Skip to content
Published on

Domain & DNS Providers in 2026 — Cloudflare Registrar / Porkbun / Namecheap / Quad9 / NextDNS / dnscontrol Deep Dive

🇰🇷KO🇺🇸EN🇯🇵JA
Split View필사 모드
Authors

Prologue — "Why is buying one domain this complicated?"

Until the mid-2010s, domains were simple. Buy from GoDaddy or Namecheap, use the registrar's default DNS, done. Prices were similar everywhere, and add-on options were minimal.

The 2026 landscape looks completely different. Registration (who records ownership at ICANN/registry) and DNS hosting (who answers your A/AAAA/MX/TXT records) are clearly separated, with two more axes added: public resolvers (what your device queries) and DNS-as-Code (records in git, auto-deployed). Putting each of the four with a different company has become best practice.

Pricing has also changed. The at-cost registration model Cloudflare launched in 2018 (registry wholesale price plus only the ICANN fee) became the comparison benchmark, and legacy registrars who charge margins now have to justify why you should buy the same .com from them. At the same time, new gTLDs like .ai, .dev, .io have crossed $100/year at many registrars due to geopolitical issues and registry price hikes.

And M&A reshaped the landscape. Google Domains was sold to Squarespace in 2023, and Gandi was sold the same year to Total Webhosting Solutions, then nearly doubled prices and lost the trust of long-time users. NS1 was acquired by IBM, becoming part of enterprise DNS hosting, and OpenDNS, absorbed by Cisco long ago, has drifted further from being a free consumer resolver.

This article surveys more than 10 registrars, 7 public resolvers, enterprise DNS like AWS Route 53 and NS1, IaC tools like dnscontrol and Octodns, DNSSEC adoption, and local realities in Korea (Whois, Gabia, KISA) and Japan (Onamae, Muumuu, Value Domain).

1. The 2026 Domain & DNS Map — Four Camps

Running a domain actually splits into four independent decisions.

1. Registrar — Has ICANN accreditation and registers ownership at the registry. For .com it is Verisign, .net also Verisign, .org is PIR. Registrars take domains wholesale from these registries and sell to users. Cloudflare Registrar, Porkbun, Namecheap, Spaceship, NameSilo, Hover, Hostinger, GoDaddy, Squarespace Domains, Gandi, etc.

2. Authoritative DNS hosting — Runs the nameservers that actually hold records for a domain. You can use the registrar's default DNS, but separating is common. Cloudflare DNS, AWS Route 53, NS1 (IBM), DNSimple, deSEC, Bunny DNS, ClouDNS, etc.

3. Public resolver — What your device or network asks "what is example.com?" Explicitly specifying one instead of the ISP default has become the trend. Cloudflare 1.1.1.1, Google 8.8.8.8, Quad9 9.9.9.9, OpenDNS, AdGuard DNS, NextDNS, ControlD.

4. DNS-as-Code (IaC) — Define records in yaml/JS, keep in git, deploy via CI. dnscontrol (Stack Exchange), Octodns (GitHub), Pulumi DNS, Terraform DNS providers.

In the 2010s, putting items 1 through 3 in one place was normal. In 2026, separation is the default. Registration with Cloudflare Registrar at cost, authoritative DNS at the same Cloudflare or Route 53, client resolver at 1.1.1.1 or NextDNS, changes via dnscontrol git workflow. The reason for not trusting all four to one company is simple — even if one breaks, the rest must remain alive so the domain does not die.

Separating registration and DNS is especially safe. If the registrar also holds DNS and your account gets locked, the site disappears entirely in that moment. If DNS is at another company, traffic flows even if the registrar has an incident (as long as expiry is not approaching).

2. Cloudflare Registrar — The At-Cost Standard

Cloudflare Registrar has had one promise since its 2018 launch. Zero margin. They sell at registry wholesale plus only the ICANN fee (18 cents each). If .com wholesale is 9.59,theuserpays9.59, the user pays 9.77. Renewal at the same price. WHOIS privacy free, lock free, DNSSEC free.

