Skip to content
OS Domains
Infrastructure · DNS authority and domain registrar

Domain registration and authoritative DNS for teams who need their nameservers in the same legal regime as their data

EU-sovereign domains and DNS means registering your domain through an EU-jurisdiction registrar and serving its authoritative DNS from EU-resident infrastructure — so the naming layer of your stack stays under EU law, not a US provider's. OS Domains integrates registration and authoritative DNS in one place, with DNSSEC, modern record types and anycast resolution, for teams that built an EU-sovereign architecture and do not want Cloudflare or Route 53 quietly undermining it at the DNS layer.

Most teams hand domain registration to whoever is cheapest and authoritative DNS to whoever the registrar bundles. The result: a US-based registrar holding your domain, US-based DNS resolving it, and a Cloud Act exposure path that defeats whatever EU sovereignty work you did on the application layer. We register your domains through EU-jurisdiction registrars and serve DNS from our own anycast network across 7 PoPs. DNSSEC, DANE, modern record types, full API, Terraform provider. Free tier for small zones, paid plans from €29 per month. Domains from €11 per year.

In short

  • Registration through an EU-jurisdiction registrar plus authoritative DNS served from EU-resident infrastructure — sovereignty down to the naming layer.
  • DNSSEC, the full set of modern record types, and anycast resolution with predictable behaviour under load.
  • Four tiers in fixed monthly euros: Free €0, Standard €29, Pro €99, plus custom Enterprise; registration billed at published TLD rates.
  • Honest comparison with Cloudflare DNS, Route 53 and dnscale.eu, including where each of them fits better.
  • Integrated with the rest of the stack, so registrar, DNS and sending sit under one EU entity instead of three vendors.
Sovereignty

Why does EU-sovereign DNS matter?

Most EU-sovereign architectures host the application and the data in the EU, then point the domain at Cloudflare or Route 53 for DNS — and the DNS provider, a US company, becomes the part of the stack outside EU jurisdiction. Every lookup of your domain runs through it. Moving authoritative DNS to EU-resident infrastructure closes that gap. It is the difference between a domain whose every lookup is answered by infrastructure under EU law and one whose answers come from a company subject to a foreign subpoena regime. The diagram contrasts the two.

Typical "EU sovereign" setup Application — EU Data — EU DNS — US provider (Cloudflare / Route 53) naming layer outside EU jurisdiction With EU-resident DNS Application — EU Data — EU DNS — EU-resident, DNSSEC naming layer under EU law

The sovereignty is checkable: the authoritative nameservers resolve to EU infrastructure, DNSSEC is signed, and the registrar of record is an EU entity:

$ dig +short NS yourdomain.eu
ns1.osdomains.eu.
ns2.osdomains.eu.
$ dig +dnssec +short yourdomain.eu | grep -c RRSIG
2
$ whois yourdomain.eu | grep -iE 'registrar|country'
Registrar: OS Domains GmbH
Country:   AT
Why this product exists

DNS is the layer where most "EU sovereign" architectures quietly fall apart

Most teams that care about EU data sovereignty go through a careful exercise: pick an EU cloud provider, contract with EU sub-processors, configure data residency in the right region, sign DPAs that say all the right things. Then they leave the domain registered at GoDaddy or Namecheap and the DNS resolved through Cloudflare or Route 53. The result is an architecture where the application data stays in the EU but the very first lookup that resolves your customer's browser to your application goes through US infrastructure governed by US law. The Cloud Act covers it. The application-layer EU sovereignty work was real but the DNS layer broke the seal.

This is not theoretical. The DNS resolution is where every connection starts. The records you publish (MX for mail, A and AAAA for web, CAA for certificate authority restrictions, TLSA for DANE, the DKIM and SPF and DMARC records that gate your email) all sit on whatever nameserver your domain points at. If that nameserver is operated by a US company, US authorities can compel changes to those records, US authorities can compel the operator to log queries (which reveals who is talking to your services), and US authorities can compel the registrar to transfer the domain itself if the legal grounds exist. None of this is hypothetical and all of it has happened.

