diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..40dbd6f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+dns.env
+.terraform
+terraform.tfstate*
+terraform.tfvars
+
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..d4e339a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,69 @@
+# bind-dns
+
+Use packer and terraform to deploy a pair of Bind DNS servers in an AWS VPC to resolve DNS name for K8s API server (or whatever you wish).
+
+## Usage
+
+1. Clone this repo.
+```
+    $ git clone git@github.com:lander2k2/bind-dns.git
+    $ cd kube-cluster
+```
+
+2. Export your AWS keys and preferred region.
+```
+	$ export AWS_ACCESS_KEY_ID="accesskey"
+	$ export AWS_SECRET_ACCESS_KEY="secretkey"
+	$ export AWS_DEFAULT_REGION="us-east-2"
+```
+
+3. Build a CentOS-based image for your DNS servers.  Not the AMI ID for adding to the tfvars.
+```
+    $ cd images
+    $ packer build ns_template_centos.json
+```
+
+4. Edit terraform variables.  Add the appropriate values for your environment.
+```
+    $ cd ../
+    $ cp terraform.tfvars.example terraform.tfvars
+    $ vi terraform.tfvars
+```
+
+5. Deploy the name servers.  The 2 deployed servers will be identical.  Arbitrarily assign one as the master and the other as the slave.
+```
+    $ terraform init infra
+    $ terraform plan infra
+    $ terraform apply infra
+```
+
+6. Set the variables to configure your name servers.
+```
+    $ cp dns.env.example dns.env
+    $ vi dns.env
+```
+
+7. Copy the env vars to your name servers.
+```
+    $ scp dns.env centos@[master ip]
+    $ scp dns.env centos@[slave ip]
+```
+
+8. Connect to the master name server and configure.
+```
+    $ ssh centos@[master ip]
+    $ sudo su
+    # source dns.env
+    # configure_master.sh
+```
+
+9. Repeat for the slave name server.
+```
+    $ ssh centos@[slave ip]
+    $ sudo su
+    # source dns.env
+    # configure_slave.sh
+```
+
+10. Add the two name server IPs to your jump box resolv.conf
+
diff --git a/dns.env.example b/dns.env.example
new file mode 100644
index 0000000..01cbc4a
--- /dev/null
+++ b/dns.env.example
@@ -0,0 +1,19 @@
+# e.g. example.com
+export DOMAIN_NAME=""
+
+# private IP for master DNS server
+export MASTER_IP=""
+
+# private IP for slave DNS server
+export SLAVE_IP=""
+
+# subdomain you will use for k8s API
+export SUBDOMAIN=""
+
+# DNS name for K8s API load balancer
+export API_ELB=""
+
+# IP of jump box from which DNS queries will be sent
+# will also accept a CIDR if preferred
+export JUMP_IP=""
+
diff --git a/images/config_master.sh b/images/config_master.sh
new file mode 100755
index 0000000..01ab4d2
--- /dev/null
+++ b/images/config_master.sh
@@ -0,0 +1,129 @@
+#!/bin/bash
+
+set -e
+
+: "${DOMAIN_NAME:?Env variable DOMAIN_NAME must be set and not empty}"
+: "${SLAVE_IP:?Env variable SLAVE_IP must be set and not empty}"
+: "${SUBDOMAIN:?Env variable SUBDOMAIN must be set and not empty}"
+: "${API_ELB:?Env variable API_ELB must be set and not empty}"
+: "${JUMP_IP:?Env variable JUMP_IP must be set and not empty}"
+: "${FORWARDER:?Env variable FORWARDER must be set and not empty}"
+
+PRIVATE_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+
+grep -qF "${PRIVATE_IP} ns1.${DOMAIN_NAME} ns1" /etc/hosts || echo "${PRIVATE_IP} ns1.${DOMAIN_NAME} ns1" >> /etc/hosts
+
+echo "ns1" > /etc/hostname
+hostname -F /etc/hostname
+
+cat > /etc/named.conf <<EOF
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+// See the BIND Administrator's Reference Manual (ARM) for details about the
+// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
+
+acl "trusted" {
+	${PRIVATE_IP};
+	${SLAVE_IP};
+	${JUMP_IP};
+};
+
+options {
+	listen-on port 53 { 127.0.0.1; ${PRIVATE_IP}; };
+	listen-on-v6 port 53 { ::1; };
+	directory 	"/var/named";
+	dump-file 	"/var/named/data/cache_dump.db";
+	statistics-file "/var/named/data/named_stats.txt";
+	memstatistics-file "/var/named/data/named_mem_stats.txt";
+	allow-query     { trusted; };
+
+	/*
+	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.  - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion.