Two conditions. (1) You must use Cloudflare DNS. Registering only and putting DNS elsewhere is not allowed. (2) Only some TLDs are supported — about 100 popular TLDs including .com .net .org .io .dev .app. Some like .ai, .me, .co were added late, and ccTLDs like Korea's .kr or Japan's .jp are not yet supported.

Pros.

  • At-cost pricing. .com about 9.77/yr,.netabout9.77/yr, .net about 11.x, .org about $9.x. 25 to 40 percent cheaper than market average.
  • Renewal price equals first-year price. No trick of cheap first year, double on renewal.
  • WHOIS privacy free. Porkbun and Gandi also free, but many registrars charge separately.
  • Plus one extra year on transfer in, free. Standard per ICANN policy, but some registrars charge.
  • One-click DNSSEC. Automatic KSK management.

Cons / constraints.

  • DNS locked to Cloudflare. If you want to use Route 53 or NS1, go to another registrar.
  • TLD coverage is narrow. ccTLDs like .kr, .jp, .de need a separate registrar.
  • Transfer-in only for most; new registration limited to some TLDs. Available new-registration TLDs keep growing but are still limited.
  • Customer support is chat/ticket only. No phone support.

Practical flow.

1) Add the domain bought elsewhere (e.g., GoDaddy) to Cloudflare and move DNS first
2) Unlock WHOIS and transfer lock, get EPP/Auth code
3) Cloudflare dashboard -> Domain Registration -> Transfer Domains
4) Enter Auth code, one-year renewal auto-added, pay
5) Transfer completes in 5 to 7 days

New registration is also possible in the same dashboard via "Register Domains" for supported TLDs.

The reason Cloudflare Registrar became the de-facto standard in 2026 is clear — price war is meaningless. How do you sell cheaper than zero margin? Other registrars compete on value beyond price (customer support, DNS features, add-on product bundles).

3. Porkbun — Value + Free WHOIS Privacy

Porkbun is a US registrar launched in 2014 that earned the reputation in the 2020s of being "the next cheapest after Cloudflare Registrar, with broad ccTLD support."

Approximate prices in 2026.

  • .com: new 9.13,renewal9.13, renewal 11.x
  • .dev: about $17
  • .io: about $45 (.io has kept rising since 2024)
  • .me: about $13

Features.

  • WHOIS privacy permanently free. Not an option, it is the default.
  • DNSSEC free, URL forwarding free, email forwarding free.
  • Free SSL (SSL.com) — Useful in environments not using Let's Encrypt.
  • Clean API. Both dnscontrol and Octodns support it officially.
  • 600+ TLD support — Contrast with Cloudflare Registrar's roughly 100.
  • Email hosting option — Roughly $4/month per domain for IMAP/SMTP boxes.

Pros.

  • Manage TLDs Cloudflare does not handle (.ai, .me, .co, partial .kr) in the same account.
  • DNS is run in-house with rich features — ALIAS records, URL forwarding, email forwarding.
  • Various payment methods — card, PayPal, crypto (BTC/LTC).

Cons.

  • .com new is slightly more expensive than Cloudflare — margin is not zero.
  • Renewal price is higher than new — not flat like Cloudflare.
  • No Korean / Japanese UI, English only.

The reason Porkbun is attractive to indie developers boils down to one thing. "You can buy almost all TLDs from one registrar at similar prices, with free WHOIS, DNSSEC, and email forwarding bundled." Cloudflare Registrar locks DNS, but Porkbun does not, so you can move authoritative DNS to Cloudflare or Route 53 separately.

4. Namecheap + Spaceship — Longtime Favorite and New Brand

Namecheap, founded in 2000, was the most recommended GoDaddy alternative in the 2010s. The frequent question "is Namecheap actually cheap?" has the answer first year cheap, renewal average.

Approximate prices.

  • .com new: about 6(onpromotion),renewalabout6 (on promotion), renewal about 14
  • WHOIS privacy: free (since 2016)
  • DNSSEC: free
  • SSL: sold separately (PositiveSSL etc.)

Pros.