For most workloads the risk is small enough that it does not matter. Cloudflare DNS is excellent infrastructure, Route 53 is operationally solid, and the Cloud Act exposure rarely results in actual harm to small commercial sites. We are not arguing that everyone needs to leave US-based DNS. We are arguing that for the workloads where EU sovereignty actually matters (regulated industries, journalism, EU public sector, anything with a real DPA review), the DNS layer needs to be on the same side of the line as the rest of the architecture. Otherwise the work you did at the application layer was theatre.

This is what we sell. Domain registration through EU-jurisdiction registrars (Gandi for .com and .net through their French operation, Hetzner for .de, EuroDNS for .lu and other niche TLDs, our own ICANN-accredited entity for newer gTLDs). Authoritative DNS hosted on our own anycast network across 7 PoPs (5 in EU plus optional UK, US, and Panama). DNSSEC, DANE, BIMI, all the modern record types you would expect. A REST API that does not require an enterprise contract to access. A Terraform provider that exists, works, and is maintained. And one contract in EUR for both products instead of three contracts across three providers.

Two things this is not. It is not a CDN. We do not do edge caching, we do not do origin shielding, we do not compete with Cloudflare on the ten things Cloudflare does that we do not. If you need a CDN, use a CDN. We integrate cleanly with bunny.net, KeyCDN, Fastly, and any other CDN that accepts an authoritative DNS pointer. It is also not a cheap consumer-grade product. The free tier exists for small zones (we like running infrastructure for the open source projects that need it) but the paid product is priced for serious operators, not domain hobbyists.

And the part that makes the rest of this page worth reading: we have been operating DNS authoritative infrastructure since 2008. The same anycast network that serves the email infrastructure half of our business serves the DNS half. The same engineers who tune our MTAs read our DNS query logs. The boring operational stuff (rolling DNSSEC keys, monitoring zone propagation, handling the occasional registry incident) gets done because the discipline of operating it is decades old at this point. The newer EU-managed DNS providers are operationally good but younger; we are operationally good and old.

One last note before the rest of the page. The DNS layer rewards conservative engineering. The right answer for almost everyone is "the same product everyone uses, configured the boring way, monitored properly". We are not trying to be exciting at the DNS layer. We are trying to be the kind of provider where you can forget about DNS for years at a time and just have it work. The exciting work happens at the application layer where it belongs; DNS should be a utility you stop thinking about. If you came here looking for clever DNS tricks, geo-routing magic, or anything that smells like a marketing demo, we may not be the most interesting vendor in the category. If you came here looking for a sovereign nameserver that resolves quickly and never breaks, we are exactly that.

Two products under one contract

Domain registration and authoritative DNS, integrated

These are sold as separate products because some customers need only one. They work better together because we control both layers and the registrar-to-DNS handoff that breaks at most providers does not exist with us.

Domain registration

Through EU-jurisdiction registrars only

We register domains through partner registrars that operate inside EU jurisdiction. Gandi (France) for .com, .net, .org and most generic TLDs. Hetzner (Germany) for .de. EuroDNS (Luxembourg) for niche TLDs. Our own ICANN-accredited operation for selected newer gTLDs and bulk operations where partner registrars flag bulk activity. WHOIS privacy is enabled by default where the TLD allows it. Domain transfers are handled cleanly: in or out, no friction, no retention games. Pricing is published list-rate plus a small markup for management overhead.

From €11 per year for .eu, .de, .fr, .se, .uk · €13 per year for .com, .net, .org

Authoritative DNS hosting

Anycast across 7 PoPs, DNSSEC and DANE included

Our anycast nameserver network is in the same 7 PoPs as our email and dedicated infrastructure: Vienna (HQ), Frankfurt, Amsterdam, London, Strasbourg, Dallas, Panama. EU sovereign tier serves only from EU PoPs for customers who need that. Global tier uses the full network for performance. DNSSEC is enabled on every zone by default. DANE/TLSA records supported. Modern record types including HTTPS, SVCB, CAA, BIMI. Free tier for small zones, paid plans from €29 per month with full API and Terraform provider.

