Vanity Nameservers

Available on: Elite

1. What This Feature Does

Vanity Nameservers replace the default CertaDNS nameserver hostnames (ns1.certadns.com and ns2.certadns.com) with custom-branded hostnames under your own domain (e.g., ns1.yourdomain.com and ns2.yourdomain.com). DNS queries still resolve through CertaDNS's authoritative infrastructure at IP addresses 178.156.201.123 and 51.75.73.198, but the nameserver hostnames display your branding instead of CertaDNS's.

This feature requires you to configure glue records at your domain registrar that map your custom nameserver hostnames to CertaDNS's fixed nameserver IP addresses. Once verified, you can apply the vanity nameservers to any of your managed DNS zones. The nameserver delegation is displayed in your zones and in public WHOIS lookups.

2. When You Should Use It

• You operate a white-label DNS service or resell DNS hosting under your own brand and need nameserver hostnames that reflect your business identity.
• You manage DNS for multiple client domains and want consistent, professional nameserver branding across all zones.
• You require nameserver hostnames that align with corporate branding requirements for enterprise DNS infrastructure.
• You want to mask the underlying DNS provider in public WHOIS records and DNS zone delegations.

3. When You Should Not Use It

• Standard DNS hosting: If you do not require branded nameservers, the default ns1.certadns.com and ns2.certadns.com provide identical functionality without additional configuration.
• Non-Elite plans: This feature is exclusive to Elite plans. Requests from Free, Plus, or Pro accounts return a 403 error. Upgrade to Elite to enable this feature.
• Domain registrar limitations: Some registrars do not support glue record configuration or restrict nameserver hostnames to specific formats. Verify your registrar supports glue records before proceeding.
• Multiple vanity configurations: Each user is limited to one active vanity nameserver configuration. To configure a different domain, delete the existing configuration first.

4. Prerequisites

• An active Elite plan subscription. Free, Plus, and Pro accounts cannot access this feature.
• A verified domain registered with a domain registrar that supports glue record (also called host record) configuration.
• Access to your domain registrar's control panel to add glue records mapping your custom nameserver hostnames to CertaDNS's IP addresses.
• At least one managed DNS zone in CertaDNS where you want to apply the vanity nameservers.

5. How It Works (Brief)

When you configure vanity nameservers, you provide a parent domain (e.g., example.com). CertaDNS generates two nameserver hostnames: ns1.example.com and ns2.example.com. The system creates a unique 32-byte verification token and places the configuration in a pending state.

You then create glue records at your domain registrar that map these hostnames to CertaDNS's authoritative nameserver IP addresses: ns1.example.com → 178.156.201.123 and ns2.example.com → 51.75.73.198. Glue records must be configured at the registrar level, not in the DNS zone itself, because they define the IP addresses of the nameservers responsible for the zone.

After adding the glue records, you trigger verification from the CertaDNS dashboard. The system performs DNS resolution queries to confirm that both nameserver hostnames resolve to the expected IP addresses. If verification succeeds, the vanity nameserver configuration becomes active. You can then apply the vanity nameservers to any of your managed zones. The zones' NS records are updated to reference your custom nameserver hostnames, and public DNS queries for those zones will see your branded nameservers in responses.

6. How to Use It

Setting up vanity nameservers

1. Navigate to Dashboard > DNS > Vanity Nameservers.
2. If you are on an Elite plan, the setup form is displayed. If you are on a lower plan, you will see a plan upgrade prompt with a 403 error.
3. In the setup form, enter the parent domain under which your nameservers will be created (e.g., example.com). The system will generate ns1.example.com and ns2.example.com.
4. Click Setup Vanity Nameservers.
5. The configuration is created in a pending verification state. A yellow banner appears displaying the glue record instructions.

Adding glue records at your registrar

1. After setup, the pending verification panel displays instructions for the two glue records you must add:
   • ns1.example.com → 178.156.201.123
   • ns2.example.com → 51.75.73.198
2. Log in to your domain registrar's control panel (the registrar where example.com is registered, not CertaDNS).
3. Locate the section for configuring nameservers, host records, or glue records. This section may be labeled "Nameserver Management", "Host Records", "Glue Records", or "Registered Nameservers". Consult your registrar's documentation if you cannot locate this section.
4. Add two glue records:
   • Hostname: ns1.example.com, IP Address: 178.156.201.123
   • Hostname: ns2.example.com, IP Address: 51.75.73.198
5. Save the glue records. Propagation to the public DNS typically occurs within a few minutes but may take up to 24 hours depending on your registrar.

