_vars/linse.freifunk-mwu.de
new file mode 100644
index 0000000..f51ebd5
--- /dev/null
+++ b/inventory/host_vars/linse.freifunk-mwu.de
@@ -0,0 +1,8 @@
+---
+server_type: "mesh-service"
+
+magic: 71
+
+nodejs_major_version: "10"
+
+http_dns_prefix: "dns-ext"
diff --git a/playbooks/dns.yml b/playbooks/dns.yml
index 36e7b1a..a074a00 100755
--- a/playbooks/dns.yml
+++ b/playbooks/dns.yml
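Review bot: `dns_external.slaves` carries hostnames only, and the consumer added in the playbooks/dns.yml hunk of this same commit turns them into the PowerDNS `allow-axfr-ips` zone-transfer ACL with `lookup('dig', slave, 'qtype=A')` at play time, so the ACL depends on what the control host happens to resolve during the run and covers IPv4 only. A name that does not resolve would presumably pass a non-address through `ipaddr('address')` and render as `False` inside the ACL string, and a secondary that transfers over IPv6 is refused. Consider recording the addresses next to the names so the ACL is visible in the diff instead of being resolved at deploy time, e.g. `- name: ns1.treck.de` / `  ipv4: "<ns1-ipv4 placeholder>"` / `  ipv6: "<ns1-ipv6 placeholder>"`, and iterating over those fields in the playbook.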
@@ -72,3 +72,75 @@
       sqla_db_host: "127.0.0.1"
       sqla_db_name: "pdns-admin"
       sqlalchemy_track_modifications: True
+
+- name: Manage DNS External Master Server.
+  hosts: linse.freifunk-mwu.de
+
+  roles:
+    - service-nginx
+    - nodejs
+    - yarn
+    - geerlingguy.mysql
+    - powerdns.pdns
+    - pdns-admin
+
+  vars:
+    mysql_root_password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_root subkey=secret') }}"
+    mysql_databases:
+      - name: "pdns-admin"
+        encoding: "utf8"
+        collation: "utf8_general_ci"
+    mysql_users:
+      - name: "pdns-admin"
+        host: "localhost"
+        password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_pdns-admin subkey=secret') }}"
+        priv: "pdns-admin.*:ALL"
+    mysql_max_binlog_size: "100M"
+    mysql_expire_logs_days: "10"
+    mysql_bind_address: "127.0.0.1"
+
+    pdns_install_repo: "{{ pdns_auth_powerdns_repo_41 }}"
+
+    pdns_mysql_databases_credentials:
+      gmysql:
+        priv_user: root
+        priv_password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_root subkey=secret') }}"
+        priv_host:
+          - "localhost"
+
+    pdns_config:
+      allow-axfr-ips: "{% for slave in dns_external.slaves %}{{ lookup('dig', slave, 'qtype=A') | ipaddr('address') }}{% if not loop.last %},{% endif %}{% endfor %}"
+      api: "yes"
+      api-key: "{{ lookup('passwordstore', inventory_hostname_short + '/pdns_apikey') }}"
+      default-soa-name: "{{ inventory_hostname }}"
+      default-soa-mail: "admin.freifunk-mwu.de"
+      local-port: "53"
+      local-address: "127.0.0.1,{{ loopback_net_ipv4 | ipaddr(magic) | ipaddr('address') }},{{ ansible_default_ipv4.address | ipaddr('address') }}"
+      local-ipv6: "::1,{{ loopback_net_ipv6 | ipaddr(magic) | ipaddr('address') }},{{ ansible_default_ipv6.address | ipaddr('address') }}"
+      master: True
+      tcp-fast-open: "50"
+      version-string: "anonymous"
+      webserver: "yes"
+      webserver-address: "127.0.0.1"
+      webserver-allow-from: "0.0.0.0/0,::/0"
+      webserver-password: "{{ lookup('passwordstore', inventory_hostname_short + '/pdns_webserver') }}"
+
+    pdns_backends:
+      gmysql:
+        host: "127.0.0.1"
+        user: "powerdns"
+        password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_powerdns subkey=secret') }}"
+        dbname: "powerdns"
+
+    pdns_admin_global_config:
+      secret_key: "{{ lookup('passwordstore', inventory_hostname_short + '/pdnsadmin_secretkey') }}"
+      login_title: "Freifunk MWU DNS Management"
+      log_level: "INFO"
+      log_file: "pdns-admin.log"
+
+    pdns_admin_database_config:
+      sqla_db_user: "pdns-admin"
+      sqla_db_password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_pdns-admin subkey=secret') }}"
+      sqla_db_host: "127.0.0.1"
+      sqla_db_name: "pdns-admin"
+      sqlalchemy_track_modifications: True
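Review bot: `master: True` in `pdns_config` is a YAML boolean while the neighbouring switches are strings (`api: "yes"`, `webserver: "yes"`), so what lands in pdns.conf depends on how the powerdns.pdns role stringifies Python's `True`; PowerDNS presumably tolerates it, but `master: "yes"` keeps the rendered file uniform and avoids relying on that. `webserver-allow-from: "0.0.0.0/0,::/0"` is only harmless because `webserver-address` is `127.0.0.1`; narrowing it to `"127.0.0.1,::1"` stops the API and webserver from becoming reachable if the bind address is widened later. The play is complete within the hunk, so nothing is cut off at either end.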