  • Familiar UI with lots of Korean-user guides.
  • Broad ccTLD coverage — .uk, .de, .es, etc.
  • Rich add-ons: hosting, email, VPN.
  • 24/7 chat support.

Cons.

  • Renewal often more than 2x of new price — be prepared to switch every 1 to 2 years.
  • Strong upsell on add-ons — SSL/backup/privacy may auto-add at checkout if you do not deselect.
  • DNS is built-in but features are average — power users use Cloudflare DNS separately.

Spaceship — Namecheap's New Brand

In 2023, Namecheap launched a new brand called Spaceship. Same company but separate infrastructure / UI / pricing policy, aimed at a younger, more developer-friendly position.

  • Pricing is similar to or slightly cheaper than Namecheap.
  • Fresh, clean UI — abandons Namecheap's legacy menu structure.
  • WHOIS privacy free, DNSSEC free.
  • Emphasizes its own DNS (Spaceship DNS) — Anycast network.
  • Integrates email, hosting, AI domain suggestions.

Reviews are mixed. Spaceship looks like "a new start solving Namecheap's old UX issues," but doubts remain about whether it is truly a separate company since the backend is Namecheap. Many people register new at Spaceship while leaving existing domains at Namecheap.

5. Gandi — TWS Acquisition (2023) Price Controversy

Gandi, founded in 1999 in France, was long beloved by European developers. "No Bullshit" slogan, free SSL, two free mailboxes, clean UI, friendly support — not cheap, but trusted.

In August 2023, Gandi was sold to Total Webhosting Solutions (TWS, Netherlands). The sale itself is common, but events in the months that followed sparked fierce backlash.

  • TLD price hikes across the board — Popular TLDs like .com nearly doubled, some ccTLDs rose even more.
  • Previously free mailboxes became paid — Sudden notification to existing free mailbox holders.
  • SSL certificate policy changes.
  • Many reports of declining customer support quality.

The result was mass departure. Hundreds of "moving from Gandi" posts appeared on Hacker News, Reddit, and many developers moved to Porkbun, Cloudflare Registrar, or deSEC (German nonprofit). Some commented "suddenly forcing higher prices on long-loyal premium users was the decisive blow to trust."

In 2026, Gandi still operates and partially adjusted prices, but once-broken trust is hard to recover. "The Gandi lesson" — when a registrar changes hands, pricing policy changes. Options like prepaying five years are a shield, but after five years another company may run things.

Alternatives.

  • Move to Porkbun or Cloudflare Registrar.
  • European nonprofit preference: deSEC (Germany, free DNS hosting nonprofit), INWX (Germany, developer-friendly).
  • ccTLD specialists: best to keep a local registrar for each ccTLD.

6. Hover (Tucows) / NameSilo / Hostinger / GoDaddy

Hover (Tucows)

Tucows' retail brand. Slogan: "Fair pricing, no upsell." Average pricing (.com about $17 renewal) but distinguished by not pushing SSL/backup/privacy at checkout. WHOIS privacy free by default.

Pros: simplicity, stable company (Tucows is one of the larger ICANN-accredited registrars), clean UI.

Cons: more expensive than Cloudflare / Porkbun. Less appealing for new users.

NameSilo

Known for near-wholesale prices. .com stays around $9.x. WHOIS privacy free, but UI feels dated. Preferred by bulk domain holders (investors, SEO operators).

Hostinger

A hosting company doing registration as a side. Hosting bundles are very cheap — buying hosting + domain + SSL in a 1- to 2-year bundle is very affordable in year one. Renewals return to normal price. Appeals to non-developers wanting hosting and domain in one place.

GoDaddy

The largest registrar in the industry. Still holds the most domains in 2026. Mixed reputation — complex UI and strong upsell, but rich stability/support/tooling. Has a large general-public user share in Korea too.

Pros: largest TLD coverage, 24/7 phone support, many add-ons (website builder, etc.).

Cons: expensive renewal, aggressive checkout upsell, separate WHOIS privacy charge, history of political controversy (2012 SOPA support and ensuing boycott).

