DNScale Infrastructure and EU Operations
DNScale's network footprint, AS numbers, peering posture, security posture, and EU operating model — the operational facts behind the platform.
Answer snapshot
As of 2026-06-06, DNScale runs two distinct anycast networks — an EU-scoped network that originates and serves nameserver space from EU/EEA PoPs, and a Global network for worldwide low-latency resolution. Both are operated under DNScale's own Autonomous System (AS) numbers, peer at major European IXPs, and serve queries from PoPs distributed across European and global metros. EU operations are run by DNScale OÜ, an Estonian EU-domiciled entity under Estonian law and EU data-protection frameworks, supporting NIS2 and GDPR due diligence for customers that need European operational governance.
What you'll learn
- Understand DNScale's two-AS architecture (EU and Global) and when each is queried
- Identify the IXPs and metros where DNScale has anycast presence
- Map DNScale's compliance posture to NIS2, GDPR, and sector-specific requirements
- Locate DNScale's public security artefacts (security.txt, disclosure policy, post-incident reports)
This page is the operational reference for DNScale's infrastructure and EU operating model — the auditable facts behind what we sell. It exists for two audiences: customers doing supply-chain due diligence under NIS2 Article 21(2)(d) or equivalent regulations, and engineers evaluating whether DNScale's network meets their latency, resilience, and compliance requirements.
We update this page as the network changes — new PoPs, new peers, and certification status changes. It is intended to be the public operational reference; the DNScale status page and post-incident blog cover live operational state.
Two Anycast Networks — EU and Global
DNScale operates two distinct anycast networks, each with its own Autonomous System (AS) number:
EU Network
The EU network originates nameserver IP space only from PoPs located in the European Union and EEA. DNScale uses EU/EEA PoP placement, direct European peering, transit selection, and BGP policy to keep European recursive resolvers on European DNScale PoPs where practical. When that routing outcome occurs, the authoritative DNS answer is computed by a European DNScale server.
BGP does not provide an end-to-end jurisdiction guarantee. Third-party networks choose their own best paths, packet paths can be asymmetric, and internet routing can change during congestion, maintenance, or incidents. The EU network is therefore best understood as EU/EEA-only authoritative serving and EU-based operational governance, not a promise that every packet path between a resolver and DNScale stays inside the EU/EEA.
The EU network is the right choice when:
- Your sector requires EU/EEA authoritative DNS serving and European operational governance (financial, public administration, energy, healthcare under NIS2)
- Your DPA requires European processing of authoritative DNS query handling
- You operate under EU competition or sovereignty mandates
For the operational details — nameserver hostnames, routing policy, regional behaviour — see DNS Delegation for DNScale Regions.
Global Network
The Global network announces a separate set of nameserver IP space from PoPs distributed across multiple continents. It is designed for low-latency worldwide resolution, with presence in North America, South America, Europe, the Middle East, Africa, Asia, and Oceania as the network expands.
Customers that aren't subject to EU-jurisdictional constraints — or that have customers worldwide — typically use the Global network or the combined EU_GLOBAL nameserver set, which prefers EU PoPs for European resolvers and falls back to global PoPs everywhere else.
How a query flows
A typical query path on the EU network:
- Resolver sends UDP/53 query to one of DNScale's EU nameserver IPs (e.g., ns1.dnscale.eu).
- BGP routes the query to a European PoP: the nameserver prefix is advertised from participating EU PoPs under DNScale's EU AS, and the resolver network's routing policy and topology determine which PoP receives it.
- The PoP's authoritative server responds with the cached, signed answer.
- RTT for cached answers is dominated by network RTT and is typically low within Europe when the resolver reaches a well-peered European PoP.
For the architecture in detail, see Global DNS Resolution Balancing and What is an Anycast DNS Network?.
Network Footprint
DNScale's PoPs are located in metros chosen for IXP density, eyeball-network proximity, and regulatory clarity. The current set spans:
- European metros: Frankfurt, Amsterdam, London, Paris, Madrid, Milan, Stockholm, Warsaw (and continuing expansion)
- Global metros: New York, Ashburn, San Francisco, São Paulo, Singapore, Tokyo, Sydney (Global network)
Live status, including any PoP under maintenance or in planned expansion, is on the DNScale Network page.
Peering
DNScale peers directly at the major European IXPs:
- DE-CIX Frankfurt — Europe's largest IXP, anchor for our German and broader continental presence
- AMS-IX Amsterdam — primary Dutch and northwestern European exchange
- LINX London — UK and northwestern European reach
- Additional regional IXPs as PoP expansion warrants
Direct peering with major European ISPs and content networks shortens the query path for residential and enterprise eyeball traffic, reduces dependency on transit for directly peered paths, and provides BGP signal we control directly during incident response.
The Global network peers at strategic IXPs in each continent: Equinix metro IXPs in North America, the LACNIC-region exchanges in South America, and Asian and Oceanian exchanges as the global footprint grows.
AS Numbers and Public Verification
DNScale operates under its own AS numbers — one for the EU network and one for the Global network. AS-level operation (rather than running as a tenant inside a larger provider's AS) gives us:
- Direct BGP control for our anycast announcements
- Independent auditability through RIPE NCC, public looking glasses, and route registries
- Withdrawal-based incident response — we can withdraw an unhealthy PoP from BGP within seconds without coordinating through an upstream
The AS numbers are published on our Network page and verifiable via standard tools (whois -h whois.ripe.net AS{N}, bgp.tools, RIPE Stat). Announced prefixes and AS-level reachability are public information by design — that's how the routing system works.
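The origin check described above, as an added example (not DNScale's own tooling): given the prefixes each AS announces, as reported by a route-data source, it confirms that every nameserver address is covered by a prefix originated by the expected AS. The AS numbers, prefixes, hostnames and addresses are constructed documentation values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: documentation ASNs (RFC 5398) and prefixes
# (RFC 5737 / RFC 3849) standing in for what a route-data source reports.
ANNOUNCED = {
    64496: ["192.0.2.0/24", "2001:db8:53::/48"],  # hypothetical "EU" AS
    64497: ["198.51.100.0/24"],                   # hypothetical "Global" AS
}
# Constructed nameserver set that is expected to sit entirely in AS64496.
NAMESERVERS = {
    "ns1.example.net": ["192.0.2.53", "2001:db8:53::1"],
    "ns2.example.net": ["198.51.100.53"],
    "ns3.example.net": ["203.0.113.53"],
}

def origin_of(addr, announced):
    """Return (asn, network) for the most specific covering prefix, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for asn, prefixes in announced.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if net.version != ip.version or ip not in net:
                continue
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (asn, net)  # longest match wins, as in routing
    return best

def audit_nameservers(ns_addrs, expected_asn, announced):
    """Map (hostname, address) to 'ok', 'wrong-origin:AS<n>' or 'unannounced'."""
    findings = {}
    for name, addrs in ns_addrs.items():
        for addr in addrs:
            hit = origin_of(addr, announced)
            if hit is None:
                findings[(name, addr)] = "unannounced"
            elif hit[0] != expected_asn:
                findings[(name, addr)] = f"wrong-origin:AS{hit[0]}"
            else:
                findings[(name, addr)] = "ok"
    return findings

if __name__ == "__main__":
    for key, verdict in audit_nameservers(NAMESERVERS, 64496, ANNOUNCED).items():
        print(key, verdict)
```

A passing result shows which AS originates the address space; it does not show which PoP answered a given query or the path the packets took.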
Compliance and Certifications
DNScale's compliance posture is built around current obligations and the certification roadmap:
GDPR
DNScale processes DNS query metadata as a data processor for customers; the legal frameworks, DPA terms, subprocessor register, and processing-purpose disclosures are published for procurement review. Notable choices:
- Authoritative DNS query handling on the EU network is served from EU/EEA PoPs in normal operation
- Subprocessor list is published and updated; customers are notified before changes
- Data subject access requests are supported through the standard contact channel
- Tax and billing data flow through Stripe, an EU-active payment processor
NIS2
NIS2 names DNS providers explicitly in Annex I as essential entities. DNScale tracks the relevant national supervisory regime for its Estonian EU domicile as member-state transposition and guidance evolve. The NIS2 and DNS guide covers the directive in detail; our specific posture:
- Documented Article 21 risk-management measures (incident handling, cryptography, supply-chain controls)
- Incident-response workflow designed to support applicable 24h / 72h / 1-month reporting timelines where legal thresholds are met
- DNSSEC support with modern algorithms and HSM-backed key storage
- MFA on operator and customer interfaces, scoped API keys, full audit logs, and identity-control patterns such as SSO in enterprise due diligence
- Multi-region anycast for resilience; multi-provider readiness via Terraform / DNSControl
ISO 27001
DNScale is pursuing ISO 27001 certification and uses ISO 27001 (Information Security Management Systems) as the reference framework for its information-security management system. DNScale is not ISO 27001 certified today. Until certification is complete, customers should treat ISO 27001 references as alignment and in-progress evidence, not a certificate-backed assurance. ISO 27001 controls can support NIS2 Article 21 evidence, but customer compliance depends on their own scope and legal assessment.
Other certifications
Additional industry certifications (PCI DSS, HIPAA, SOC 2 Type II) are pursued in line with customer demand. Current status is published on the website and updated as audits complete. If a specific certification is a contractual requirement for your sector, contact us to discuss timing.
Security Posture and Public Artefacts
DNScale publishes the conventional public security artefacts:
- security.txt at /.well-known/security.txt — vulnerability disclosure email and disclosure policy
- Security contact page at /security — PGP publication status and reporting instructions
- Vulnerability disclosure policy documenting scope, expected response times, and safe-harbour provisions for good-faith research
- Post-incident reports published on the blog when significant incidents occur (real, technical, accountable)
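A due-diligence check for the security.txt artefact listed above, as an added example that is not part of the original page: it parses a security.txt body and reports missing or stale fields against RFC 9116, which requires Contact and a single, unexpired Expires. The sample file, its address and URL, and the function names are constructed.

```python
from datetime import datetime, timezone

# Constructed sample file; the address and URL are placeholders.
SAMPLE = """\
# Constructed example
Contact: mailto:security@example.net
Expires: 2026-12-31T23:59:59Z
Policy: https://example.net/security/policy
"""

def parse_security_txt(text):
    """Collect fields as {lowercased-name: [values]}, skipping comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def audit_security_txt(text, now):
    """Return findings for a security.txt body, judged at aware datetime `now`."""
    fields, findings = parse_security_txt(text), []
    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("missing Contact (required)")
    for c in contacts:
        if not c.startswith(("mailto:", "https://", "tel:")):
            findings.append(f"Contact is not a mailto/https/tel URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when <= now:
                findings.append("Expires is in the past; file is stale")
        except (ValueError, TypeError):  # malformed, or no UTC offset
            findings.append("Expires is not a valid date-time with offset")
    if "policy" not in fields:
        findings.append("no Policy field (optional in RFC 9116)")
    if "encryption" not in fields:
        findings.append("no Encryption field (no PGP key advertised)")
    return findings

if __name__ == "__main__":
    for finding in audit_security_txt(SAMPLE, datetime.now(timezone.utc)):
        print(finding)
```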
We treat public post-incident transparency as load-bearing for trust. When we mess up, we say what happened, why, what we changed, and what customers should do. That accountability is in lieu of named-engineer bylines on technical content — see the EEAT discussion below.
Operational transparency over personal bylines
DNScale does not publish individual author or reviewer bylines on its Learning and blog content. Authority and trust at DNScale are built at the organisational level — through:
- The public network footprint that anyone can verify via BGP
- Public security artefacts, audit-ready documentation, and certification status updates
- Detailed, technical post-incident reports
- Specific, accountable status communication
- This page — operational facts, not marketing claims
We think this is a better trust signal for an infrastructure provider than personal bios would be. The work speaks for itself; the operations are auditable; the incidents are publicly handled.
EU Operating Model
DNScale's EU operating model is built around three principles:
1. Estonian EU domicile and governing law
DNScale operates through DNScale OÜ, a company registered in Estonia. Customer contracts use Estonian governing law and dispute resolution as specified in the Terms of Service, with EU data-protection frameworks applying to relevant processing. This can make due diligence simpler for in-scope customers by giving them a clearer jurisdictional and GDPR-aligned operating model.
2. EU authoritative serving as a deliberate option
The EU anycast network exists so customers can keep authoritative DNS serving and operational governance in European jurisdictional space when they need to. Internet routing still depends on third-party networks, so this is an authoritative-serving and governance option rather than an end-to-end packet-path guarantee. Choose the EU network if you need European serving locations, the Global network if you need worldwide low latency, and the combined EU_GLOBAL set if you need both with EU-preferred routing.
3. Engineering operations independent of any larger group
DNScale is an independent provider — not part of a larger telecom, hyperscaler, or holding group. Engineering, on-call, and incident response are run by the DNScale team. This means our incentives and our customers' incentives align directly: when DNS is broken, the same people who built the system are the ones answering the page.
Where to Look Next
- DNScale Network page — live PoP status, BGP announcements, capacity claims
- DNScale Status page — real-time operational status
- Privacy Policy — full GDPR disclosure
- Data Processing Agreement — GDPR processor terms and signing request
- Subprocessors — public provider register
- Terms of Service — contract framework
- Pricing — plans, PAYG, and what's included
- Blog — release notes, post-incident reports, technical writing
- security.txt — vulnerability disclosure
Related Reading
- NIS2 and DNS Compliance — regulatory mapping for in-scope entities
- Best EU DNS Providers — evaluation framework
- GDPR-Compliant DNS Providers — adjacent regulatory framing
- DNScale vs Cloudflare — EU jurisdiction comparison
- Anycast DNS Network — how the underlying network works
- Global DNS Resolution Balancing — how queries are steered to the closest PoP
Frequently asked questions
- Where is DNScale legally domiciled?
- As of 2026-06-06, DNScale operates through DNScale OÜ, a company registered in Estonia. Customer contracts use Estonian law, with EU data-protection frameworks and applicable EU customer protections. That can simplify contracts, data-protection review, and supervisory-authority mapping for customers that need European operational governance. Customers should still verify current contracting and regulatory requirements for their sector.
- What is DNScale's AS number and why does it matter?
- DNScale operates two Autonomous Systems — one for the EU network and one for the Global network. Operating under its own AS numbers (rather than being a tenant inside a larger provider's AS) gives DNScale direct control over its own BGP announcements and peering policy. Downstream route selection remains controlled by other networks. AS numbers are the lowest-level identifier of network operators on the public internet — every AS is independently auditable through public looking-glass tools, RIPE NCC, and route registries.
- Where does DNScale peer?
- DNScale peers at major European IXPs (DE-CIX Frankfurt, AMS-IX Amsterdam, LINX London) and at strategic global IXPs serving its Global network. Direct peering with major eyeball networks (residential ISPs) and content networks reduces query latency and reduces dependency on transit providers for directly peered paths.
- What certifications does DNScale hold or pursue?
- DNScale is pursuing ISO 27001 certification and uses ISO 27001 as the reference framework for its information-security management system. DNScale is not ISO 27001 certified today. GDPR processor documentation and NIS2-aligned operational controls are published for due diligence; additional industry certifications (PCI DSS, HIPAA, SOC 2) are pursued in line with customer demand. Current public certification status is updated as audits complete.
- How does DNScale handle security incidents and vulnerability disclosure?
- DNScale publishes a security.txt at the well-known location with a vulnerability disclosure email and disclosure policy. The production PGP key will be published once the security team's real key and fingerprint are ready. Incidents that meet applicable legal reporting thresholds are handled against the relevant notification timelines, and post-incident reports are published publicly afterwards on the blog when no customer-confidential details are at stake.
- Can I use DNScale for non-EU traffic?
- Yes — the Global anycast network serves worldwide query traffic with low latency from PoPs distributed across multiple continents. The EU network is opt-in for customers who want EU/EEA authoritative serving and European operational governance; everyone else gets the Global network or the EU_GLOBAL combined set automatically.