+	 - If your recursive DNS server has a public IP address, you MUST enable access
+	   control to limit queries to your legitimate users. Failing to do so will
+	   cause your server to become part of large scale DNS amplification
+	   attacks. Implementing BCP38 within your network would greatly
+	   reduce such attack surface
+	*/
+	recursion yes;
+	allow-transfer { ${SLAVE_IP}; };
+
+    forwarders { ${FORWARDER}; };
+
+	dnssec-enable no;
+	dnssec-validation no;
+
+	/* Path to ISC DLV key */
+	bindkeys-file "/etc/named.iscdlv.key";
+
+	managed-keys-directory "/var/named/dynamic";
+
+	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
+};
+
+logging {
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+        };
+};
+
+zone "." IN {
+	type hint;
+	file "named.ca";
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+include "/etc/named/named.conf.local";
+EOF
+
+cat > /etc/named/named.conf.local <<EOF
+zone "${DOMAIN_NAME}" {
+	type master;
+	file "/etc/named/zones/db.${DOMAIN_NAME}";
+	allow-transfer { ${SLAVE_IP}; };
+};
+EOF
+
+if [ ! -d /etc/named/zones ]; then
+	mkdir /etc/named/zones
+fi
+cat > /etc/named/zones/db.${DOMAIN_NAME} <<EOF
+;
+; BIND data file for local loopback interface
+;
+\$TTL	604800
+@	IN	SOA	ns1.${DOMAIN_NAME}. admin.${DOMAIN_NAME}. (
+			      5		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+; Name servers
+${DOMAIN_NAME}.	IN	NS	ns1.${DOMAIN_NAME}.
+${DOMAIN_NAME}.	IN	NS	ns2.${DOMAIN_NAME}.
+; A records for name servers
+ns1	IN	A	${PRIVATE_IP}
+ns2	IN	A	${SLAVE_IP}
+;
+${SUBDOMAIN}	IN	CNAME	${API_ELB}.
+EOF
+
+named-checkconf
+
+named-checkzone ${DOMAIN_NAME} /etc/named/zones/db.${DOMAIN_NAME}
+
+systemctl restart named
+systemctl enable named
+
+exit 0
+
diff --git a/images/config_slave.sh b/images/config_slave.sh
new file mode 100755
index 0000000..8f67912
--- /dev/null
+++ b/images/config_slave.sh
@@ -0,0 +1,108 @@
+#!/bin/bash
+
+set -e
+
+: "${DOMAIN_NAME:?Env variable DOMAIN_NAME must be set and not empty}"
+: "${MASTER_IP:?Env variable MASTER_IP must be set and not empty}"
+: "${SUBDOMAIN:?Env variable SUBDOMAIN must be set and not empty}"
+: "${API_ELB:?Env variable API_ELB must be set and not empty}"
+: "${JUMP_IP:?Env variable JUMP_IP must be set and not empty}"
+: "${FORWARDER:?Env variable FORWARDER must be set and not empty}"
+
+PRIVATE_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+
+grep -qF "${PRIVATE_IP} ns2.${DOMAIN_NAME} ns2" /etc/hosts || echo "${PRIVATE_IP} ns2.${DOMAIN_NAME} ns2" >> /etc/hosts
+
+echo "ns2" > /etc/hostname
+hostname -F /etc/hostname
+
+cat > /etc/named.conf <<EOF
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+// See the BIND Administrator's Reference Manual (ARM) for details about the
+// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
+
+acl "trusted" {
+	${PRIVATE_IP};
+	${MASTER_IP};
+	${JUMP_IP};
+};
+
+options {
+	listen-on port 53 { 127.0.0.1; ${PRIVATE_IP}; };
+	listen-on-v6 port 53 { ::1; };
+	directory 	"/var/named";
+	dump-file 	"/var/named/data/cache_dump.db";
+	statistics-file "/var/named/data/named_stats.txt";
+	memstatistics-file "/var/named/data/named_mem_stats.txt";
+	allow-query     { trusted; };
+
+	/*
+	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
+	   recursion.
+	 - If your recursive DNS server has a public IP address, you MUST enable access
+	   control to limit queries to your legitimate users. Failing to do so will
+	   cause your server to become part of large scale DNS amplification
+	   attacks. Implementing BCP38 within your network would greatly
+	   reduce such attack surface
+	*/
+	recursion yes;
+	allow-transfer { none; };
+
+    forwarders { ${FORWARDER}; };
+
+	dnssec-enable no;
+	dnssec-validation no;
+
+	/* Path to ISC DLV key */
+	bindkeys-file "/etc/named.iscdlv.key";
+
+	managed-keys-directory "/var/named/dynamic";
+
+	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
+};
+
+logging {
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+        };
+};
+
+zone "." IN {
+	type hint;
+	file "named.ca";
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+include "/etc/named/named.conf.local";
+EOF
+
+cat > /etc/named/named.conf.local <<EOF
+zone "${DOMAIN_NAME}" {
+	type slave;
+	file "/etc/named/zones/db.${DOMAIN_NAME}";
+	masters { ${MASTER_IP}; };
+};
+EOF
+
+if [ ! -d /etc/named/zones ]; then
+	mkdir /etc/named/zones
+fi
+
+named-checkconf
+
+systemctl restart named
+systemctl enable named
+
+exit 0
+
diff --git a/images/install_bind_centos.sh b/images/install_bind_centos.sh
new file mode 100644
index 0000000..31e1751
--- /dev/null
+++ b/images/install_bind_centos.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+sudo yum clean all