7. Squarespace Domains (Google Domains Acquisition 2023)

In June 2023, Google announced selling Google Domains to Squarespace. About 10 million domains were automatically transferred to Squarespace. Google Domains, operated since 2015, was loved for clean UI and reasonable pricing (single $12/year for .com).

The reason for the sale was not clearly disclosed, but industry observation was "Google trimming non-core services." Another cleanup following Stadia and Google Play Music.

Changes after the move to Squarespace.

  • UI change — Integrated into the general Squarespace dashboard from Google Domains' simple screen.
  • Pricing maintained initially — At least first-year renewal guaranteed at the same price (promise at sale time).
  • Some features missing — Some Google Domains features (specific DNS options, API, etc.) were missing initially but gradually added.
  • WHOIS privacy free, maintained.

Reviews.

  • Many Google Domains users took the migration opportunity and moved to Cloudflare Registrar, Porkbun.
  • Those who stayed leverage the integration with the Squarespace builder.
  • New Squarespace registrants choose it for the builder + hosting + domain bundle appeal.

"The end of Google Domains" was a big event. Even trusted companies can shut down services, and the policies of acquired companies become unpredictable. Together with the Gandi case, it became the basis for the maxim "do not put all domains in one place."

8. DNS Resolvers — Cloudflare 1.1.1.1 / Google 8.8.8.8 / Quad9 / OpenDNS

From here on the story is unrelated to registration. Resolvers are what your device or network asks "what is the IP for this domain?" The default is usually the ISP's resolver, but explicitly specifying another has become common.

ResolverAddressNotes
Cloudflare1.1.1.1 / 1.0.0.1Fastest, privacy-focused, DoH/DoT supported
Google8.8.8.8 / 8.8.4.4Very stable, best global coverage, Anycast
Quad99.9.9.9Malware-domain blocking, Swiss nonprofit, no logs
OpenDNS208.67.222.222Cisco-owned, family filter option, separate business version
AdGuard DNS94.140.14.14Ad / tracker blocking
NextDNSper-accountCustom blocklists, logs / dashboard
ControlDper-accountSame category, more powerful policy

Cloudflare 1.1.1.1

Launched 2018. Obtained 1.1.1.1 in partnership with APNIC. Consistently top in performance benchmarks. Supports both DoH (DNS over HTTPS) and DoT (DNS over TLS). Policy of logs kept 24 hours then deleted audited by KPMG. Family-protection variants exist (1.1.1.2 malware block, 1.1.1.3 malware + adult block).

Google 8.8.8.8

Launched 2009. Oldest public resolver. Largest Anycast network. Performance is consistent and stable, but privacy policy is less strict than Cloudflare (no full log-deletion promise). Works as a default anywhere.

Quad9 9.9.9.9

Launched 2017. Malware / phishing domain blocking resolver in partnership with IBM X-Force. Operated by Swiss nonprofit (Quad9 Foundation), keeps no logs. Blocking data based on threat intelligence from 18+ security companies. Slightly slower but suited to security-first environments.

OpenDNS

Originally launched 2005 as an independent company, acquired by Cisco in 2015. A free consumer version and paid Umbrella (enterprise) split. Family filter (FamilyShield: 208.67.222.123) is a strength. Updates for consumer features stagnated after Cisco acquisition.

AdGuard DNS

Specialized in ad / tracker blocking. Two modes — "Default" (ad / tracker block) and "Family Protection" (adding adult content blocking). Free public + paid premium (personal dashboard, stronger blocking).

9. Family DNS — NextDNS / ControlD / AdGuard

Among resolvers, the category that provides family / organizational filtering and dashboards. Adoption in homes / small offices grew rapidly through 2026.

NextDNS

Launched 2019, France. Each user / org creates their own resolver profile. Choose blocklists (EasyList, AdGuard, OISD, dozens more), domain whitelist / blacklist, force safe search, SafeSearch, parental controls (age-based category blocking). Realtime query logs in dashboard. Supports both DoH and DoT.

  • Free: 300k queries / month.
  • Pro: $19.90/year (unlimited, analytics retention).