Free for 5 zones · €29/mo for 50 zones · €99/mo for 250 zones · Custom for unlimited

When EU sovereign DNS earns its place

Six scenarios where the DNS layer matters as much as the application layer

Most teams do not need to think about DNS sovereignty because their threat model does not include the DNS layer. The scenarios below are the ones where it does matter and where the choice of nameserver provider has consequences beyond performance and price.

Scenario 01

Regulated industries with formal DPA reviews

Financial services, healthcare, public sector, insurance, anything where a Data Protection Officer reviews vendor architecture diagrams. The DPA review will ask where the DNS resolves and who operates the nameservers. "Cloudflare" or "Route 53" produces a Cloud Act flag that has to be addressed in the procurement notes. Choosing an EU-jurisdiction nameserver removes that flag entirely. The technical performance is the same; the contractual story is much cleaner.

Scenario 02

Journalism and political platforms

Your work draws adversarial attention from governments or large corporations. Adversaries with US influence can pressure US-based DNS providers. The DNS provider has the technical ability to redirect your domain elsewhere or stop resolving it; under sufficient legal pressure, they comply. Operating from EU jurisdiction means that pressure has to go through EU courts under EU due process, which is a meaningfully higher bar.

Scenario 03

Cold email agencies managing 50+ client domains

You operate dozens or hundreds of sending domains across your client book. Bulk registration at most registrars triggers anti-fraud holds, which interrupts client onboarding. Coordinating SPF, DKIM, DMARC, and CNAME records across multiple registrar-DNS handoffs is operational pain that compounds with each additional client. We handle bulk registrations without flagging and we manage the DNS authoritatively from one API. The pattern is well-documented from our cold email infrastructure customers.

Scenario 04

Multi-tenant SaaS with customer-domain features

Your product lets customers attach their own domain (custom domains for their landing pages, white-labeled URLs, vanity DNS). The integration involves your customers updating their DNS to point at your infrastructure, and the operational burden of supporting that across whatever registrar each customer uses is significant. With our DNS as the primary, customers can delegate a subdomain to us and you get programmatic control without touching their main DNS. Common pattern with white-label SaaS at €5M ARR and up.

Scenario 05

EU-only data residency for technical compliance

Your product makes a contractual commitment that customer data does not leave the EU. The application layer is on EU infrastructure, the database is in an EU region, the backups are in an EU region. The DNS query logs (which reveal traffic patterns, request volumes, and inferred user locations) are still on a US provider, which technically breaks the commitment. Moving DNS to an EU operator closes that gap and makes the contractual claim defensible under audit.

Scenario 06

DevOps teams treating infrastructure as code

Your DNS is checked into version control, applied via Terraform or DNSControl, deployed through CI/CD with reviewable pull requests. The provider needs to support this workflow as a first-class citizen, not as an afterthought tacked onto a web dashboard. Our Terraform provider is official, maintained, and covers every record type. The DNSControl integration works with the upstream project. The API is versioned, backwards-compatible, and documented with OpenAPI 3.0 spec. For teams running infrastructure-as-code disciplines, the difference between a DNS provider that supports this well and one that supports it grudgingly is significant operationally.

How we stack against the obvious alternatives

Direct comparison with Cloudflare DNS, Route 53, and dnscale.eu

A direct comparison at typical mid-market volumes (around 50 zones, 10 million queries per month). Pricing reflects published list rates as of early 2026.

Attribute OS Domains Cloudflare DNS AWS Route 53 dnscale.eu
Monthly price at 50 zones / 10M queries €29 (Standard plan) $20/mo per zone (Pro), so $1,000/mo for 50 zones $25/mo (50 zones at $0.50) + ~$4/mo queries €19 (Pro tier)
EU sovereign, no US parent in chain Yes, Austrian GmbH No, US company No, AWS US (Cloud Act applies) Yes, EU operator
DNSSEC enabled by default Yes, every zone Available, manual enable Available, manual enable Yes, every zone
Anycast network 7 PoPs (5 EU + UK + US + Panama) 330+ cities globally AWS edge locations globally EU + Global networks
Terraform provider, REST API Yes, both Yes, both Yes, both Yes, both
Domain registration bundled Yes, EU-jurisdiction registrars Yes, US-based Yes, US-based No, DNS only
Bulk registration without anti-fraud holds Yes, designed for it Limited, may flag Limited, may flag N/A (no registrar)
BIMI, DANE, TLSA support Yes, all three Partial (BIMI yes, DANE limited) Partial Yes, all three
What the DNS service actually supports

Which DNS record types and features are supported?