Verifying glue records

1. After adding the glue records at your registrar, return to Dashboard > DNS > Vanity Nameservers in CertaDNS.
2. In the pending verification panel, click Verify Glue Records.
3. CertaDNS performs DNS resolution for both nameserver hostnames and checks that they resolve to the expected IP addresses.
4. If verification succeeds, the panel updates to display a green success banner confirming the vanity nameservers are active. The banner shows the count of zones currently using the vanity nameservers.
5. If verification fails, an error message appears indicating the failure reason:
   • not_found: One or both nameserver hostnames do not resolve in DNS. The glue records have not propagated or were not configured correctly.
   • incorrect_ips: The nameserver hostnames resolve to IP addresses that do not match 178.156.201.123 and 51.75.73.198.
6. If verification fails, review the glue record configuration at your registrar, wait for propagation, and retry verification.

Applying vanity nameservers to a zone

1. After vanity nameservers are active, navigate to Dashboard > DNS > Zones.
2. Select the zone where you want to apply the vanity nameservers.
3. In the zone settings, locate the nameserver configuration section.
4. Select Use Vanity Nameservers and confirm the application.
5. The zone's NS records are updated to reference your custom nameserver hostnames (ns1.example.com and ns2.example.com).
6. DNS queries for the zone will now return your branded nameservers in the authority section.

Deleting vanity nameserver configuration

1. Navigate to Dashboard > DNS > Vanity Nameservers.
2. In the active vanity nameservers panel, click Delete Configuration.
3. Confirm the deletion in the dialog. This action removes the vanity nameserver configuration from your account.
4. Any zones using the vanity nameservers are automatically reverted to the default CertaDNS nameservers (ns1.certadns.com and ns2.certadns.com).
5. The glue records at your registrar are no longer used by CertaDNS but remain configured at the registrar level. You may delete them manually if desired.

7. Inputs and Settings

Generated nameserver hostnames

The system automatically generates two nameserver hostnames by prepending ns1. and ns2. to the parent domain you provide. These hostnames are fixed and cannot be customized. If you require different nameserver prefixes (e.g., dns1, dns2), this feature does not support that configuration.

Glue record IP addresses

The IP addresses for the glue records are fixed and hardcoded. They correspond to CertaDNS's authoritative nameserver infrastructure:

These IP addresses cannot be changed. Glue records configured with different IP addresses will fail verification.

8. Outputs and Results

Verification status states

API response structure

The GET /vanity-ns/status endpoint returns:

{
  "status": "active",
  "parent_domain": "example.com",
  "ns1": "ns1.example.com",
  "ns2": "ns2.example.com",
  "ns1_ip": "178.156.201.123",
  "ns2_ip": "51.75.73.198",
  "verification_token": "a1b2c3d4e5f6...",
  "zones_using": 3,
  "created_at": "2025-01-15T10:30:00Z"
}

When no configuration exists, a 404 response is returned:

{
  "error": "No vanity nameservers configured"
}

Zone NS record updates

When vanity nameservers are applied to a zone, the zone's NS records are updated from:

example.net.  3600  IN  NS  ns1.certadns.com.
example.net.  3600  IN  NS  ns2.certadns.com.

to:

example.net.  3600  IN  NS  ns1.example.com.
example.net.  3600  IN  NS  ns2.example.com.

The IP addresses that serve the zone do not change. Only the nameserver hostnames visible in DNS responses are updated.

9. How to Interpret Results

Normal

• Vanity nameservers show "Active" status with a green banner. Zones using the vanity nameservers display the custom nameserver hostnames in their NS records.
• DNS queries for zones with vanity nameservers return your branded nameserver hostnames in the authority section of the response.
• Public WHOIS lookups for zones using vanity nameservers display your custom nameserver hostnames instead of ns1.certadns.com and ns2.certadns.com.

Unexpected or worth investigating

• Pending verification status persists: Glue records have not propagated to the public DNS or were configured incorrectly. Verify the glue records at your registrar and wait for propagation (up to 24 hours). Use dig or nslookup to query the nameserver hostnames directly and confirm they resolve to the expected IP addresses.
• Verification fails with "not_found": DNS resolution for one or both nameserver hostnames returned no results. The glue records are missing or not yet propagated. Confirm the glue records are configured at the registrar (not in the DNS zone).
• Verification fails with "incorrect_ips": The nameserver hostnames resolve to IP addresses that do not match 178.156.201.123 and 51.75.73.198. Review the glue record configuration and ensure the IP addresses are entered correctly.
• Zones show default nameservers after deletion: Deleting the vanity nameserver configuration reverts all zones to the default CertaDNS nameservers. This is expected behavior. Zones continue to resolve correctly.