ControlD

Launched 2020. Similar concept to NextDNS but policy controls are finer. Time-based policies (block social media during work hours), location-based policies (home / office), per-device policies. Their own IPv4 Anycast and BYOIP options.

  • Free tier exists, paid from about $30/year.
  • Business plans strong — MDM / SAML.

AdGuard DNS (Pro)

Paid dashboard version offered by AdGuard. Strong in ad-blocking. Integrated with the mobile app (AdGuard for Android/iOS) for system-wide ad blocking.

Family DNS Selection Guide

  • Ad / tracking blocking only: AdGuard DNS free or Cloudflare 1.1.1.1.
  • Child protection / forced safe search: OpenDNS FamilyShield or Cloudflare 1.1.1.3 (free), then NextDNS / ControlD (paid, fine control).
  • Small org / remote-worker management: NextDNS Pro or ControlD Business.

10. AWS Route 53 / NS1 (IBM) — Enterprise DNS Hosting

Authoritative DNS hosting in enterprise environments is a different market. Core requirements differ — Anycast global coverage, 99.999%+ SLA, traffic routing policies (geo / latency / weight), Health Checks, large zones (tens of thousands of records), API / Terraform integration.

AWS Route 53

AWS DNS service. Global Anycast network, 100% SLA announced (historically near zero downtime). Pricing about 0.50/monthperzone,0.50/month per zone, 0.40 per million queries.

Features.

  • Many routing policies — Simple, Weighted, Latency-based, Failover, Geolocation, Multi-Value Answer.
  • Health Checks — endpoint monitoring then auto-exclude from DNS response.
  • Alias records — point to ELB, CloudFront, S3, API Gateway without IPs (AWS internal integration).
  • Resolver as a separate product — for in-VPC DNS resolution.
  • Domain Registration — Route 53 also registers domains (price is average).

Standard choice for enterprises. The integration with AWS infra is powerful, so nearly every company running on AWS uses Route 53.

NS1 (IBM)

Originally NS1 was a leader in traffic routing. Data-driven DNS — combining RUM, external monitoring, and internal metrics to return the best IP per user. IBM acquired in 2022, then integrated as the IBM NS1 Connect brand.

Pros.

  • Filter Chain — a very powerful response-decision policy pipeline.
  • Pulsar RUM — JS snippet to measure real user latency then feed into DNS decisions.
  • Multi-CDN usage — distribute traffic across Akamai / Cloudflare / Fastly via DNS.

Cons.

  • Expensive. Enterprise pricing.
  • Less marketing to general developers after IBM acquisition.

As alternatives, DNSimple, Bunny DNS, ClouDNS, Constellix target the mid-market. deSEC is a nonprofit offering free DNS hosting (Germany).

11. DNSSEC Adoption in 2026

DNSSEC (DNS Security Extensions) is a standard for signing DNS responses to prevent tampering. First RFC in 1997, root zone signed in the 2010s, but adoption stayed low for a long time.

In 2026.

  • TLD-level adoption is nearly 100% — all major TLDs support DNSSEC.
  • Domain-level adoption is about 5 to 10% (varies by TLD, places like .se exceed 60%).
  • Resolver-side validation is 30%+ — major public resolvers (Cloudflare, Google, Quad9) all validate.

Barriers.

  1. Key management is complex — KSK rollover, ZSK rollover, DS record registration.
  2. Misconfiguration takes the whole domain down — signature expiry, algorithm mismatch.
  3. Insufficient CDN / Cloud DNS automation — Cloudflare is one click, others manual.
  4. Low awareness — general developers do not feel the need.

Recommendations.

  • When using Cloudflare DNS / Route 53: turn it on with one click. KSK auto-managed.
  • Self-operated DNS: use OpenDNSSEC with BIND or NSD, automated key rollover.
  • DS record at the registrar is required — enter DS or DNSKEY in the registrar page.

DNSSEC alone does not block every attack. DoH/DoT (transport encryption), DANE/TLSA (cert pinning), and CAA records (cert-issuance restriction) need to come along for completeness.