Our authoritative DNS supports the full set of modern record types — A, AAAA, CNAME, MX, TXT, SRV, CAA and DNSSEC — with anycast resolution and predictable behavior under load. Below is a complete list of what it supports and how it behaves. If a feature is on this list, it is implemented and tested in production. If something you need is not here, ask; we may have it on the roadmap or we may have decided it is out of scope.

01

Standard record types

  • A and AAAA records, full IPv4 and IPv6 support
  • CNAME with apex CNAME (ALIAS) emulation for naked-domain hosting
  • MX records with priority handling and DKIM key publishing
  • TXT records for SPF, DMARC, verification challenges, arbitrary use
  • NS records for delegation, including fully delegated subdomains
  • PTR records for reverse DNS (where you control the IP block)
  • SRV records for service discovery (XMPP, SIP, modern protocols)
02

Modern and security-focused record types

  • CAA records for certificate authority restrictions, supporting Let's Encrypt and commercial CAs
  • TLSA records for DANE (DNS-based Authentication of Named Entities)
  • DNSKEY, DS, RRSIG, NSEC3 for full DNSSEC support, all signing handled automatically
  • HTTPS and SVCB records (RFC 9460) for service binding and HTTPS optimization
  • BIMI records for brand indicators in supported mailbox providers
  • OPENPGPKEY and SMIMEA for cryptographic key publishing via DNS
  • CDS and CDNSKEY for automated DNSSEC key transition
03

Operational features

  • Multi-region anycast with health checks for primary failover
  • GeoDNS routing on Pro tier and above (responses based on resolver location)
  • Latency-based routing for traffic optimization across regions
  • Per-record TTL configuration with sensible defaults
  • Wildcard records for catch-all subdomain handling
  • Dynamic DNS via API for IP-changing endpoints
  • Zone import via AXFR or zone file upload
04

API and automation

  • Full REST API with OpenAPI 3.0 specification
  • Terraform provider, official, with full record-type coverage
  • DNSControl integration for declarative DNS management
  • octoDNS provider for migration and multi-provider scenarios
  • Webhooks for record changes and zone events
  • API key with per-zone scoping for multi-tenant use
  • CLI tool for scripted zone management
Pricing — DNS hosting plans

How much does EU DNS hosting cost?

DNS plans are €0 (Free), €29 (Standard) and €99 (Pro), plus custom Enterprise. Pricing is per organization, not per zone. Domain registration is billed separately at published TLD rates. The Free tier exists because we want infrastructure for small zones to be available without friction; it is not a sales funnel for upselling.

Free

For small zones, personal projects, open-source infrastructure.

€0 / month

Self-service signup, instant

Ideal for

Personal sites, hobbyist projects, open-source projects, anyone with under 1M DNS queries per month.

  • 5 zones maximum
  • 1,000,000 queries per month
  • EU-only anycast (5 EU PoPs)
  • DNSSEC enabled by default
  • Modern record types (CAA, TLSA, HTTPS, SVCB)
  • Web dashboard
  • REST API access
  • Community support (forum)
Start free
Most chosen

Standard

For mid-size operations needing serious DNS at sensible price.

€29 / month

Live in minutes after signup

Ideal for

SaaS at €1-10M ARR, agencies with under 50 client domains, teams graduating from Cloudflare Pro for sovereignty reasons.

  • 50 zones
  • 50,000,000 queries per month
  • EU + Global anycast (all 7 PoPs)
  • DNSSEC, DANE, BIMI included
  • Terraform provider, DNSControl integration
  • 99.99% uptime SLA
  • Email support, 8h business response
  • Above-quota: €0.40 per million queries
Subscribe to Standard

Pro

For mid-to-large operations needing GeoDNS, failover, advanced traffic shaping.

