diff --git a/roles/dns/master/defaults/main.yml b/roles/dns/master/defaults/main.yml
index ed0f27c..8a1e684 100644
--- a/roles/dns/master/defaults/main.yml
+++ b/roles/dns/master/defaults/main.yml
@@ -19,3 +19,5 @@ refresh: 86400
 retry: 7200
 expire: 3600000
 ttl: 172800
+
+dname_subdomain: "external" # Must not contain the base domain, can be used to allow ignoring local overrides on purpose, will be ignored if empty
diff --git a/roles/dns/master/templates/zone.db b/roles/dns/master/templates/zone.db
index 438f3bb..e867180 100644
--- a/roles/dns/master/templates/zone.db
+++ b/roles/dns/master/templates/zone.db
@@ -10,4 +10,8 @@ $TTL 86400
 ; Certification Authority Authorization
 @ IN CAA 0 issue "letsencrypt.org"
 
+{% if dname_subdomain | length > 0 %}
+{{ dname_subdomain }} IN DNAME @
+{% endif %}
+
 {{ entries }}