DNScale Infrastructure and EU Operations

This page is the operational reference for DNScale's infrastructure and EU operating model — the auditable facts behind what we sell. It exists for two audiences: customers doing supply-chain due diligence under NIS2 Article 21(2)(d) or equivalent regulations, and engineers evaluating whether DNScale's network meets their latency, resilience, and compliance requirements.

We update this page as the network changes — new PoPs, new peers, new certifications. The most current state is always here; the DNScale status page and post-incident blog cover live operational state.

Two Anycast Networks — EU and Global

DNScale operates two distinct anycast networks, each with its own Autonomous System (AS) number:

EU Network

The EU network announces nameserver IP space only from PoPs located in the European Union and EEA, and only to peers that route the announcements within those jurisdictions. The result: a query from a European recursive resolver lands on a European DNScale PoP and the answer is computed at a European-jurisdictional server. No transit through non-EU networks under normal conditions.

The EU network is the right choice when:

• Your sector requires single-jurisdiction DNS service (financial, public administration, energy, healthcare under NIS2)
• Your DPA requires data residency for query traffic
• You operate under EU competition or sovereignty mandates

For the operational details — nameserver hostnames, routing policy, regional behaviour — see DNS Delegation for DNScale Regions.

Global Network

The Global network announces a separate set of nameserver IP space from PoPs distributed across multiple continents. It serves queries with the lowest latency available worldwide — North America, South America, Europe, the Middle East, Africa, Asia, and Oceania presence as the network expands.

Customers that aren't subject to EU-jurisdictional constraints — or that have customers worldwide — typically use the Global network or the combined EU_GLOBAL nameserver set, which prefers EU PoPs for European resolvers and falls back to global PoPs everywhere else.

How a query flows

A typical query path on the EU network:

1. Resolver sends UDP/53 query to one of DNScale's EU nameserver IPs (e.g., ns1.dnscale.eu).
2. BGP, advertised from every EU PoP under DNScale's EU AS, routes the query to the topologically closest PoP — typically a sub-10ms hop from major European metros.
3. The PoP's authoritative server responds with the cached, signed answer.
4. RTT for cached answers is dominated by network RTT, typically 5–25ms within Europe.

For the architecture in detail, see Global DNS Resolution Balancing and What is an Anycast DNS Network?.

Network Footprint

DNScale's PoPs are located in metros chosen for IXP density, eyeball-network proximity, and regulatory clarity. The current set spans:

• European metros: Frankfurt, Amsterdam, London, Paris, Madrid, Milan, Stockholm, Warsaw (and continuing expansion)
• Global metros: New York, Ashburn, San Francisco, São Paulo, Singapore, Tokyo, Sydney (Global network)

Live status, including any PoP under maintenance or in planned expansion, is on the DNScale Network page.

Peering

DNScale peers directly at the major European IXPs:

• DE-CIX Frankfurt — Europe's largest IXP, anchor for our German and broader continental presence
• AMS-IX Amsterdam — primary Dutch and northwestern European exchange
• LINX London — UK and northwestern European reach
• Additional regional IXPs as PoP expansion warrants

Direct peering with major European ISPs and content networks shortens the query path for residential and enterprise eyeball traffic, removes dependency on transit for the hot path, and provides BGP signal we control directly during incident response.

The Global network peers at strategic IXPs in each continent — Equinix metro IXPs in North America, the LACNIC-region exchanges in South America, Asian and Oceanian exchanges as the global footprint grows.

AS Numbers and Public Verification

DNScale operates under its own AS numbers — one for the EU network and one for the Global network. AS-level operation (rather than running as a tenant inside a larger provider's AS) gives us:

• Direct BGP control for our anycast announcements
• Independent auditability through RIPE NCC, public looking glasses, and route registries
• Withdrawal-based incident response — we can withdraw an unhealthy PoP from BGP within seconds without coordinating through an upstream

The AS numbers are published on our Network page and verifiable via standard tools (whois -h whois.ripe.net AS{N}, bgp.tools, RIPE Stat). Inbound traffic patterns and announced prefixes are public information by design — that's how the routing system works.

