diff --git a/cfg.go b/cfg.go
index 36b6d48..d75a96e 100644
--- a/cfg.go
+++ b/cfg.go
@@ -22,4 +22,7 @@ const (
 	cfgNftMapV6       = "tele6"
 	cfgNftCidrV4      = "251.0.0.0/8"
 	cfgNftCidrV6      = "2001:db8:11::/48"
+
+	cfgSoaNs   = "gw.vpn."
+	cfgSoaMbox = "dns.gw.vpn."
 )
diff --git a/dns-api.go b/dns-api.go
index a74633a..fcba51f 100644
--- a/dns-api.go
+++ b/dns-api.go
@@ -5,12 +5,14 @@ package main
 import (
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io"
 	"log"
 	"net/http"
 	"net/url"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/miekg/dns"
@@ -312,6 +314,22 @@ func dnsApi_lookup(r *PowerDnsJsonRequest) (interface{}, error) {
 }
 
 func dnsApi_lookup_int(qname string, qtype uint16) (interface{}, error) {
+	if qtype == dns.TypeSOA {
+		return []PowerDnsAnswer{
+			{
+				Qname: qname,
+				Qtype: dns.TypeToString[qtype],
+				Ttl:   cfgTtlMax,
+				Content: fmt.Sprintf("%v %v %v %v %v %v %v",
+					// ns mbox serial
+					cfgSoaNs, cfgSoaMbox, time.Now().Unix(),
+					// refresh retry expire minttl
+					cfgTtlMax/2, cfgTtlMax, cfgTtlMax*2, cfgTtlMin,
+				),
+			},
+		}, nil
+	}
+
 	resp, err := dnsCustomResolve(qname, qtype)
 	if err != nil {
 		return nil, err