A while ago, after stopping to run my own DNS servers, I took the decision to move my DNS management to Bunny. I already used Bunny as a CDN platform, which is used on this blog to serve media, for instance, and it did a good job so far.
To simplify, as Bunny is using that currency despite being European, $ refers to USD, or United States Dollar.
Their pricing in the matter is 20 million requests free, then $0.1 per additional million queries. My domains are busy, but not that busy, so fair enough of a price.
However, when I logged in to check on some configs one day, I discovered this:
The $0.06 in CDN is normal, given my sites are fairly low traffic, there is not much content to be served. The issue is on the “DNS” line, with $0.84 consumed.
Looking into the detail, those $0.84 seems to be solely about 2.8 million “smart queries” consumed. Smart queries are billed differently, with the first million being free, then $0.3 per additional million. Smart queries are advertised as a way for users to hit the closest server on record depending on where they are.
One small issue: I do not use smart queries, yet I am being billed for those for no reason.
Raising the issue with their support yielded no results so far, so I decided to move away from Bunny for my DNS hosting. While the service was still pretty nice, I don’t want to risk being billed for stuff I do not use at all, even if the price seems low for now.
In the end, I chose deSEC as my DNS provider, a non-profit registered in Berlin providing free DNS services. As a bonus, they use fully open-source software, have Anycast, an API, Let’s Encrypt integration, and I’m still skipping over a lot of stuff.
While new accounts are limited to a single domain, their support was quick to bump the number higher for me. What also struck me in their interface is how easy setting up DNSSEC is made, just copy the two DS and DNSKEY records, paste into INWX, and done. No dance needed like on Bunny.
In any case, deSEC has been a good experience so far, and in bonus, it pushed me to enable DNSSEC on all my domains.
j@oberon ~ drill -D AAAA b.j4.lc
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 20815
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; b.j4.lc. IN AAAA
;; ANSWER SECTION:
b.j4.lc. 3595 IN CNAME blog.de.tech.j4.lc.
blog.de.tech.j4.lc. 3595 IN AAAA 2a14:7c0:7000:100:0:ffff:2d54:c509
b.j4.lc. 3595 IN RRSIG CNAME 13 3 3600 20260326000000 20260305000000 24643 j4.lc. WtKpn/tPjxK0mVrKZZUBviLPQnntKxyreWdEjQ52Nh19fUVtQ7v0IxKP78MI2QMg/fHaZv81ShhuOpr7p16BMA==
blog.de.tech.j4.lc. 3595 IN RRSIG AAAA 13 5 3600 20260326000000 20260305000000 24643 j4.lc. iNHVJSUCNlSC8QhFsdnmzbKuOGtWRWU7uDkmlnhcEatZDdi2Tfa64ZE/u4A/I5YvVKbQiKBsoNBVtQqs6Ahn1A==
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 42 msec
;; EDNS: version 0; flags: do ; udp: 512
;; SERVER: 127.0.0.1
;; WHEN: Mon Mar 16 04:46:01 2026
;; MSG SIZE rcvd: 293I can recommend donating to them since it’s a great service that remains free. Apparently, they even have some dynamic DNS that I need to look into. Maybe time to replace the good old dynv6?
Leave a Reply