Compliance and Certifications

DNScale's compliance posture is built around three anchors:

GDPR

DNScale processes DNS query metadata as a data processor for customers; the legal frameworks, DPA terms, and processing-purpose disclosures are on the Privacy Policy. Notable choices:

• DNS query traffic on the EU network does not transit to non-EU PoPs in normal operation
• Subprocessor list is published and updated; customers are notified before changes
• Data subject access requests are supported through the standard contact channel
• Tax and billing data flow through Stripe, an EU-active payment processor

NIS2

NIS2 names DNS providers explicitly in Annex I as essential entities. DNScale operates under the relevant national supervisory regime for its EU domicile. The NIS2 and DNS guide covers the obligations in detail; our specific posture:

• Documented Article 21 risk-management measures (incident handling, cryptography, supply-chain controls)
• Incident-reporting workflow aligned to the 24h / 72h / 1-month timelines
• DNSSEC support with modern algorithms and HSM-backed key storage
• MFA on operator and customer interfaces, scoped API keys, full audit logs
• Multi-region anycast for resilience; multi-provider readiness via Terraform / DNSControl

ISO 27001

ISO 27001 (Information Security Management Systems) is DNScale's foundational security certification. Scope, status, and certificate availability are published on the website. ISO 27001 controls map cleanly to NIS2 Article 21, simplifying compliance for customers that need both.

Other certifications

Additional industry certifications (PCI DSS, HIPAA, SOC 2 Type II) are pursued in line with customer demand. Current status is published on the website and updated as audits complete. If a specific certification is a contractual requirement for your sector, contact us to discuss timing.

Security Posture and Public Artefacts

DNScale publishes the conventional public security artefacts:

• security.txt at /.well-known/security.txt — vulnerability disclosure email and disclosure policy
• Security contact page at /security — PGP publication status and reporting instructions
• Vulnerability disclosure policy documenting scope, expected response times, and safe-harbour provisions for good-faith research
• Post-incident reports published on the blog when significant incidents occur (real, technical, accountable)

We treat public post-incident transparency as load-bearing for trust. When we mess up, we say what happened, why, what we changed, and what customers should do. That accountability is in lieu of named-engineer bylines on technical content — see the EEAT discussion below.

Operational transparency over personal bylines

DNScale does not publish individual author or reviewer bylines on its Learning and blog content. Authority and trust at DNScale are built at the organisational level — through:

• The public network footprint that anyone can verify via BGP
• Public certifications and audit reports
• Detailed, technical post-incident reports
• Specific, accountable status communication
• This page — operational facts, not marketing claims

We think this is a better trust signal for an infrastructure provider than personal bios would be. The work speaks for itself; the operations are auditable; the incidents are publicly handled.

EU Operating Model

DNScale's EU operating model is built around three principles:

1. EU domicile and EU governing law

DNScale operates as an EU-domiciled entity. Customer contracts use EU governing law and EU dispute resolution. This makes due diligence simpler for in-scope customers: a single jurisdiction, a single supervisory authority, GDPR-aligned default.

2. EU jurisdictional isolation as a deliberate option

The EU anycast network exists so customers can confine DNS query traffic to European jurisdictional space when they need to. Many DNS providers offer "EU presence"; few offer "EU only." DNScale gives you both — choose the EU network if you need isolation, the Global network if you need worldwide low latency, the combined EU_GLOBAL set if you need both with EU-preferred routing.

3. Engineering operations independent of any larger group

DNScale is an independent provider — not part of a larger telecom, hyperscaler, or holding group. Engineering, on-call, and incident response are run by the DNScale team. This means our incentives and our customers' incentives align directly: when DNS is broken, the same people who built the system are the ones answering the page.

Where to Look Next

• DNScale Network page — live PoP status, BGP announcements, capacity claims
• DNScale Status page — real-time operational status
• Privacy Policy — full GDPR disclosure
• Terms of Service — contract framework
• Pricing — plans, PAYG, and what's included
• Blog — release notes, post-incident reports, technical writing
• security.txt — vulnerability disclosure

Related Reading

• NIS2 and DNS Compliance — regulatory mapping for in-scope entities
• Best EU DNS Providers — evaluation framework
• GDPR-Compliant DNS Providers — adjacent regulatory framing
• DNScale vs Cloudflare — EU jurisdiction comparison
• Anycast DNS Network — how the underlying network works
• Global DNS Resolution Balancing — how queries are steered to the closest PoP