For slave DNS I’m using this approach: I have two separate small VPS, that are only acting as Slave DNS and nothing else. All other Hestia Servers (actual web/mail servers) point to those two Slave DNS servers. The SOA record is on the server that is hosting the site or email. When I need to set authoritative Name Servers on the registrar I set:
- Web/Email Server name/IP
- Slave DNS1 name/IP
- Slave DNS2 name/IP
I tried setting only SlaveDNS1 and SlaveDNS2 at the registrar (so I wouldn’t need to make changes at the registrar when moving domains between different hosting servers), but that wasn’t the perfect solution, because the SOA record was on the Web/Email server and that led to complaints from DNS checkers like https://intodns.com/
The approach of having SlaveDNS act as primary (and only NS servers) and the web/mail server be in Slave DNS mode, would not work out at all in the case of wildcard LE Certificate and automatic creation of records like DKIM, etc. So I guess the primary NS needs to be on the hosting server, to avoid future trouble.
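As an added example (not from the post above or from Hestia), here is a small consistency check for the two layouts described: it flags an SOA MNAME that is not among the delegated name servers, and a mismatch between the NS set inside the zone and the NS set at the registrar. Host names are constructed placeholders; a real check would obtain the SOA and NS RRsets with a resolver.

```python
"""Delegation sanity checks for a primary-on-hosting-server, two-secondary DNS layout.

Added example with constructed data; names like ns.web1.example are placeholders.
"""


def _norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def check_delegation(soa_mname, zone_ns, registrar_ns):
    """Return a list of problems; an empty list means the layout is consistent.

    soa_mname    -- MNAME field of the zone's SOA record (the primary master)
    zone_ns      -- NS records published inside the zone itself
    registrar_ns -- name servers delegated at the registrar (parent side)
    """
    mname = _norm(soa_mname)
    zone = {_norm(n) for n in zone_ns}
    parent = {_norm(n) for n in registrar_ns}
    problems = []
    # Checkers such as intodns flag an SOA MNAME that is not a listed name server.
    if mname not in zone:
        problems.append(f"SOA MNAME {mname} is not in the zone's NS set")
    if mname not in parent:
        problems.append(f"SOA MNAME {mname} is not delegated at the registrar")
    # Parent and child NS sets should agree, otherwise resolvers see an inconsistent delegation.
    if zone != parent:
        problems.append(
            f"NS mismatch: only in zone={sorted(zone - parent)}, "
            f"only at registrar={sorted(parent - zone)}"
        )
    if len(parent) < 2:
        problems.append("fewer than two delegated name servers")
    return problems


# Layout the post tried first: SOA on the web server, registrar lists only the two secondaries.
def slaves_only_layout():
    return check_delegation(
        "ns.web1.example",
        ["ns.web1.example", "ns1.example", "ns2.example"],
        ["ns1.example", "ns2.example"],
    )


# Layout the post settled on: web server plus both secondaries delegated at the registrar.
def full_layout():
    return check_delegation(
        "ns.web1.example",
        ["ns.web1.example", "ns1.example", "ns2.example"],
        ["ns.web1.example", "ns1.example", "ns2.example"],
    )
```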