Common interpretation mistakes

• Confusing glue records with DNS records: Glue records are configured at the domain registrar, not in the DNS zone file. Adding A records to the DNS zone does not satisfy the glue record requirement.
• Expecting instant propagation: After adding glue records at the registrar, DNS propagation can take up to 24 hours. Verification may fail if attempted before propagation completes.
• Assuming vanity NS changes the infrastructure: Vanity nameservers only change the nameserver hostnames visible in DNS responses. The underlying IP addresses and DNS infrastructure remain unchanged.

10. Common Issues and Explanations

"Elite plan required" (403 error)

This feature is exclusive to Elite plan subscribers. Free, Plus, and Pro accounts cannot access vanity nameservers. Upgrade to Elite to enable this feature. The dashboard displays a plan upgrade prompt with pricing information.

"Vanity nameservers already configured" error when setting up

Each user account is limited to one vanity nameserver configuration. To configure a different parent domain, delete the existing configuration first using the "Delete Configuration" button in the active vanity nameservers panel, then create a new configuration.

Verification fails with "not_found" error

The nameserver hostnames do not resolve in DNS. This indicates the glue records have not been added at the registrar or have not propagated to the public DNS. Verify the glue records are configured correctly at your domain registrar (not in the DNS zone). Wait up to 24 hours for propagation. Use dig ns1.example.com and dig ns2.example.com to test resolution independently.

Verification fails with "incorrect_ips" error

The nameserver hostnames resolve to IP addresses that do not match the required values (178.156.201.123 and 51.75.73.198). Review the glue record configuration at your registrar and ensure the IP addresses are entered exactly as specified. Some registrars require separate A records in the DNS zone in addition to glue records; consult your registrar's documentation.

"No vanity nameservers configured" (404 error) when applying to zone

You must configure and verify vanity nameservers before applying them to zones. Navigate to Dashboard > DNS > Vanity Nameservers and complete the setup and verification process first.

Glue records configured but verification still fails

DNS propagation can take up to 24 hours. Wait longer and retry verification. If the issue persists, verify you configured glue records (also called host records or registered nameservers) at the registrar, not A records in the DNS zone. Query the nameserver hostnames using a third-party DNS lookup tool to confirm they resolve to the correct IP addresses from external resolvers.

Registrar does not support glue records

Some domain registrars do not provide an interface for configuring glue records or restrict glue records to specific configurations. Contact your registrar's support team to confirm glue record support. If your registrar does not support glue records, transfer the domain to a registrar that does (e.g., Cloudflare, Namecheap, GoDaddy).

"Failed to update zone" (500 error) when applying vanity nameservers

An internal error occurred while updating the zone's NS records. Retry the operation. If the error persists, contact CertaDNS support with the zone name and error details.

11. Limits and Constraints

• You cannot configure vanity nameservers with custom prefixes (e.g., dns1, dns2). The system always generates ns1 and ns2 hostnames.
• You cannot specify custom IP addresses for the glue records. The IP addresses 178.156.201.123 and 51.75.73.198 are fixed and cannot be changed.
• Deleting the vanity nameserver configuration reverts all zones using it back to the default CertaDNS nameservers immediately. This action cannot be undone.
• The parent domain must be registered with a domain registrar that supports glue record configuration. Some registrars do not provide this functionality.
• Vanity nameservers can only be applied to managed DNS zones hosted in CertaDNS. They cannot be used with external zones or zones hosted with other providers.

12. Related Features

• Managed DNS Zones — Import and manage DNS zones where vanity nameservers can be applied.
• Dynamic DNS Domains — DDNS domains created within zones using vanity nameservers will resolve through the branded nameserver infrastructure.
• SSL Certificates — Certificates issued for domains hosted on zones using vanity nameservers continue to validate correctly.
• DNS Record Management — Manage all record types (A, AAAA, MX, TXT, CNAME, NS) within zones using vanity nameservers.
• DNS Analytics — View query statistics for zones using vanity nameservers. Analytics are unaffected by nameserver branding.

13. Updates and Behavior Changes

• Vanity nameservers were introduced as an Elite-exclusive feature to support white-label DNS hosting and enterprise branding requirements.
• The glue record verification mechanism was added to prevent configuration of invalid or unreachable nameserver hostnames.
• Automatic zone reversion on configuration deletion was implemented to prevent zones from referencing non-existent nameservers after removal.