One.com operates a large DNS setup that handles thousands of queries per second, larger than what some TLD operators run. We follow technical best practices and take pride in delivering a state-of-the-art service.
Security and Stability
The DNS platform is classified as critical infrastructure, and is therefore subject to the EU Network Information Security (NIS) directive. We take this responsibility very seriously and have a dedicated security team that ensures we have the best possible security at one.com.
Advanced DNS control panel
We offer an advanced but easy to use DNS administration panel. You can find it in the one.com control panel under "DNS Settings" on the "Advanced settings" tile. Check our guide for an overview of available DNS records.
24/7 operations and specialist teams
Keeping services available is at the core of one.com. Without online services, there is no one.com. That's why we always have people at work every day, all year round - both in support and operations. Behind our DNS infrastructure is a strong team of experts from across group.one brands.
Anycast DNS servers
At one.com, we operate our own network allowing us to be very flexible when it comes to traffic engineering, enabling us to run a stable DNS service.
Servers are distributed in eight different data centers across seven different countries in Northern and Central Europe. We use Border Gateway Protocol (BGP) anycast technology to distribute the traffic to the servers. This way, most users connect to the server that is closest (network-wise) to where they connect to the Internet.
We currently host over 1 million domains that are DNSSEC signed, enhancing security for DNS users. Our goal is to support the latest DNSSEC technology whenever technically possible. Currently, we use algorithm 13 (ECDSA Curve P-256 with SHA-256). We have previously performed a secure key rollover using double signing from older DNSSEC algorithms for a huge number of domains.
Tip: Check this article if you want to learn more about what DNSSEC is and why it's important.
DANE for email servers
As of February 2022, one.com is the world's largest email hosting provider to provide DANE (DNS-based Authentication of Named Entities) authenticated email delivery. All hosted DNSSEC-signed domains using one.com mail services automatically get TSLA records on MX servers.
A strong team of DNS experts
We have a strong team of DNS experts that was recently joined by Peter Larsen - the founder of GratisDNS - as well as experts from our other brands: Syse, Digital Garden, Hostnet, Antagonist and Zoner. It's hard to imagine a better team than this!
Our DNS service supports secondary DNS, often used for a hidden primary. You must allow AXFR requests from axfr.one.com (22.214.171.124), which is also the server you should NOTIFY when you update your zones.
An example: group.one
We are so confident about our hosting platform that we host our group.one domain. Please take a look at https://group.one, and make sure to check out the state of DNSSEC on it, too.
At the beginning of 2022, we will start migrating GratisDNS customers to the one.com DNS platform. You can read more about it in our migration FAQ.
Additionally, here is detailed information about more advanced scenarios related to the migration.
We will migrate existing DNSSEC keys to the one.com DNS platform but won't automatically enable DNSSEC for other domains.
In the future, customers can enable DNSSEC in the one.com control panel. Additionally, for domains where one.com runs primary DNS and can upload updated DS records, we plan to gradually update DNSSEC keys to algorithm 13.
Enabling secondary DNS
We will import the zones from GratisDNS, but customers must update their config too.
During the transition period, we suggest that customers allow AXFR from both axfr.gratisdns.dk (126.96.36.199) and axfr.one.com (188.8.131.52), and notify both servers. The ability to change the IP of the primary server will be added to the one.com control panel as soon as possible.