12. DNS as Code — dnscontrol / Octodns / Pulumi DNS

The era of touching records by hand in a GUI is over. The flow of keeping DNS records in git, deploying via CI after PR review has been standard since the mid-2020s.

dnscontrol (Stack Exchange)

A tool Stack Exchange built for its own DNS operations. Records expressed in a JavaScript DSL.

var REG_NONE = NewRegistrar('none')
var DNS_CF = NewDnsProvider('cloudflare')

D(
  'example.com',
  REG_NONE,
  DnsProvider(DNS_CF),
  A('@', '192.0.2.1'),
  CNAME('www', '@'),
  MX('@', 10, 'mx1.example.com.'),
  TXT('@', 'v=spf1 include:_spf.google.com ~all')
)

dnscontrol preview   # preview changes
dnscontrol push      # apply

Supported providers: Cloudflare, Route 53, NS1, Google Cloud DNS, Azure, GoDaddy, Namecheap, DigitalOcean, Hetzner, Linode, Vultr, deSEC, Porkbun, and 40+ more.

Pros: multi-provider — deploy the same zone to two places at once (Cloudflare + Route 53). Active-Active DNS operations.

Octodns (GitHub)

A tool GitHub built for its zone management. Records defined in YAML.

# example.com.yaml
'':
  - type: A
    value: 192.0.2.1
www:
  - type: CNAME
    value: example.com.
'@':
  - type: MX
    values:
      - { preference: 10, exchange: mx1.example.com. }

octodns-sync --config-file config.yaml --doit

Supported providers: Cloudflare, Route 53, Azure, NS1, Constellix, DNSimple, DigitalOcean, Google Cloud DNS, OVH, PowerDNS, Hetzner, deSEC, dnsimple, and more.

Difference from dnscontrol: YAML declaration is cleaner for code review, and multi-provider support is strong, but dnscontrol's DSL is more expressive.

Pulumi DNS / Terraform DNS

General-purpose IaC tools' DNS modules. The advantage is managing in the same code as infrastructure. The downside is weaker DNS-specific niceties (multi-provider sync deploy, equivalence comparison).

Who Uses What

  • Small (~10 zones): dnscontrol — one file, clear.
  • Mid to large (dozens to hundreds of zones): Octodns — YAML is friendly to automation / validation.
  • Teams already on Terraform / Pulumi: integrate there.

13. New gTLD Explosion — .dev / .ai / .io Get Expensive

ICANN's 2012 new gTLD program launched over 1,000 new TLDs including .app, .dev, .blog, .shop. Most started cheap, but several rose sharply after 2024.

.ai — AI Boom Beneficiary

.ai is the ccTLD of Anguilla (British Caribbean island). Demand exploded with the AI boom, prices rose. About 80in2024,about80 in 2024, about 100 to $150 in 2026 (varies by registrar). Reports say the Anguilla government earns one-third of GDP just from .ai license revenue.

.io — British Indian Ocean Territory (similar trajectory to .ai)

Loved by startups / developers. From about 40in2024toabout40 in 2024 to **about 50 to $70 in 2026**. There are political issues too — the UK's decision to cede the Chagos Islands to Mauritius could affect .io's future (possibility of IANA retiring the ccTLD).

.dev — Operated by Google

A gTLD Google operates. All .dev domains are HSTS-preload enforced (HTTPS required). Pricing is stable at about $17/year. Popular for developer projects hosting.

.app — Also Google, HSTS-preload enforced

Popular for mobile app pages. Pricing around $20/year.

.com — Still the Standard

Operated by Verisign. Wholesale pricing rises periodically per the agreement with ICANN (capped at 7% per year). About $10 wholesale in 2026. At this price it is cheaper than many new gTLDs.

Cautions When Using New gTLDs

  • Renewal price often skyrockets over the first year — verify multi-year pricing before registering.
  • Some TLDs weakly recognized in email / link auto-detection — some messengers / email clients fail to detect .blog, .name etc. as links.
  • Registry risk — some new gTLDs have small operating companies, with possibility of retirement / transfer.

14. Korea — Whois, Gabia, KISA

Special features of the Korean domain market.

