Nameservers & Domain Verification

Edge DNS uses unique nameserver pairs per account to ensure only you can add and manage your domains.

The Domain Ownership Problem

Traditional DNS services use shared nameservers (e.g., ns1.provider.com). This creates a security risk: anyone could potentially add your domain to their account if they know you're using the same provider.

Without Unique Nameservers

An attacker could add your domain to their account and intercept your traffic, read your emails, or issue fraudulent SSL certificates.

Edge's Unique Nameserver Solution

Every Edge account is assigned a unique pair of nameservers. When you add a domain, we verify that the domain's NS records point to your specific nameservers before activating the zone.

Your Unique Nameservers:

ns1-{your-id}.edge.network
ns2-{your-id}.edge.network

The {your-id} portion is a unique 6-character identifier assigned to your account.

Cryptographic Binding

Your unique nameserver pair creates a cryptographic binding between your account and your domains. No one else can use your nameservers, and no one else can add domains using your nameservers.

How Verification Works

1. You add a domain

Enter your domain name in the Edge console. The zone is created in "pending" status.

2. Update your registrar

Change your domain's nameservers at your registrar to your unique Edge nameservers.

3. We verify ownership

When you click "Verify", we query the public DNS for your domain's NS records using DNS-over-HTTPS for fresh, uncached results.

4. Zone activated

If both your nameservers are present in the response, your zone is instantly activated and begins serving DNS queries.

Technical Details

Verification Process

  • Uses Cloudflare DNS-over-HTTPS (1.1.1.1) for fresh lookups
  • Falls back to system resolver if DoH is unavailable
  • Requires both nameservers to be present
  • Case-insensitive comparison

# Check your domain's current nameservers
dig NS example.com +short

# Expected output (your unique pair):
ns1-abc123.edge.network.
ns2-abc123.edge.network.
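
The comparison rules listed above (both nameservers present, case-insensitive match), applied to a DNS-over-HTTPS JSON reply, as an added example that is not Edge's own code. It assumes the resolver answers in the `application/dns-json` shape (`Status`, `Answer[].type`, `Answer[].data`); the function names, the `abc123` id and the sample replies are constructed, and reporting extra nameservers is an added check beyond the rule the page states.

```python
import json

NS_TYPE = 2  # DNS RR type number for NS records


def normalize(host):
    """Lower-case and drop the trailing root dot so names compare exactly."""
    return host.strip().rstrip(".").lower()


def expected_pair(account_id):
    # Hostname pattern from the page: ns1-{your-id}.edge.network / ns2-...
    return {normalize(f"ns{i}-{account_id}.edge.network") for i in (1, 2)}


def check_delegation(doh_body, domain, account_id):
    """Return (verified, missing, extra) for a DoH JSON reply to an NS query."""
    reply = json.loads(doh_body)
    want = expected_pair(account_id)
    if reply.get("Status") != 0:  # non-zero RCODE, e.g. 3 = NXDOMAIN
        return False, want, set()
    seen = {
        normalize(rr["data"])
        for rr in reply.get("Answer", [])  # "Answer" is absent when empty
        if rr.get("type") == NS_TYPE and normalize(rr["name"]) == normalize(domain)
    }
    missing = want - seen  # whole-name set match, never a substring test
    extra = seen - want    # other nameservers still listed (added check)
    return not missing, missing, extra


def sample_reply(status, *ns, domain="example.com"):
    """Build a constructed DoH JSON body; sample data, not a live lookup."""
    body = {"Status": status, "Question": [{"name": domain, "type": NS_TYPE}]}
    if ns:
        body["Answer"] = [
            {"name": domain, "type": NS_TYPE, "TTL": 300, "data": d} for d in ns
        ]
    return json.dumps(body)


if __name__ == "__main__":
    cases = {
        "mixed case": sample_reply(0, "NS1-ABC123.Edge.Network.", "ns2-abc123.edge.network."),
        "one missing": sample_reply(0, "ns1-abc123.edge.network."),
        "NXDOMAIN": sample_reply(3),
    }
    for label, body in cases.items():
        print(label, check_delegation(body, "example.com", "abc123"))
```

Comparing whole normalized names as a set is what keeps a lookalike such as `ns1-abc123.edge.network.lookalike.example` from satisfying the check; a non-empty `extra` set means the registrar still lists nameservers outside the account's pair.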

Infrastructure: Wildcard DNS

To support the unique nameserver system at scale, Edge uses a wildcard DNS record for all nameserver subdomains:

# In edge.network zone:
*.edge.network. 300 IN A 185.x.x.x
*.edge.network. 300 IN A 185.x.x.y

This means any ns1-*.edge.network or ns2-*.edge.network hostname automatically resolves to Edge's DNS servers. No per-customer DNS management required.

Security Benefits

Prevents Domain Hijacking

No one can add your domain to their account because they don't have your unique nameservers.

Proof of Control

Updating nameservers requires access to your domain registrar, proving you control the domain.

Audit Trail

The unique identifier in your nameservers provides an audit trail linking domains to accounts.

Instant Verification

No waiting for TXT record propagation or email verification - just update NS and verify.

Frequently Asked Questions

Can I use the same nameservers for all my domains?

Yes! Your unique nameserver pair is assigned to your account, not to individual domains. Use the same nameservers for all domains in your Edge account.

What if verification keeps failing?

DNS propagation can take up to 48 hours. Wait a few hours and try again. If issues persist, ensure your registrar shows the correct nameservers with no typos.

Can I regenerate my nameservers?

Currently, nameserver pairs are permanent. Contact support if you believe your nameservers have been compromised.

Why two nameservers?

DNS best practices require at least two nameservers for redundancy. Both resolve to Edge's anycast network but provide failover if one is unreachable.
