aigw
← Back

Migrate from Hetzner DNS to aigw

Hetzner DNS Console is free but unmanaged. If you've outgrown it, here's the move. Domain registration stays wherever it is, only DNS hosting moves.

Why people leave Hetzner DNS

Hetzner DNS Console is genuinely fine for plain zones. The reasons to leave usually come down to one of:

  • You want failover, weighted, or geo routing. Hetzner is plain authoritative; no GSLB.
  • You want query analytics, top names, country breakdowns, latency percentiles. Hetzner shows you zone metadata and that's it.
  • You want hijack monitoring, query firewalls, or per-API-key IP restrictions.
  • You're consolidating providers and want a real status page + support that isn't shared with their VM business.

If none of those apply, free Hetzner DNS is hard to beat. If at least one does, read on.

Step 1: Export your zone

Hetzner DNS Console has a real zonefile export, one of its nicer features.

  1. Log in to dns.hetzner.com.
  2. Click your zone → top right → Export Zone File.
  3. You get a standard BIND zonefile ($ORIGIN example.com. at the top, one record per line). Save it locally, you'll paste from this in step 3.

If you'd rather use the API: curl -H "Auth-API-Token: $TOKEN" https://dns.hetzner.com/api/v1/zones/$ZONE_ID/export returns the same zonefile.

Step 2: Lower NS TTL at Hetzner (T-1 day)

Hetzner publishes apex NS records with a default TTL of 86400 (1 day). You can edit it in the console: Hetzner zone → NS records (the apex ones, type NS) → set TTL to 300 → Save.

Wait at least 24h after lowering NS TTL before doing the cutover. Resolvers that cached the old 1-day TTL need that time to expire.

Step 3: Build the parallel zone in aigw

Sign in to console.aigw.app → New zone → enter your domain. Then for each record in the Hetzner zonefile, create the matching record in aigw with the same value and TTL. Skip the apex NS records, aigw publishes ns1/ns2.aigw.app automatically.

For larger zones, the aigw Terraform provider can read your records from variables or generate them from a BIND zonefile via named-checkzone. Faster than clicking through 50 records.

Step 4: Verify both providers agree

Hetzner's nameservers are hydrogen.ns.hetzner.com, oxygen.ns.hetzner.com, helium.ns.hetzner.de. 

# Hetzner
dig @hydrogen.ns.hetzner.com www.example.com A

# aigw
dig @ns1.aigw.app www.example.com A

Answers should match. Fix any drift in the aigw zone before proceeding.

Step 5: Flip the registrar

Hetzner DNS Console is not a registrar, your domain lives somewhere else (IONOS, Namecheap, Porkbun, GoDaddy, etc.). Go to that registrar, find the nameserver settings for your domain, and change them to: 

ns1.aigw.app
ns2.aigw.app

With the short NS TTL set in step 2, propagation to public resolvers takes 30–60 min. The aigw workspace shows the zone going Active on first real query.

Step 6: Decommission Hetzner

Wait 48h. Check the Hetzner DNS Console, its query graph should show traffic dropping to near-zero. Once it's quiet, delete the Hetzner zone (or leave it; it's free).

Questions or stuck?

Email hello@aigw.app. Usually responds within a day.