€99 / month

Live in minutes after signup

Ideal for

SaaS at €10-50M ARR, agencies running 50-200 client domains, multi-region applications needing GeoDNS or latency-based routing.

  • 250 zones
  • 250,000,000 queries per month
  • GeoDNS responses based on resolver region
  • Latency-based routing across PoPs
  • Multi-region failover with health checks
  • Per-zone API tokens with scoped access
  • Webhook delivery for record changes
  • Email and chat support, 4h business response
  • Above-quota: €0.30 per million queries
Subscribe to Pro

Enterprise

For larger operations needing signed SLAs, custom anycast, dedicated support.

Custom annual

Onboarding 5 to 10 business days

Ideal for

Large SaaS, regulated industries, agencies past 200 client domains, anyone requiring formal SLA with service credits.

  • Unlimited zones
  • Unlimited queries (no overage)
  • Custom anycast configurations
  • Dedicated query analytics dashboard
  • Multi-region zone replication
  • Signed SLA with service credits
  • Named technical account manager
  • Slack Connect direct line
  • 1-hour incident response SLA, 24/7
Talk to sales

Domain registration is billed separately at published TLD rates: €11/year for .eu, .de, .fr, .se, .uk and €13/year for .com, .net, .org. Bulk discounts available for 50+ domains. Above-quota DNS queries billed monthly at the rate shown per tier. Annual prepay on paid DNS plans saves 15%. The Free tier has no time limit and no requirement to upgrade.

Domain registration — supported TLDs and rates

EU-jurisdiction registrars, transparent rates

Below are the TLDs we register most commonly. For TLDs not on this list, ask. We can register through partner registrars for nearly any TLD that exists, with the only exclusions being TLDs in jurisdictions we have policy reasons to avoid (typically registries with poor abuse handling or unreliable operations). Pricing is at-cost passthrough plus a small management fee.

TLD Price Registrar Notes
.com €13 per year Gandi (France) Most common, full WHOIS privacy available
.net €13 per year Gandi (France) Technical infrastructure standard
.org €13 per year Gandi (France) Non-profit and educational organizations
.eu €11 per year EURid (Belgium) EU residency required, strong legal protection
.de €11 per year Hetzner (Germany) German market, DENIC standards
.at €13 per year nic.at (Austria) Austrian market, our home jurisdiction
.fr €11 per year Gandi (France) French market, AFNIC
.se €11 per year Internetstiftelsen (Sweden) Nordic market, Schrems II safe
.uk / .co.uk €11 per year Nominet (UK) UK market, post-Brexit jurisdiction
.io €39 per year Gandi (France) Tech startups, premium TLD
.dev / .app €18 per year Gandi (France) HTTPS-only TLDs, tech audience
.es €11 per year Gandi (France) Spanish market
.ch / .li €19 per year Gandi (France) Swiss market, strong privacy law
Real questions from DevOps leads and procurement

What buyers ask before they sign

Why would we leave Cloudflare DNS? It is free and excellent.

For most teams, you would not. Cloudflare is genuinely excellent infrastructure and the free tier is one of the best deals on the internet. We win in two specific scenarios. First: when EU sovereignty is a real requirement, not just a preference. Cloudflare is a US company and the Cloud Act applies regardless of which datacenter your zone happens to be served from. Second: when you need domain registration and DNS under one EU-jurisdiction contract, which Cloudflare provides only through their US registrar. If neither applies, Cloudflare is a fine choice and we will tell you that on a discovery call.

How does the migration from Cloudflare or Route 53 actually work?

Standard zone transfer process. You export your zone from the current provider (AXFR transfer or zone file export, both work), import into our system via API or web upload, verify the records, then update the NS records at your registrar to point at our nameservers. Propagation typically completes within an hour for most resolvers, 24 hours for the long-tail caches. The records continue serving from the old provider during propagation, so there is no downtime. We help with the migration on the Standard tier and above, no extra fee. For complex migrations involving GeoDNS or unusual record types, we do a parallel-run validation period of 7 days where the old and new are both authoritative for verification before final cutover.