.kr Domain

KISA (Korea Internet & Security Agency) runs the .kr registry. All .kr domains can only be registered through KISA-certified Korean registrars — foreign registrars (Cloudflare, Porkbun, etc.) cannot directly sell .kr (some offer it via reseller).

Major Korean registrars.

  • Whois — Korean native, broad coverage from .kr to general gTLDs. Classic UI.
  • Gabia — Korea's number one domain / hosting company. Integrates domain, hosting, email, cloud.
  • Cafe24, dot Name Korea, iNames — hosting companies that also do registration.
  • Megazone — cloud-focused.

.kr Policy

  • Foreigners may register, no Korean residency required.
  • Stricter WHOIS information disclosure than other TLDs (limited options to hide some info).
  • Dispute resolution by KISA's dispute resolution committee.

When Buying Domains in Korea

  • .kr / .han-guk: Korean registrar required (Gabia / Whois recommended).
  • .com / overseas gTLDs: Korean registrars also sell but more expensive than overseas, so Cloudflare / Porkbun is better.
  • Payment: Korean registrars accept card / bank transfer / no-bankbook, overseas registrars accept card / PayPal.

KISA's Role

  • Operates the .kr registry.
  • Cybersecurity policy (Korea Internet & Security Agency).
  • KRcert (Korea CERT) — response to DNS-related cyber incidents.

DNS Hosting

Large sites typically use Cloudflare DNS or Route 53 directly. Korean native DNS hosting services exist, but global services dominate in global Anycast coverage.

15. Japan — Onamae / Muumuu / Value Domain

The landscape of the Japanese domain market.

.jp Domain

JPRS (Japan Registry Services) operates the .jp registry. .co.jp (corporation), .ne.jp (network), .or.jp (nonprofit), .ac.jp (education), .go.jp (government) — segmented second-level domains are a feature.

Major Japanese Registrars

  • Onamae.com — Operated by GMO group, Japan's number one registrar. Rich from .jp through all gTLDs. UI is mainly Japanese, some English.
  • Muumuu Domain — A subsidiary of GMO Pepabo, popular with individuals / small users. Reasonable price, familiar UI.
  • Value Domain — GMO group, popular with developer / tech users. Rich DNS features.
  • Sakura Internet — Hosting company that also offers .jp registration.

The GMO group effectively oligopolizes the Japanese domain market. Pricing is slightly higher than overseas registrars (Porkbun, Cloudflare), but .jp registration is procedurally easier via a Japanese registrar.

.jp Policy

  • Both Latin and Kanji possible (e.g., nihon.jp in Kanji).
  • co.jp can only be registered by Japanese corporations, with company-registration info verified.
  • WHOIS info is relatively strictly disclosed.

When Buying Domains in Japan

  • .jp, .co.jp: Japanese registrar required (Onamae or Muumuu).
  • .com / gTLDs: Overseas registrars (Cloudflare / Porkbun) better on price.
  • Payment: card, bank transfer, convenience store, even mobile-carrier billing — many options.

Japan's DNS / Security Trends

  • JPRS operates .jp DNSSEC signing, adoption growing gradually.
  • JPCERT/CC handles DNS-related security incidents.
  • Large enterprises / telcos run their own authoritative DNS, SMBs use registrar default DNS or Cloudflare / Route 53.

16. Who Should Choose What — Scenario-Based Recommendations

Let us group the tools by scenario.

Indie Developer, 1 to 3 Domains

  • Registration: Cloudflare Registrar (if TLD supported) or Porkbun.
  • Authoritative DNS: registrar default (Cloudflare DNS / Porkbun DNS).
  • Public resolver: Cloudflare 1.1.1.1 or Quad9.
  • IaC: GUI is fine for 1 domain, dnscontrol worth adopting from 3.

Startup, 5 to 20 Domains

  • Registration: Cloudflare Registrar + Porkbun (to cover TLDs).
  • Authoritative DNS: Cloudflare DNS (integrate with CDN/WAF) or Route 53 (AWS infra).
  • Public resolver: in-house NextDNS Pro (dashboard / control) or Cloudflare.
  • IaC: dnscontrol — git workflow essential.

