RECURRING | ANYCAST + DNSSEC | 99.99% SLA | EUR 59/MONTH

Authoritative DNS on global anycast with DNSSEC, query analytics, DDoS mitigation built in, and 99.99% SLA backed by service credits.
25 zones, 5M queries per zone monthly, REST API plus Terraform provider, EU-only or global data residency per zone.

Registrar-bundled DNS typically runs unicast from one or two geographic locations; users on other continents experience 200-400ms DNS resolution latency that compounds into perceived page load slowness. Anycast distributes the same IP across multiple geographic edge nodes so users hit the nearest node within 30-80ms typically. The FitGap February 2026 managed DNS comparison documents this as the primary operational driver for upgrading from registrar DNS. Registrar-bundled DNS rarely offers contractual uptime guarantees beyond marketing language; managed DNS operators publish 99.99% or 100% SLAs with service credit policies and bake DDoS mitigation into the anycast infrastructure because absorbing attacks is a structural part of running anycast at scale.

DNS Hosting Managed operates authoritative DNS hosting for your zones on a global anycast network. Up to 25 zones are hosted on anycast nameservers with edge presence in EU, North America, Asia-Pacific, and South America. DNSSEC is available per zone with managed key lifecycle (ZSK rotates every 30 days, KSK rotates annually). Full record type support including modern types (HTTPS/SVCB per RFC 9460, TLSA for DANE, CAA for certificate authority constraints). 99.99% SLA with documented service credit policy. DDoS mitigation built into the anycast layer. Query analytics per zone covering volume, latency, resolver subnet distribution. REST API and Terraform provider for infrastructure-as-code. Role-based access control with audit logging. EU-only residency option for GDPR posture or global anycast for performance-first operations, configurable per zone. EUR 59 per month covering up to 25 zones and 5 million queries per zone per month combined.

Monthly price: EUR 59
Zones: Up to 25
SLA: 99.99%
Anycast edge: 4 regions
tier comparison

Three subscription tiers matching different operational profiles.

The Standard tier covers most operations. Premium adds secondary DNS for 100% availability through architectural redundancy. Enterprise covers high-volume operations beyond the standard 5M queries per zone monthly.

| Feature | Standard | Premium | Enterprise |
| --- | --- | --- | --- |
| Monthly price (EUR) | 59 | 119 | quoted |
| Zones included | Up to 25 | Up to 50 | Unlimited |
| Queries per zone per month | 5 million | 25 million | Custom |
| SLA | 99.99% | 100% (via secondary DNS) | 100% with custom credit policy |
| Secondary DNS failover | Available add-on EUR 49/month | Included | Included |
| DNSSEC | Per-zone enable, managed lifecycle | Per-zone enable, managed lifecycle | Custom algorithm support |
| DDoS mitigation | Anycast-layer absorption | Anycast + dedicated scrubbing tier | Custom dedicated capacity |
| Query analytics retention | 90 days | 365 days | Custom |
| API rate limits | 1,000 req/min | 5,000 req/min | Custom |
| Support response time | 12 hours | 2 hours | 15 minutes with on-call |

Add-ons available across all tiers: Geo/latency traffic steering (EUR 29/month per zone), DNS health check failover (EUR 19/month per record), GeoIP routing analytics (EUR 19/month), custom anycast PoP deployment (quoted).

why this exists

The structural difference between registrar DNS and managed anycast DNS.

DNS hosting is the part of the infrastructure stack most operations think about least. Domain registered at registrar X, DNS configured through registrar X dashboard, change a record when needed, never look at it otherwise. The pattern works for low-volume low-stakes operations. The pattern produces predictable problems for higher-volume operations where DNS performance and availability become operationally consequential.

The first problem is latency. Registrar-bundled DNS typically runs from one or two geographic locations. GoDaddy DNS runs primarily from US data centres. Namecheap DNS runs primarily from US East. European registrars run primarily from European data centres. When a user in Singapore queries a domain hosted on unicast US DNS, the resolver-to-authoritative round-trip takes 200-300ms even before the actual DNS response gets returned. The latency compounds into perceived page load slowness because DNS resolution happens before any HTTP request, before TLS handshake, before content delivery. Anycast distributes the same IP across multiple geographic edge nodes so the query routes to the nearest location: Singapore user hits Singapore anycast node typically within 30-80ms.

The second problem is SLA. Registrar-bundled DNS rarely offers contractual uptime guarantees beyond marketing language. When something goes wrong (DDoS attack, routing change, internal outage), users experience DNS resolution failures and the registrar has no contractual obligation beyond best-effort. The FitGap February 2026 managed DNS comparison documents this gap explicitly: registrar-bundled DNS is single-region, lacks health-check failover, and offers no contractual uptime guarantee. Managed DNS operators publish 99.99% or 100% SLAs with service credit policies and bake DDoS mitigation into the anycast infrastructure. Service credits for SLA breaches keep the operator accountable; marketing language alone does not.

The third problem is DNSSEC. DNSSEC provides cryptographic verification that DNS responses have not been tampered with in transit. Required for DANE deployment, recommended for compliance posture, mandated by some regulatory frameworks (BSI TR-03108 for German federal email security, certain ICANN registry policies for high-trust zones). Many registrar-bundled DNS plans do not support DNSSEC. Some support it but require manual key management that operators rarely execute correctly. Managed DNS providers support DNSSEC with automated key lifecycle: ZSK rotation every 30 days, KSK rotation annually with DS record coordination at registry. The automation removes the operational barrier that keeps DNSSEC adoption low.

The fourth problem is modern record types. The DNS ecosystem continues evolving. HTTPS and SVCB record types (RFC 9460) deployed in 2024-2025 enable encrypted DNS resolution and protocol selection at the DNS layer rather than requiring TLS handshake first. TLSA records for DANE enable TLS certificate binding to DNS for email and HTTPS security. CAA records constrain which certificate authorities can issue certificates for your domain. Modern DNS operations deploy these record types as part of baseline security posture. Many registrar-bundled DNS plans do not support HTTPS, SVCB, or TLSA records. Operations needing them must migrate to managed DNS or self-host.

The fifth problem is automation and observability. Registrar-bundled DNS typically offers a web dashboard for manual record management. Changes get made by clicking through the dashboard, with no version control, no review workflow, no rollback capability beyond memory of what the record value was previously. Managed DNS providers offer REST API and Terraform/DNSControl providers for infrastructure-as-code workflows where DNS gets version-controlled alongside other infrastructure, changes get reviewed through pull requests, rollback is simply reverting a commit. Query analytics surface zone usage patterns, latency distribution, resolver subnet distribution that informs capacity planning and identifies anomalies. The Stackit DNS October 2025 documentation and DNScale 2026 product guide both document infrastructure-as-code DNS as the operational pattern for mature operations.

monthly deliverables

What runs continuously across the anycast network.

01

Anycast resolution

Authoritative responses from nearest edge node. EU, North America, Asia-Pacific, South America anycast presence. Typical p99 latency 30-80ms globally.

02

DNSSEC per zone

Per-zone DNSSEC enable through dashboard or API. Managed key lifecycle: ZSK 30-day rotation, KSK annual with DS coordination. Algorithms 8 (RSASHA256) and 13 (ECDSAP256SHA256) supported.

03

Modern record types

Full support for A, AAAA, CNAME, MX, TXT, SRV, CAA, HTTPS, SVCB, TLSA, NAPTR, PTR (for delegated reverse zones). RFC 9460 HTTPS/SVCB supported since deployment in 2024.

04

DDoS mitigation

Built into anycast layer: amplification absorbed across distributed edge, reflection traffic dropped at edge, volumetric attacks distributed rather than concentrated. Premium tier adds dedicated scrubbing capacity.

05

Query analytics

Real-time per-zone analytics covering query volume, response latency distribution per edge, resolver subnet distribution, query type breakdown. 90-day retention standard, 365-day Premium.

06

REST API and Terraform

Native Terraform provider for full DNS-as-code workflows. REST API with OpenAPI spec. DNSControl provider supported. Per-user API tokens with RBAC scoping and optional IP allowlist.

07

Data residency options

Per-zone configuration: EU-only (zone data and anycast edge restricted to EU jurisdictions for GDPR posture) or global (replication to all anycast edge for performance). Configurable per zone, not just per subscription.

08

SLA with service credits

99.99% standard SLA measured by external monitoring nodes. Service credit policy: 99.0-99.99% triggers 10% credit, 95-99% triggers 25%, below 95% triggers 50%. Credits apply to following month.

when this fits

Operational profiles where managed DNS pays for itself.

01

Operations with global users

Operations serving users across multiple continents where unicast DNS latency adds 200-400ms to every page load. Anycast resolution within 30-80ms globally is meaningful for user-perceived performance.

02

BSI TR-03108 compliance

German federal email security standard requiring DNSSEC for compliance. Many registrar-bundled DNS plans do not support DNSSEC; this subscription provides DNSSEC as a standard per-zone capability.

03

Operations needing GDPR data residency

EU-only data residency option restricts zone data and anycast edge to EU jurisdictions. Matches operations needing zone data (including TXT records with operational metadata) within GDPR jurisdiction.

04

Operations deploying DANE

DANE requires TLSA records signed under DNSSEC. Many registrar DNS plans support neither; this subscription provides both as standard. Pairs with the TLS Certificate Setup engagement.

05

Operations with mature DevOps

Operations managing infrastructure as code through Terraform or DNSControl. The native Terraform provider lets DNS join the rest of the version-controlled infrastructure rather than living in a dashboard.

06

Operations under DDoS targeting

Operations with attack history or vertical-specific DDoS risk (gaming, crypto, controversial content). Anycast DDoS absorption protects DNS availability when registrar-bundled DNS would collapse.

questions before you subscribe

Frequently asked.

What does DNS Hosting Managed deliver?

Monthly subscription operating authoritative DNS hosting for your zones on a global anycast network. Up to 25 zones hosted on anycast nameservers with edge presence in EU, North America, Asia-Pacific, and South America. DNSSEC available per zone with DS record coordination at registry. Full record type support (A, AAAA, CNAME, MX, TXT, SRV, CAA, HTTPS, SVCB, TLSA, NAPTR, PTR for delegated reverse zones). 99.99% SLA on resolution availability with a documented service credit policy. DDoS mitigation. Query analytics per zone. REST API and Terraform provider. EU-only data residency option or global anycast. EUR 59 per month covering up to 25 zones and 5 million queries per zone per month.

Why use managed DNS rather than registrar-bundled or self-hosted?

Three operational differences. Anycast vs unicast distribution: registrar-bundled DNS typically runs unicast from one or two locations; anycast distributes the same IP across multiple geographic edge nodes for typical resolution within 30-80ms globally. SLA and DDoS mitigation: registrar-bundled DNS rarely offers contractual uptime guarantees beyond marketing language; managed DNS publishes 99.99% or 100% SLAs with service credit policies and bakes DDoS mitigation into anycast infrastructure. DNSSEC and modern record types: many registrar-bundled DNS plans do not support DNSSEC; most do not support modern record types like HTTPS/SVCB (RFC 9460) or TLSA for DANE.

What is the SLA and service credit policy?

99.99% monthly SLA measured as authoritative response availability across the anycast network. External monitoring nodes distributed globally query each customer zone every 60 seconds. Service credit policy: 99.0-99.99% availability triggers 10% monthly credit; 95.0-99.0% triggers 25% credit; below 95.0% triggers 50% credit. Service credits apply to the following month subscription. Operations needing stronger SLA (100%) can opt into Premium tier (EUR 119/month) which includes secondary DNS hosting on a separate provider as automatic failover.

How does DNSSEC work on this service?

DNSSEC available per zone with managed key lifecycle. Customer enables DNSSEC for a specific zone through the dashboard or API; service generates ZSK and KSK; zone data signed; DS record prepared for publication at parent registry. Customer publishes DS at registry. Key rotation handled automatically: ZSK rotates every 30 days, KSK rotates annually with DS record update coordinated with customer. Algorithm options: RSASHA256 (algorithm 8, broad compatibility), ECDSAP256SHA256 (algorithm 13, smaller signatures, recommended for new zones).
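The DS step above is where rollovers usually go wrong, so here is an added example (not the service's own code) that derives the SHA-256 DS record from a DNSKEY and checks whether the DS set at the registry still matches a KSK in the zone. The keys are constructed byte patterns standing in for algorithm 13 public keys, and `example.com` is a placeholder zone.

```python
"""Check that the DS set at the parent still matches a KSK in the child zone."""
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (applies to algorithms 8 and 13)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_for(owner, flags, algorithm, public_key):
    """Return (key_tag, algorithm, digest_type, digest) using SHA-256 (type 2)."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def chain_status(owner, parent_ds, child_dnskeys):
    """Compare the parent's DS set with the child's KSKs (flags 257)."""
    published = {(t, a, dt, d.upper()) for t, a, dt, d in parent_ds}
    matched, unmatched = [], []
    for flags, algorithm, public_key in child_dnskeys:
        if flags != 257:  # by convention DS records point at the KSK, not the ZSK
            continue
        ds = ds_for(owner, flags, algorithm, public_key)
        (matched if ds in published else unmatched).append(ds[0])
    # "intact" is False when no KSK has a DS: validating resolvers then fail the zone.
    return {"intact": bool(matched), "matched": matched, "no_ds_yet": unmatched}

# Constructed keys: byte patterns standing in for 64-byte algorithm 13 public keys.
OLD_KSK = (257, 13, bytes(range(64)))
NEW_KSK = (257, 13, bytes(range(64, 128)))
ZSK = (256, 13, bytes(range(128, 192)))
PARENT_DS = [ds_for("example.com", *OLD_KSK)]  # DS currently published at the registry

if __name__ == "__main__":
    print("DS to publish:", ds_for("example.com", *NEW_KSK))
    # Mid-rollover: both KSKs in the zone, registry still lists only the old DS.
    print(chain_status("example.com", PARENT_DS, [OLD_KSK, NEW_KSK, ZSK]))
    # Old KSK removed before the registry was updated: the chain of trust is broken.
    print(chain_status("example.com", PARENT_DS, [NEW_KSK, ZSK]))
```

Running the same comparison against the live DS and DNSKEY sets before retiring the old KSK confirms the registry update actually landed.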

What is the difference between EU-only and global residency?

EU-only data residency restricts both zone data storage and anycast edge presence to EU jurisdictions. Trade-off: users outside EU experience longer resolution latency (typically 100-200ms additional for North America, 200-400ms for Asia-Pacific). Global residency allows zone data replication to global anycast nodes for low-latency resolution worldwide. The choice is configurable per zone, not just per subscription, so operations can mix EU-only zones (internal services, GDPR-scoped infrastructure) with global zones (public marketing properties, content distribution).

How do query analytics work?

Real-time analytics covering four dimensions: query volume per zone over time (queries-per-second graphs, daily/weekly/monthly summaries); response latency distribution per edge node (p50, p95, p99 latency by geographic region); resolver subnet distribution (which recursive resolvers query your zones, geographic breakdown); query type breakdown (A vs AAAA vs MX vs TXT vs CAA etc). Analytics retained 90 days hot tier (Standard), 365 days Premium tier. Operations needing longer retention can integrate with Log Retention Compliance subscription for WORM-tier 12-month retention.

What about Terraform and infrastructure-as-code?

Native Terraform provider for full DNS-as-code workflows. Supports zone creation and deletion, record management (all record types), DNSSEC enable/disable per zone, residency option per zone, access control configuration. The DNSControl tool from Stack Exchange is also supported through a custom provider. REST API documented with full OpenAPI spec for any operations needing direct API integration. API authentication via per-user API tokens with RBAC scoping (read-only vs read-write vs admin) and an optional IP allowlist.

How does this interact with the Hosting + Domains Bundle?

The bundle includes DNS hosting on ASH-managed authoritative nameservers as part of the setup. For bundle customers, this subscription is not separately needed; DNS hosting is bundled. This subscription exists for operations that have domain registration elsewhere but want managed DNS hosting on ASH infrastructure. The patterns are mutually exclusive on a per-zone basis; a zone is either in the bundle (which includes DNS hosting) or in this subscription (DNS hosting only).

DNS infrastructure architecture for production sending operations

Production sending operations have DNS requirements that generic DNS hosting does not address well. The specific patterns that matter: authoritative DNS with very high availability (DNS failures produce immediate delivery problems), DNSSEC signing for senders whose audiences include receivers that validate DNSSEC, geographic distribution of nameservers to minimize lookup latency for receivers worldwide, programmatic DNS management through APIs that integrate with operational automation.

Our DNS hosting runs across geographically distributed authoritative nameservers (12 anycast locations across 7 jurisdictions as of 2026). The anycast configuration produces sub-50ms DNS resolution from major receiver geographies, which matters because DNS lookup latency contributes to overall delivery time for transactional senders where every millisecond matters.

The infrastructure handles DNSSEC signing for senders requiring it (an increasing fraction as receivers add DNSSEC validation to their authentication evaluation). The signing operates through the standard NSEC3 implementation with key rotation on a 90-day cadence; the rotation discipline matters because expired DNSSEC keys break DNS resolution at validating resolvers entirely rather than producing soft failures.

API access for programmatic DNS management is part of the standard tier rather than a premium add-on. The API supports the operations production sending operations need: SPF record management with automatic include consolidation, DKIM record management with rotation integration, MTA-STS DNS record management with id-value synchronization, dynamic record updates for IP migrations or infrastructure changes.

SPF flattening and lookup limit management

The SPF specification (RFC 7208) limits the number of DNS-querying mechanisms and modifiers to 10 per evaluation, and exceeding that limit is the most common SPF problem operators encounter at scale. Each include statement, each lookup-producing mechanism, each redirect contributes to the lookup count. Production operations with multiple ESPs, multiple sending sources, and historical accumulated configurations frequently exceed the limit.

Our SPF flattening service automates the resolution: parsing the SPF record to identify all the IP ranges and authorized senders it references, flattening the include chain into direct ip4 and ip6 mechanisms, publishing the flattened record with periodic refresh to catch upstream changes. The pattern keeps the lookup count under the limit while preserving the operational meaning of the original SPF policy.

The flattening refresh runs daily by default; operators can configure shorter or longer cycles based on how dynamic their upstream sender configurations are. ESP operations that frequently change their authorized IP ranges benefit from shorter refresh; operations with stable sender lists can use longer refresh to reduce DNS update volume.

For operators uncertain whether SPF flattening is appropriate for their configuration, the diagnostic check is running the validator on this site against the current SPF record. Configurations near the 10-lookup limit benefit from flattening preemptively before reaching the limit; configurations well below the limit do not need flattening as long as they are not actively expanding.
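The lookup count and the flattening step described in this section, as an added example rather than the service's implementation: it counts DNS-querying terms across the include chain and replaces each include with the ip4/ip6 ranges behind it. The zone data is constructed (hypothetical domains, documentation address ranges) and held in a dictionary so the code runs without network access.

```python
"""Count SPF DNS lookups and flatten include chains over constructed TXT data."""
import re

LIMIT = 10  # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=](\S+))?(/\S+)?", re.I)

# Constructed sample records; every name and address here is a placeholder.
ZONE = {
    "example.com": "v=spf1 a mx include:spf.esp-one.example include:spf.esp-two.example "
                   "include:spf.crm.example ip4:192.0.2.10 -all",
    "spf.esp-one.example": "v=spf1 include:a.esp-one.example include:b.esp-one.example ~all",
    "a.esp-one.example": "v=spf1 ip4:198.51.100.0/26 ~all",
    "b.esp-one.example": "v=spf1 ip4:198.51.100.64/26 ip6:2001:db8:1::/48 ~all",
    "spf.esp-two.example": "v=spf1 include:a.esp-two.example include:b.esp-two.example ~all",
    "a.esp-two.example": "v=spf1 ip4:203.0.113.0/27 ~all",
    "b.esp-two.example": "v=spf1 ip4:203.0.113.32/27 ~all",
    "spf.crm.example": "v=spf1 include:a.crm.example include:b.crm.example -all",
    "a.crm.example": "v=spf1 ip4:192.0.2.128/28 ~all",
    "b.crm.example": "v=spf1 ip4:192.0.2.144/28 ~all",
}

def parse(record):
    """Yield (qualifier, name, value, raw_term) for each term after v=spf1."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for raw in parts[1:]:
        m = TERM.fullmatch(raw)
        if not m:
            raise ValueError(f"unparseable term: {raw}")
        yield m.group(1), m.group(2).lower(), m.group(3), raw

def fetch(domain, zone, path):
    """Return the record for domain, rejecting include loops and missing records."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    if domain not in zone:
        raise ValueError(f"no SPF record for {domain}")
    return zone[domain]

def count_lookups(domain, zone, path=frozenset()):
    """Worst-case number of DNS-querying terms, following include and redirect."""
    total = 0
    for _q, name, value, _raw in parse(fetch(domain, zone, path)):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(value, zone, path | {domain})
    return total

def collect_ips(domain, zone, path=frozenset()):
    """ip4/ip6 terms that make an include of this domain evaluate to pass."""
    out = []
    for q, name, value, _raw in parse(fetch(domain, zone, path)):
        if name in ("ip4", "ip6"):
            if q in ("", "+"):  # only pass-qualified ranges authorize a sender
                out.append(f"{name}:{value}")
        elif name == "include" and q in ("", "+"):
            out.extend(collect_ips(value, zone, path | {domain}))
        elif name in LOOKUP_TERMS:  # a/mx/ptr/exists need live resolution; refuse
            raise ValueError(f"{domain}: cannot flatten '{name}' offline")
    return out

def flatten(domain, zone):
    """Rewrite the record with each pass-qualified include replaced by its ranges."""
    terms = []
    for q, name, value, raw in parse(fetch(domain, zone, frozenset())):
        expand = name == "include" and q in ("", "+")
        for term in (collect_ips(value, zone, frozenset({domain})) if expand else [raw]):
            if term not in terms:
                terms.append(term)
    return "v=spf1 " + " ".join(terms)

if __name__ == "__main__":
    print("lookups before:", count_lookups("example.com", ZONE), "limit:", LIMIT)
    flat = flatten("example.com", ZONE)
    print(flat)
    print("lookups after:", count_lookups("example.com", {"example.com": flat}))
```

The flattened record is a snapshot of the upstream ranges at one moment, which is why the periodic refresh matters: a range an ESP adds later is not authorized until the record is regenerated.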

DNS for multi-jurisdictional sending operations

Operators running sending infrastructure across multiple jurisdictions benefit from DNS infrastructure that supports the multi-jurisdictional model rather than requiring all DNS to operate from a single location. Our DNS infrastructure runs across the same seven jurisdictions as our hosting (Bulgaria, Romania, Moldova, Ukraine, Panama, Hong Kong, Singapore) with per-jurisdiction authoritative service.

The structural benefit of per-jurisdiction DNS is that legal-process exposure for DNS data tracks the geographic distribution of DNS service rather than concentrating in a single jurisdiction. Court orders affecting DNS in one jurisdiction do not automatically affect DNS service in other jurisdictions; the operational continuity matters for sending operations that depend on DNS availability.

Customer-side configuration for multi-jurisdictional DNS follows standard DNS patterns: NS records list all the authoritative nameservers, receivers resolve through whichever nameserver responds fastest, DNS data is consistent across all nameservers through the same authoritative source. The configuration is transparent to receivers; they see standard DNS resolution behavior with no indication of the multi-jurisdictional underlying infrastructure.

For operators with specific data residency requirements affecting DNS (some compliance frameworks require DNS data residency to match application data residency), our infrastructure supports jurisdiction-locked DNS hosting where the authoritative service operates only within specified jurisdictions. The configuration is operationally transparent to receivers but produces the data-residency properties that the compliance framework requires.

DNS hosting service tiers and migration patterns

DNS hosting service comes in three tiers reflecting the operational sophistication that different sender types need. The standard tier at EUR 29 monthly covers single-domain operations with standard authoritative DNS, API access, and basic monitoring. Suitable for most operations with stable DNS configurations.

Professional tier at EUR 99 monthly adds DNSSEC signing, SPF flattening, MTA-STS DNS coordination, multi-domain management with cross-domain reference tracking. Suitable for operations with active DNS management requirements or multi-domain infrastructure.

Enterprise tier at EUR 299 monthly adds multi-jurisdictional DNS coordination, custom integration with operator infrastructure, dedicated DNS performance monitoring, audit-grade documentation of DNS changes. Suitable for ESP operations or organizations with compliance requirements affecting DNS infrastructure.

Migration to our DNS hosting typically completes in 1-2 weeks. The phases: zone analysis and validation, parallel deployment with existing DNS provider, DNS query traffic shifting through TTL coordination, decommissioning of legacy DNS infrastructure once traffic shift completes.

DNS hosting compliance and audit considerations

For organizations with compliance frameworks that include DNS infrastructure requirements, our DNS hosting produces audit evidence that supports common framework requirements. The evidence covers DNS data integrity (cryptographic hashes of zone data with chain of custody), DNS change history (timestamps and operator attribution for every DNS change), DNSSEC signing evidence (key generation, rotation, and destruction events), DNS availability metrics (uptime statistics and performance data).

Common compliance framework mappings: SOC 2 CC7.3 (system monitoring) covers DNS availability and performance evidence; ISO 27001 A.8.20 (network controls) covers DNS infrastructure documentation; HIPAA Security Rule 164.312 (technical safeguards) covers DNS data integrity and access control evidence. Our standard evidence package addresses these mappings without requiring auditor-side translation work.

For organizations under GDPR Article 30 documentation requirements, the DNS hosting service maintains records of processing activities sufficient to demonstrate compliance. The records cover what DNS data is processed, how it is stored, what retention applies, who has access, and how access is logged. The documentation is structured to support GDPR supervisory authority inquiries with minimal additional preparation.

Subscribe to DNS Hosting Managed.

Subscription starts the first business day of the month after confirmation. Zone setup and customer configuration completes in 1-3 business days depending on zone count and migration scope. EUR 59 per month Standard tier covering up to 25 zones and 5 million queries per zone per month. Monthly billing with no minimum commitment; annual billing offers 10% discount.

Median Telegram response: 12 minutes during operating hours