Do you handle domain transfers in and out without friction?

Yes, both directions, no retention games. Transfers in: provide the auth code from your current registrar, we initiate the transfer, completion typically takes 5 to 7 days per ICANN policy. Transfers out: request the auth code from us via dashboard or support ticket, we provide it within 24 hours, you initiate the transfer at the receiving registrar. We do not lock domains, we do not require upgraded support to release auth codes, we do not charge transfer-out fees beyond the ICANN-mandated minimum. Domain ownership belongs to the customer, not the registrar; we treat it that way.

How does DNSSEC work? Do we have to manage it ourselves?

DNSSEC is enabled on every zone by default and we manage it for you. Key generation, KSK and ZSK rotation on the standard schedule, automatic signing of all record types, NSEC3 with opt-out for performance. The DS record gets published to the parent zone (the registry) automatically when you register through us; for domains registered elsewhere, we provide the DS record value and you publish it at your registrar. Key rotations happen on a documented schedule with overlap to avoid validation failures. The complexity of DNSSEC is real but we handle it operationally; you get the security benefit without the management overhead.

What happens if your DNS infrastructure has an outage?

Anycast architecture means a single PoP failure does not affect resolution; resolvers fail over to other PoPs automatically. A coordinated multi-PoP failure (the kind that has hit even Cloudflare and Route 53 historically) is rare but possible. For customers who want belt-and-suspenders redundancy, we support secondary DNS configurations where you run a second authoritative DNS provider in parallel (we recommend dnscale.eu for EU-only secondary or PowerDNS-based open-source on your own infrastructure). The dual-primary configuration uses standard zone transfers and means a complete OS Domains DNS outage would not take your records offline. Most customers do not bother because the primary infrastructure has been reliable, but the option exists.

Can we use you as secondary DNS only, with our existing provider as primary?

Yes. Hidden master configurations work cleanly: your primary stays where it is, we receive zone transfers via AXFR/IXFR and serve as secondary nameservers. This is common for customers who want to add EU sovereign secondary to a US-primary setup, or for customers who want geographic redundancy across providers. Secondary-only pricing is the same as primary; we do not discount secondary because the operational cost is the same on our side. The arrangement is documented in zone transfer authorizations and works with Cloudflare, Route 53, NS1, BIND, PowerDNS, and any other authoritative DNS implementation that supports standard zone transfer protocols.

How does bulk registration work? Can we register 100 domains at once?

Yes, designed for it. The bulk registration workflow accepts a list of domains via API or CSV upload, runs availability checks, processes registrations in batch, and configures DNS records from a template. Common patterns we see: 50 to 200 domains for cold email agency client onboarding, 20 to 50 brand-protection registrations for a single business launching a new product line, 100+ domains for SaaS customers offering custom domains as a product feature. Bulk pricing applies at 50+ domains: 5% off list rate. At 200+ domains: 10% off. We have processed individual customer batches up to 800 domains without flagging issues at the registrar level.

What about the new gTLDs (.app, .dev, .io, etc.)?

We register most of them. Some examples: .io, .dev, .app, .ai, .co, .tech, .design, .software, .blog. The pricing varies significantly by TLD because the underlying registry rates vary. Pricing is at-cost passthrough plus our standard management fee, with no hidden markups. The handful of newer TLDs we do not register are typically those with poor abuse handling on the registry side or pricing instability. If you need a TLD not on our list, ask; we may register it through a different partner registrar specifically for your case.

Do you support the more obscure DNS features like CDS, CDNSKEY, OPENPGPKEY?

Yes, all three are supported on every tier including Free. CDS and CDNSKEY automate DNSSEC key transition (you publish the new KSK in CDS/CDNSKEY records, the parent zone picks it up automatically, no manual DS update at the registrar). OPENPGPKEY publishes PGP public keys via DNS for email cryptographic verification. SMIMEA does the same for S/MIME certificates. These are not the most-requested features but the senders who care about them tend to care a lot, and supporting them costs us almost nothing operationally so we do.

Does the Free tier have hidden catches?