Mid-Size Company, Dozens to Hundreds of Domains

  • Registration: consolidate to one or two registrars (Cloudflare Registrar + regional ccTLD registrar).
  • Authoritative DNS: Route 53 or NS1 (if traffic routing needed).
  • DNS-as-Code: Octodns or Terraform DNS module, CI/CD integration.
  • DNSSEC: enable on all domains.
  • Monitoring: DNS Spy, RIPE Atlas for external visibility.

Family / Home (Child Protection)

  • Public resolver: NextDNS or ControlD family plan.
  • Apply via router to cover all devices at home.
  • AdGuard DNS: alongside for ad blocking.

Privacy Obsessed

  • Registration: Njalla (Anguilla-based, privacy-focused) or deSEC.
  • WHOIS: unconditionally hidden (most registrars provide free).
  • Public resolver: Quad9 (no logs, Swiss nonprofit) or AdGuard DoH.
  • DoH/DoT: force DoH in browser / OS (Cloudflare WARP, etc.).

Politically Risky Content

  • Registration: ccTLDs with low censorship risk (.ch, .is, .me, etc.), registrars insensitive to political pressure.
  • DNS: distributed system — registration and DNS at different companies, authoritative DNS multi-provider.
  • Backup domain secured in advance.

17. Frequently Asked Operational Questions

Q. Does moving registrars take the site down?

A. No. Registrar transfer only moves the ownership record, traffic flows if authoritative DNS stays. But if you move authoritative DNS together when changing registrars, misconfiguration can cause downtime. The order should be: DNS transfer, stabilize for a few days, then registrar transfer.

Q. Should WHOIS privacy always be on?

A. For general users, yes. You become a target of spam / phishing / social engineering. However, some ccTLDs (like .us) restrict WHOIS privacy.

Q. What is Transfer Lock?

A. An anti-hijacking device. When on, separate unlock is needed for transfer to another registrar. Keep it on normally, turn off only during transfer.

Q. What is the EPP / Auth code?

A. Authentication code needed during domain transfer. Get it from the current registrar, input at the new registrar. Must be used within a few days of issuance.

Q. How long is the recovery window after domain expiry?

A. Per ICANN policy, 30 days grace period (renewal at normal price), then 30 to 80 days redemption period (fee about 100to100 to 200), then release. Auto-renewal and payment-method backup are safe.

Q. How long does DNS change take to propagate (TTL)?

A. Depends on the TTL value of the record. Default is usually 300 to 3,600 seconds. Lowering TTL to 60 seconds just before change propagates faster.

Q. How do multi-provider DNS (two providers running simultaneously)?

A. Register both companies' nameservers together in the registrar NS settings, then sync-deploy the same zone to both via dnscontrol / Octodns. If one goes down, the other answers.

Q. .ai got suddenly expensive, what to do?

A. Anguilla government's pricing policy change plus rising demand. Lock with multi-year payment just before renewal, or consider alternative TLDs (.dev, .app).

Closing — Separation, Automation, Backup

If we sum up domain and DNS best practice in 2026 in one line — separate, automate, back up.

  • Separate — registration and authoritative DNS at different companies. Registration with Cloudflare Registrar / Porkbun, DNS with Route 53 / Cloudflare DNS / NS1.
  • Automate — keep DNS records in git, deploy via dnscontrol or Octodns. PR review, CI validation.
  • Back up — backup payment card, second admin account, expiry alerts at 90/60/30/15/3 days in multiple tiers.

Gandi raising prices, Google Domains being sold, NS1 being acquired by IBM — all teach the same lesson. Companies change. Policies change. If you put everything in one place, when that company changes your entire infra shakes.

There is no guarantee Cloudflare Registrar's at-cost prices will last forever. Still, if you run a separated structure, even if the registrar changes DNS lives on, even if DNS provider changes the registrar stays, even if a resolver is blocked you can pivot to another resolver. This layered defense is the core of domain operations in 2026.

References

Discuss on TwitterView on GitHub