Multi-cloud failover, canary releases, managed TLS, per-zone insights. Terraform-first. Flat pricing. Apps in AWS, GCP, Azure, or your own colo. DNS shouldn't care which.
Check any hostname free: DNS, TLS, security, latency, scored in seconds. No signup, no card: paste any hostname.
Issue and auto-renew Let's Encrypt certificates over DNS-01 right where you run your DNS. No certbot, no second dashboard.
Every zone, record, pool, and policy is a REST call, a Terraform resource, and a CLI command. Review DNS in a PR; fail the build if it does not resolve.
Health-checked pools fail over across AWS, GCP, Azure, or your own metal before a customer ever notices the outage.
Per-zone insights (top names, country mix, latency percentiles, refused-query reasons) with sub-second propagation worldwide.
A CANARY record ramps the split on a schedule. Roll back by reverting one change.
Terraform-native. Manage zones and records in HCL, and fail the apply if DNS doesn't actually resolve to what you declared.
```hcl
resource "aigw_record" "api" {
  zone_id = aigw_zone.acme.id
  name    = "api"
  type    = "A"
  ttl     = 60
  value   = "203.0.113.10"
}

resource "aigw_test_query" "api_resolves" {
  hostname        = "api.acme.com"
  record_type     = "A"
  expected_values = ["203.0.113.10"]
  depends_on      = [aigw_record.api]
}
```

Top names, country mix, latency percentiles, refused-query reasons. Per zone, included in every plan. No log shipping, no separate billing.
Refuse queries by source IP, country, or type. Stops ANY/AXFR amplification. Locks internal zones to corp ranges. Per zone, no WAF required.
Manage your TLS where you manage your DNS, the best of both worlds. Because aigw runs both, it can do something a standalone CA can't: tell you exactly which names are exposed without TLS, and fix them.
Let's Encrypt certificates over DNS-01. No certbot, no manual TXT records. The private key is generated in your browser (or locally by the CLI) and never reaches us.
Every cert is tracked and renewed before it expires, with alerts at 30/14/7 days through your existing Slack/webhook/email channels. No 2 a.m. expiry pages.
The coverage detector lists every name that resolves to a public IP but has no covering certificate, the blind spot you only otherwise discover in production.
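A minimal sketch of the kind of check described above, as an added example (not aigw's code): it flags names that resolve to a public address but match no certificate SAN, using single-label wildcard matching. The inventory, the SAN lists and the set of ranges treated as non-public are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumption: "public" means outside these internal/special ranges. The
# documentation range 203.0.113.0/24 stands in for public addresses here.
NON_PUBLIC = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed sample inventory: hostname -> resolved addresses.
RESOLVED = {
    "api.acme.com": ["203.0.113.10"],
    "www.acme.com": ["203.0.113.20"],
    "a.b.acme.com": ["203.0.113.30"],
    "intranet.acme.com": ["10.0.4.7"],
    "acme.com": ["203.0.113.20", "2001:db8::20"],
}
# Constructed sample: SAN lists of the certificates currently tracked.
CERT_SANS = [["api.acme.com"], ["*.acme.com"]]


def is_public(addr):
    """True if the address falls outside every NON_PUBLIC range."""
    ip = ip_address(addr)
    return not any(ip.version == net.version and ip in net for net in NON_PUBLIC)


def san_covers(san, host):
    """A wildcard SAN covers exactly one extra label, never the apex."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        head, _, parent = host.partition(".")
        return bool(head) and parent == san[2:]
    return san == host


def uncovered_names(resolved, cert_sans):
    """Names with at least one public address and no covering SAN."""
    sans = [s for cert in cert_sans for s in cert]
    return sorted(
        host for host, addrs in resolved.items()
        if any(is_public(a) for a in addrs)
        and not any(san_covers(s, host) for s in sans)
    )
```

With the sample data, the apex and the two-level name are reported because `*.acme.com` covers neither of them.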
A single Terraform provider for zones, records, GSLB pools, health monitors, security policies, notification channels, and TLS certs. No second cert-issuance provider, no DNS-01 wiring, no out-of-band ACME runner.
```hcl
terraform {
  required_providers {
    aigw = {
      source  = "doon-io/aigw"
      version = "~> 0.1"
    }
  }
}

resource "aigw_zone" "acme" {
  name = "acme.com"
}

resource "aigw_pool" "api" {
  name             = "api-backends"
  selection_method = "weighted"
}

resource "aigw_record" "api" {
  zone_id = aigw_zone.acme.id
  name    = "api"
  type    = "POOL"
  ttl     = 60
  pool_id = aigw_pool.api.id
}

resource "aigw_cert" "api" {
  names = ["api.acme.com"]
}
```

Zones, records, and the GSLB pool serving traffic on top of them in one apply.
Issue and renew TLS certs in the same plan as the records they cover. aigw solves DNS-01 against the zone it already owns.
Drift detection is real: it compares what aigw is actually serving, not what a registry thinks it ought to be.
Which routing is in the box. How fast changes propagate. How many line items end up on the invoice.
| Feature | aigw | Cloudflare DNS | Route 53 | NS1 |
|---|---|---|---|---|
| Failover (active-passive pool) | Included | Load Balancer add-on | Health checks ($) | Included (Pro+) |
| Weighted pool | Included | Load Balancer add-on | Included | Included (Pro+) |
| Geo routing | Included | Load Balancer add-on | Included | Included (Pro+) |
| Canary record (timed ramp) | Included | No | No | No |
| Real-time propagation | Sub-second | ~Seconds | ~60s | ~Seconds |
| Live-dig from UI | Yes | No | No | No |
| Webhook on flap | Signed HMAC | Via Workers | Via CloudWatch + SNS | Yes |
| All GSLB routing on the starter paid plan | $29 / mo | Load Balancer plan | Pay per record + health check | Pro tier |
Last reviewed May 2026. Pricing pages move; check theirs before deciding.
Paid plans get every GSLB routing type (failover, weighted, geo, canary) plus health checks. No add-ons.
Console, REST API, Terraform, CLI: same DNS, whichever you reach for. Records live in version control, applies fail if DNS doesn't resolve to what you declared, and any zone exports to a standard BIND file the day you ask. Adopt in minutes. No lock-in, ever.
Migrating from Route 53 or NS1, evaluating for a team, or just want product updates? Drop your email. A human replies, no drip-spam.
Your email, used to reply. Nothing else.
Not here? hello@aigw.app
Create the zone in aigw with the same records first. Lower your existing zone's TTL to ~60s a day in advance so resolvers refresh quickly. Then point your registrar's NS records to ns1.aigw.app and ns2.aigw.app. Both sets of nameservers serve identical answers during overlap; once the old TTLs expire, you're fully on aigw.
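The overlap described above only works if both nameserver sets answer identically, so it is worth diffing the two zones before changing NS records. The following added example (not aigw tooling) compares two simplified zone listings and flags old-zone TTLs above the ~60s target; the one-record-per-line format and the sample records are constructed assumptions.

```python
# Constructed sample data: simplified "name ttl type value" lines,
# not a full BIND zone-file parser.
OLD_ZONE = """\
acme.com.      3600 A     203.0.113.10
api.acme.com.  60   A     203.0.113.10
www.acme.com.  60   CNAME acme.com.
acme.com.      60   MX    10 mail.acme.com.
"""
NEW_ZONE = """\
acme.com.      60   A     203.0.113.10
api.acme.com.  60   A     203.0.113.11
www.acme.com.  60   CNAME ACME.com.
"""

# Record types whose value is a hostname and so compares case-insensitively.
NAME_VALUED = {"CNAME", "NS", "MX", "PTR"}


def parse(text):
    """Return {(name, type): (set_of_values, max_ttl)} for a simplified zone."""
    rrsets = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, ttl, rtype, value = line.split(None, 3)
        rtype = rtype.upper()
        value = " ".join(value.split())
        if rtype in NAME_VALUED:
            value = value.lower()
        key = (name.lower().rstrip(".") + ".", rtype)
        values, max_ttl = rrsets.get(key, (set(), 0))
        values.add(value)
        rrsets[key] = (values, max(max_ttl, int(ttl)))
    return rrsets


def cutover_report(old_text, new_text, max_old_ttl=60):
    """List rrsets that would change or vanish after the NS switch."""
    old, new = parse(old_text), parse(new_text)
    report = {"missing": [], "mismatch": [], "ttl_too_high": []}
    for key, (values, ttl) in sorted(old.items()):
        if key not in new:
            report["missing"].append(key)      # record absent in the new zone
        elif new[key][0] != values:
            report["mismatch"].append(key)     # answers differ during overlap
        if ttl > max_old_ttl:
            report["ttl_too_high"].append(key) # resolvers will cache too long
    return report
```

An empty report on all three keys is the condition for a clean cutover; a dropped MX or a stale A record shows up here instead of as lost mail or split traffic during the overlap.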
No. aigw honors whatever TTL you set per-record. Default is 300s. Go as low as 30s for fast failover or as high as a day for set-and-forget records. Record changes reach our edge in well under a second, so TTL only gates downstream resolvers, not us.
Yes. DNSSEC signing is one click on any zone. aigw uses ECDSA P-256 (algorithm 13) and signs online at the edge, so GSLB, GEO, CANARY, and ANAME answers all sign cleanly with no extra config. We publish the DS at the apex for you to copy into your registrar, run ZSK pre-publish rollovers automatically, and protect disables with a supervised flow that waits for the parent DS to actually leave caches before unsigning, so resolvers never see SERVFAIL. KSK rollover is wizard-guided (double-DS, RFC 6781 §4.1.2). See the DNSSEC docs for the full picture.
Yes. aigw is your authoritative DNS; the registrar just points at it. The only requirement is the ability to set custom NS records on your domain, and every registrar supports this. You keep your domain wherever it is.
Yes, use an ANAME record at the apex. aigw resolves the target hostname and serves the resulting A/AAAA addresses directly, so example.com can point at a load balancer DNS name that only publishes a hostname. Sub-domains can use a normal CNAME.