No. The Free tier is genuinely free, with no time limit and no upgrade pressure. The limitations are the published ones: 5 zones, 1M queries per month, EU-only anycast, community support. If you exceed those limits, your zones are not silently degraded; we email you, you have 30 days to upgrade or reduce usage, then queries beyond the limit are rate-limited but not refused. We run the Free tier because EU sovereign DNS at the entry level should not require a payment to access, and because we believe infrastructure for small projects should be available without friction. The Free tier is funded by the paid tiers; that is the whole funding model, and there is no premium feature held back specifically to push upgrades.

How does your pricing scale at very high query volumes?

Pro tier covers up to 250 million queries per month. Above that, Enterprise pricing kicks in and the per-query rate drops significantly. Customers running billions of queries per month (large SaaS, popular consumer apps) pay roughly €0.10 per million queries on annual contracts, which is comparable to AWS Route 53 list pricing without the AWS-specific friction. We do not publish Enterprise pricing because the negotiation depends on volume commitment, contract length, and additional services. The discovery call covers it.

Can we use you as registrar for domains that have DNS hosted elsewhere?

Yes. Registrar and DNS are separate products and there is no requirement to use both together. Some customers use us as registrar (for the EU-jurisdiction registration) and run DNS on their own BIND or PowerDNS infrastructure, or on dnscale.eu, or even on Cloudflare for the CDN integration. The registration product gives you the right to specify any nameservers; we are not in the business of forcing DNS bundling. Same the other direction: customers can run DNS with us with domains registered at any other registrar, as long as the registrar lets them set custom NS records (which all reputable registrars do).

What is your stance on WHOIS privacy and the GDPR fallout from it?

WHOIS privacy is enabled by default on every domain we register where the TLD allows it. The post-GDPR landscape is uneven: gTLDs (.com, .net, .org, etc.) implement WHOIS privacy via redaction protocols that vary by registrar, ccTLDs vary by country (some redact aggressively, some not at all). For domains where privacy is not implemented at the registry level, we do not publish customer details beyond what is legally required, which usually means a registrar contact rather than the customer. Subpoena requests for WHOIS data go through proper legal process; we do not respond to copyright-cease-and-desist letters or template phishing attempts asking for customer details.

How do anycast outages or partial network failures affect DNS resolution?

Anycast routing is designed to survive partial failures. When a PoP becomes unreachable, BGP withdrawal causes resolvers to fail over to the next-closest PoP automatically, typically within seconds. The customer impact is usually limited to a brief latency increase on resolution rather than actual lookup failures. We monitor each PoP independently and we have automated alerting that fires within 30 seconds of degraded service. Historical PoP-level events have lasted under 15 minutes in 2025 and resolved without customer impact thanks to anycast failover. The architecture is designed assuming PoPs will occasionally fail; the failure mode is not "global outage", it is "local performance dip".

Do you support delegation to subdomains hosted elsewhere?

Yes, fully. NS records on any subdomain delegate that subdomain to whatever nameservers you specify, and we handle the parent zone authoritatively while letting the subdomain be served from elsewhere. Common use cases: dev.example.com hosted on a cloud DNS service for the development team, status.example.com delegated to Statuspage, branded subdomains delegated to SaaS providers that need to control their CNAME chains. The delegation works with full DNSSEC chain-of-trust if the subdomain provider supports DNSSEC, which most modern providers do. Glue records are supported for delegations that need them.

What about email-related records — MX, SPF, DKIM, DMARC, BIMI, MTA-STS?

All supported, all handled cleanly. MX records with proper priority handling. SPF as TXT records with our auto-flattening tool that helps stay under the 10-lookup limit. DKIM with TXT records up to the maximum length supported by major mailbox providers. DMARC as TXT with proper rua and ruf addressing. BIMI as TXT with VMC integration if you have one. MTA-STS via the special _mta-sts.example.com TXT record plus the well-known HTTPS endpoint (which we serve from our infrastructure if you want, or we just publish the DNS records and you serve the endpoint yourself). For customers also using our /managed-dmarc product, the integration is automatic; the DMARC records, the rua addressing, the report aggregation, all configured through one workflow.

