diff --git a/deployments/dns/bind.yaml b/deployments/dns/bind.yaml index a9f6c49..096876b 100644 --- a/deployments/dns/bind.yaml +++ b/deployments/dns/bind.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Namespace metadata: - name: dns + name: bind9 --- apiVersion: v1 kind: ConfigMap @@ -79,7 +79,7 @@ data: zone "hxme.net" { type slave; - masters { bind-master.bind9.svc.cluster.local key bind-slave-key; }; + masters { bind-master.dns.svc.cluster.local key bind-slave-key; }; file "slaves/db.hxme.net"; }; --- @@ -99,20 +99,20 @@ spec: app: bind-master spec: securityContext: - fsGroup: 999 # allow group access to volumes for named user + fsGroup: 999 initContainers: - name: fetch-root-hints image: curlimages/curl:latest command: - sh - -c - - | - curl -sfSL https://www.internic.net/domain/named.cache -o /usr/share/dns/root.hints - # hold container open for debug (optional) - # tail -f /dev/null + - > + while true ; do sleep 3600 ; done + volumeMounts: - - mountPath: /usr/share/dns + - mountPath: /hints name: root-hints + containers: - name: bind-master image: internetsystemsconsortium/bind9:9.18 @@ -135,7 +135,7 @@ spec: - name: bind-cache mountPath: /var/cache/bind - name: bind-rundir - mountPath: /var/run/named + mountPath: /run/named - name: root-hints mountPath: /usr/share/dns volumes: 
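Review bot: Renaming the Namespace to `bind9` in the first hunk leaves nothing in this file that creates a `dns` namespace, yet the new DaemonSet and both Services in the last hunk declare `namespace: dns`, and the masters line in the second hunk now points at `bind-master.dns.svc.cluster.local`; unless `dns` is created elsewhere, applying this file fails on those resources and the slave's transfer source never resolves. Either keep `name: dns` here or move the new resources and the masters hostname to `bind9` consistently. The bind-master Deployment's own `namespace` is outside these hunks and should be checked the same way.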
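Review bot: The `fetch-root-hints` init container now runs `while true ; do sleep 3600 ; done` and never exits, so the kubelet never starts the `bind-master` container — init containers must terminate before app containers run. The curl that populated the hints is gone and the init mount moved to `/hints`, while `bind-master` still mounts `root-hints` at `/usr/share/dns`, so even without the loop that volume would be empty for named. If this is debugging scaffolding, restore `curl -sfSL https://www.internic.net/domain/named.cache -o /usr/share/dns/root.hints` under `- |` and `mountPath: /usr/share/dns`, and pin `curlimages/curl` to a release tag instead of `latest` so the init step is reproducible. The container spec continues past the end of the hunk.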
@@ -143,5 +143,89 @@ spec:
secret:
secretName: dns-secrets
- name: config
- conf
+ configMap:
+ name: bind-master-config
+ - name: bind-cache
+ emptyDir: {}
+ - name: bind-rundir
+ emptyDir: {}
+ - name: root-hints
+ emptyDir: {}
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: bind-slave
+ namespace: dns
+spec:
+ selector:
+ matchLabels:
+ app: bind-slave
+ template:
+ metadata:
+ labels:
+ app: bind-slave
+ spec:
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ securityContext:
+ fsGroup: 999
+ containers:
+ - name: bind9
+ image: internetsystemsconsortium/bind9:9.18
+ ports:
+ - containerPort: 53
+ protocol: UDP
+ - containerPort: 53
+ protocol: TCP
+ volumeMounts:
+ - name: config
+ mountPath: /etc/bind/named.conf
+ subPath: named.conf
+ - name: bind-slave-key
+ subPath: tsig-key.conf
+ mountPath: /etc/bind/tsig-key.conf
+ volumes:
+ - name: config
+ configMap:
+ name: bind-slave-config
+ - name: bind-slave-key
+ secret:
+ secretName: bind-slave-key
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: bind9
+ namespace: dns
+spec:
+ type: LoadBalancer
+ selector:
+ app: bind-slave
+ ports:
+ - name: dns-udp
+ port: 53
+ targetPort: 53
+ protocol: UDP
+ - name: dns-tcp
+ port: 53
+ targetPort: 53
+ protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: bind-master
+ namespace: dns
+spec:
+ type: ClusterIP
+ selector:
+ app: bind-master
+ ports:
+ - name: dns-udp
+ port: 53
+ protocol: UDP
+ - name: dns-tcp
+ port: 53
+ protocol: TCP
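Review bot: The `bind-slave` container runs with `hostNetwork: true`, so named listens on port 53 of every node's host interfaces, yet the only hardening present is the pod-level `fsGroup: 999`; add a container `securityContext` with `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL], add: [NET_BIND_SERVICE]}` so a compromised daemon is confined to what binding 53 needs (whether named runs as root in this image is not visible here — confirm before also setting `runAsNonRoot`). The `bind-slave-key` secret volume relies on the default file mode, so `defaultMode: 0440` on that volume keeps the TSIG key readable only by the fsGroup. Because the key is mounted via `subPath`, a rotated secret does not propagate into running pods; a comment such as `# subPath mount: restart pods after rotating the TSIG key` on that volumeMount would spare the next operator a confusing debugging session.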