+sudo yum update -y
+sudo yum clean all
+sudo sudo yum install -y bind bindutils
+
diff --git a/images/install_bind_ubuntu.sh b/images/install_bind_ubuntu.sh
new file mode 100644
index 0000000..1992501
--- /dev/null
+++ b/images/install_bind_ubuntu.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+sudo apt-get update
+sudo apt-get -y upgrade
+sudo apt-get install -y bind9 bind9utils bind9-doc
+
diff --git a/images/move_files.sh b/images/move_files.sh
new file mode 100644
index 0000000..55dba45
--- /dev/null
+++ b/images/move_files.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sudo chmod +x /tmp/*.sh
+sudo mv /tmp/*.sh /usr/bin/
+
diff --git a/images/ns_template_centos.json b/images/ns_template_centos.json
new file mode 100644
index 0000000..0ceed4b
--- /dev/null
+++ b/images/ns_template_centos.json
@@ -0,0 +1,36 @@
+{
+    "variables": {
+        "source_ami_id": "ami-e1496384",
+        "aws_region": "us-east-2"
+    },
+    "builders": [
+        {
+            "type": "amazon-ebs",
+            "ami_name": "heptio-dns-centos-{{timestamp}}",
+            "instance_type": "t2.micro",
+            "source_ami": "{{user `source_ami_id`}}",
+            "ssh_username": "centos"
+        }
+    ],
+    "provisioners": [
+        {
+            "type": "file",
+            "source": "config_master.sh",
+            "destination": "/tmp/config_master.sh"
+        },
+        {
+            "type": "file",
+            "source": "config_slave.sh",
+            "destination": "/tmp/config_slave.sh"
+        },
+        {
+            "type": "shell",
+            "script": "install_bind_centos.sh"
+        },
+        {
+            "type": "shell",
+            "script": "./move_files.sh"
+        }
+    ]
+}
+
diff --git a/images/ns_template_ubuntu.json b/images/ns_template_ubuntu.json
new file mode 100644
index 0000000..30a62e0
--- /dev/null
+++ b/images/ns_template_ubuntu.json
@@ -0,0 +1,26 @@
+{
+    "builders": [
+        {
+            "type": "amazon-ebs",
+            "ami_name": "heptio-dns-ubuntu{{timestamp}}",
+            "instance_type": "t2.micro",
+            "source_ami_filter": {
+                "filters": {
+                    "virtualization-type": "hvm",
+                    "name": "ubuntu/images/*ubuntu-xenial-16.04-amd64-server-*",
+                    "root-device-type": "ebs"
+                },
+                "owners": ["099720109477"],
+                "most_recent": true
+            },
+            "ssh_username": "ubuntu"
+        }
+    ],
+    "provisioners": [
+        {
+            "type": "shell",
+            "script": "install_bind_ubuntu.sh"
+        }
+    ]
+}
+
diff --git a/infra/dns.tf b/infra/dns.tf
new file mode 100644
index 0000000..f1fb78b
--- /dev/null
+++ b/infra/dns.tf
@@ -0,0 +1,49 @@
+variable "dns_ami" {}
+
+resource "aws_security_group" "dns" {
+  name   = "dns"
+  vpc_id = "${var.vpc_id}"
+
+  ingress {
+    from_port   = 53
+    to_port     = 53
+    protocol    = "TCP"
+    cidr_blocks = ["${data.aws_vpc.existing.cidr_block}"]
+  }
+  ingress {
+    from_port   = 53
+    to_port     = 53
+    protocol    = "UDP"
+    cidr_blocks = ["${data.aws_vpc.existing.cidr_block}"]
+  }
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "TCP"
+    cidr_blocks = ["${data.aws_vpc.existing.cidr_block}"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["${data.aws_vpc.existing.cidr_block}"]
+  }
+}
+
+resource "aws_instance" "dns_server" {
+  count                       = 2
+  ami                         = "${var.dns_ami}"
+  instance_type               = "t2.micro"
+  subnet_id                   = "${var.primary_subnet}"
+  vpc_security_group_ids      = ["${aws_security_group.dns.id}"]
+  key_name                    = "${var.key_name}"
+  tags {
+    Name = "dns"
+  }
+}
+
+output "dns_server_ip" {
+  value = "${aws_instance.dns_server.*.private_ip}"
+}
+
diff --git a/infra/main.tf b/infra/main.tf
new file mode 100644
index 0000000..7d21653
--- /dev/null
+++ b/infra/main.tf
@@ -0,0 +1,13 @@
+variable "key_name" {}
+variable "vpc_id" {}
+
+data "aws_vpc" "existing" {
+    id = "${var.vpc_id}"
+}
+
+variable "primary_subnet" {}
+
+provider "aws" {
+    version = "1.14.1"
+}
+
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
new file mode 100644
index 0000000..690124e
--- /dev/null
+++ b/terraform.tfvars.example
@@ -0,0 +1,10 @@
+// AWS key pair name for which you have the private key
+key_name = ""
+
+// ID of VPC and subnet to deploy DNS servers to
+vpc_id = ""
+primary_subnet = ""
+
+// The image ID that is generated by your packer build
+dns_ami = ""
+