How does the registrar selection work? Can we choose which registrar handles our domain?

For most TLDs, the registrar choice is determined by the TLD itself: .de is registered through Hetzner because they have the best operational footprint with DENIC, .com is registered through Gandi because their EU operation handles the gTLDs cleanly, .se is registered through Internetstiftelsen as the official Swedish registry for .se. For TLDs with multiple registrar options, you can specify a preference during registration. The default is whichever partner registrar gives us the cleanest operational pattern (least anti-fraud friction, best abuse handling, best support response time). If your procurement requires registration through a specific registrar that we do not currently use, we can usually accommodate, with the caveat that adding a new partner registrar takes 4 to 6 weeks to set up properly.

What happens to our domains if we cancel the DNS subscription but keep the registration?

Domain registration and DNS hosting are billed separately and can be cancelled independently. If you cancel DNS and keep registration, your zones move from our nameservers to whatever you specify; the registration continues at the registrar. If you cancel registration and keep DNS, the domain expires at the end of its current period unless you transfer it to another registrar before then; the DNS continues to serve the records. We send 30, 60, and 90 day reminders before any expiration event. Auto-renewal is opt-in, not the default; we believe customers should make active decisions about their domain renewals rather than discover charges after the fact.

Are you ICANN accredited?

Yes, our Austrian GmbH holds ICANN accreditation for the gTLDs we register directly. For TLDs we register through partner registrars (most ccTLDs and some specialty gTLDs), the partner registrar holds the accreditation and we are a reseller. The customer-facing experience is the same regardless of accreditation path; the difference matters mostly for transparency and for bulk-registration thresholds. Customers needing direct ICANN-accredited registration for compliance reasons can specify that during onboarding and we route the registrations through our directly-accredited path.

What is the difference between us and deSEC, the German non-profit DNS provider?

deSEC is excellent infrastructure operated as a non-profit by SSE in Germany. The service is genuinely free, fully open-source, and operationally serious. We are not a non-profit and we are commercial; the difference matters in three ways. First: SLA. deSEC does not offer signed SLAs because they are non-profit and cannot make those commitments responsibly; we do, with service credits, on Standard tier and above. Second: domain registration. deSEC is DNS only; we offer registration as part of the same contract. Third: support response time. deSEC support is community-driven and best-effort; ours is contractual with documented response windows. For pure free DNS hosting on hobby projects, deSEC is genuinely a great choice and we will tell you that. For anything requiring an SLA or a registrar relationship, we are the better fit.

How do you handle DNS-based DDoS attacks against our zones?

Volumetric DNS amplification attacks against authoritative nameservers are common and we are configured to absorb them. The anycast architecture distributes attack traffic across PoPs, each PoP has overprovisioned capacity for query handling, and our upstream providers have additional DDoS scrubbing available for sustained large-scale events. Most attacks resolve themselves within minutes because the anycast architecture makes single-PoP attacks ineffective; the attacker would need to target every PoP simultaneously, which is logistically harder and economically less attractive. For customers who experience sustained targeted attacks, we can coordinate additional upstream filtering at no extra cost on Pro and Enterprise tiers.

Should order confirmations and marketing use the same domain?

No. Keep transactional mail on its own subdomain with its own DKIM key and DMARC policy, separate from the subdomain that carries marketing. A promotional send that draws complaints damages the reputation of whatever domain sent it, and sharing that domain with order confirmations means the confirmation a customer is waiting for inherits the damage for weeks. The separation costs an afternoon of DNS work and a second DKIM selector, and it protects the mail that cannot afford to miss the inbox.

Three ways to start

Free tier exists, paid plans take a credit card

For Free tier, sign up directly and you are running in minutes. For paid DNS plans, the same self-service flow works with a card payment. For domain registration, the registration form takes you through TLD selection and registrar choice. For Enterprise tier or for migrations involving complex zone configurations, the discovery call is the right starting point.

Phone +43 1 205 11 80 Mon–Fri · 9–18 CET
Email [email protected] Avg response 4h business
Office Fleischmarkt 1, 1010 Wien By appointment