deSEC

What Is deSEC?

You probably think you need to pay for reliable DNS hosting. After all, DNS is the foundation of every internet service, and surely something that critical deserves enterprise-grade infrastructure with premium support and a monthly invoice. Cloudflare, AWS Route 53, and dozens of other providers are happy to reinforce that assumption — and sell you a bundle of services alongside it.

deSEC challenges that logic entirely. Run by deSEC e.V., a registered German nonprofit, this service provides authoritative DNS hosting that is completely free, permanently free, and has no premium tier waiting to capture your wallet. Every domain gets DNSSEC enabled by default — automatic key generation, signing, and rotation with zero configuration. The project is funded by donations and a grant from the German Federal Ministry of Education and Research (BMBF). There are no ads, no tracking, no data monetisation, and no commercial incentives whatsoever.

That sounds too good to be true, and in some ways it is — deSEC intentionally does less than commercial DNS providers. There is no GeoDNS, no traffic steering, no built-in CDN, no load balancing. The web interface is minimal. Record management is primarily done through a RESTful API. But what deSEC does do, it does exceptionally well: it resolves your DNS queries quickly, signs them cryptographically via DNSSEC, and does so from infrastructure that answers to EU law, not corporate quarterly earnings.

For developers, small businesses, and privacy-conscious organisations that want DNS done right without the overhead of a commercial relationship, deSEC represents something genuinely rare: infrastructure built as a public good.

Key Features

Automatic DNSSEC

DNSSEC is the headline feature, and deSEC's implementation is the best in class for ease of use. When you add a domain, DNSSEC is enabled immediately. Keys are generated automatically, records are signed automatically, and key rotation happens automatically. You do not need to understand DNSSEC internals, configure key algorithms, or manage DS records beyond the initial setup with your registrar.

This matters because DNSSEC adoption remains surprisingly low despite being a critical security measure. DNS spoofing and cache poisoning attacks are real threats, and DNSSEC is the solution — but most providers either do not support it, charge extra for it, or make configuration so complex that users give up. deSEC removes every barrier.

RESTful API

deSEC provides a clean, well-documented REST API for all DNS management operations. You can create and delete domains, manage individual record sets, and perform bulk updates programmatically. The API uses token-based authentication and returns clean JSON responses.

This API-first approach is both a strength and a limitation. It makes automation straightforward — infrastructure-as-code pipelines, CI/CD DNS updates, and Let's Encrypt DNS-01 challenges all work cleanly. But users who expect a point-and-click web interface for managing DNS records will find the experience sparse.

Dynamic DNS

deSEC supports dynamic DNS (dynDNS) for domains that need to point at changing IP addresses — home servers, IoT devices, development environments behind residential connections. You get a dedicated update endpoint that works with standard dynamic DNS clients, including those built into routers and NAS devices.

Let's Encrypt Integration

The API supports ACME DNS-01 challenges, making it straightforward to obtain wildcard SSL certificates from Let's Encrypt. Tools like acme.sh and certbot can interact with the deSEC API directly, automating certificate issuance and renewal for domains hosted on the service.

Unlimited Domains and Records

There are no artificial limits on the number of domains you can host or the number of records per domain. The only rate limiting is on API calls to prevent abuse — normal usage patterns are well within the limits.

Pricing

deSEC has one pricing tier: free. There is no premium plan, no enterprise tier, no "contact us for pricing" page. Every feature the service offers is available to every user at no cost.

The service is funded through donations (which the nonprofit actively encourages) and a grant from the BMBF, the German federal ministry responsible for research funding. This funding model means deSEC has no commercial pressure to upsell features, monetise user data, or bundle DNS with other paid services.

This is both the service's greatest strength and its most significant risk factor. Donation-funded infrastructure depends on the continued generosity of its community and the ongoing support of institutional funders. deSEC is transparent about this: the nonprofit publishes information about its funding and encourages financial contributions from users who rely on the service.

For organisations that need contractual SLAs and guaranteed support response times, the free model may not provide sufficient assurance. But for the vast majority of DNS use cases — personal projects, small businesses, open-source projects, development domains — the price-to-value ratio is literally infinite.

EU Compliance & Data Privacy

deSEC's compliance story is exceptionally clean. deSEC e.V. is a registered German nonprofit based in Berlin. All account data is processed under German law, which provides some of the strongest data protection in the EU.

The service collects minimal data — only what is technically necessary for DNS operation. There is no tracking, no analytics, no advertising, and no data sharing with third parties. The entire codebase is open-source, meaning anyone can audit exactly what the software does with user data.

For GDPR compliance, deSEC is as straightforward as it gets: a German entity, minimal data collection, no commercial data processing, full transparency through open source. There are no data transfers to non-EU jurisdictions for account management.

Who It's Best For

Privacy-conscious developers and sysadmins who want DNS hosting from a nonprofit with no commercial data incentives. If you care about who operates your DNS infrastructure and why, deSEC's nonprofit model is uniquely transparent.

Open-source projects that need reliable DNS hosting without budget allocation. Unlimited domains and records at no cost removes DNS from the expense column entirely.

Home server and IoT operators who need dynamic DNS with DNSSEC — a combination that most providers do not offer at any price, let alone free.

Security-focused organisations that want DNSSEC on all domains without the configuration complexity. If you have been meaning to enable DNSSEC but never got around to it, deSEC removes every excuse.

The Verdict

deSEC will not replace Cloudflare for organisations that need a CDN, WAF, and traffic management alongside DNS. It will not satisfy enterprise procurement teams that require contractual SLAs and 24/7 phone support. What it will do is provide rock-solid DNS hosting with the best automatic DNSSEC implementation available, from a nonprofit that exists to make the internet more secure rather than to extract revenue. In an infrastructure landscape dominated by commercial incentives, that is genuinely refreshing — and for many use cases, it is exactly enough.

Frequently Asked Questions

Is deSEC reliable enough for production domains?

deSEC uses an anycast DNS network and is used by thousands of production domains. However, it does not offer commercial SLAs. For mission-critical domains, consider using deSEC as your primary provider alongside a secondary DNS service for redundancy.

How do I manage DNS records without a web interface?

deSEC provides a RESTful API with comprehensive documentation. You can use curl, httpie, or any HTTP client to manage records. Third-party tools and scripts that integrate with the deSEC API are also available. A basic web interface exists for account management and domain overview.

Can I transfer my domains to deSEC from Cloudflare or Route 53?

You do not transfer domain registration to deSEC — it is a DNS hosting service, not a registrar. You update your domain's nameservers at your registrar to point to deSEC's nameservers, then manage DNS records through the deSEC API.

Is deSEC suitable for large-scale deployments?

deSEC can host unlimited domains and records, but the service is designed for general-purpose DNS hosting. Organisations with complex requirements like GeoDNS, weighted routing, or health-check-based failover will need a commercial provider.

How is deSEC funded if it is free?

deSEC e.V. is funded by individual and organisational donations and a research grant from the German Federal Ministry of Education and Research (BMBF). The nonprofit is transparent about its funding model and actively encourages contributions from users who depend on the service.