Wednesday, June 24, 2026

Bunny DNS Goes Free: 200B Queries, No Bill, $1 Minimum

Bunny.net posted a short note on 24 June 2026 — written by Dejan Grofelnik Pelzel and Joe Connolly — announcing that Bunny DNS no longer charges for DNS queries. The service handles roughly 200 billion queries per month across 300,000+ domains and powers 1.5 million websites over the same anycast network Bunny documents as 119+ points of presence across 77+ countries in the CDN regions docs. Until yesterday, customers paid per query on top of a free tier; today, queries are unmetered for everyone, with a 500-domain ceiling per account and the standard bunny.net $1/month minimum that applies across the platform.

The headline is the price drop. The story is the onramp.

What Bunny actually shipped

A close read of the announcement (and the bunny.net DNS docs) shows three structural changes worth pinning:

  1. No usage fees, anywhere. The free tier of 500 domains per account is the new ceiling, not the floor. The old free tier (1 million queries per month, per the docs) is gone — replaced by unmetered queries inside the 500-domain limit. Past that ceiling you add domains; you don't add bills.
  2. A real feature set, not a teaser. DNSSEC ships with NSEC Black Lies (a privacy-preserving variant that resists zone-walking), HTTPS/SVCB and TLSA record types, and CDS/CDNSKEY for automated DNSSEC key rotation. IPv4 and IPv6 are dual-stack by default. Smart records (geo + latency routing) and health monitoring are included; the announcement is explicit that they are "not hidden behind enterprise plans."
  3. 1-Click integration with the rest of Bunny. A new auto-zone-scan reconstructs your records from common names; from there, 1-Click Acceleration spins up a CDN Pull Zone behind the records, and 1-Click Security turns on Bunny Shield (DDoS filtering, exploit blocking at the edge). DNS, CDN, and WAF are now unified in one control plane.

The first two are what a free DNS service is supposed to look like. The third is what Bunny actually wants you to notice.

Five angles that explain why this matters

1. The free tier is the front door — and the upgrade path is the product

Bunny.net is a privately held European CDN that took a single small funding round ($6M, 2022, per an HN comment by khurs). It is not in a position to subsidize 200 billion queries per month out of altruism. The economics work because DNS is the front of the funnel: every Bunny DNS customer is one API call away from a Pull Zone, one click away from Bunny Shield, and one billing cycle away from CDN egress. The $1/month minimum is the moat — it converts the "free DNS" headline into a Bunny-platform account you keep paying as your traffic grows. The query fee that just disappeared was the friction preventing the conversion, not the revenue source.

Read the announcement as a sequence: import zone → 1-Click Acceleration → CDN live → 1-Click Security → Shield active. For an existing customer, the play is to migrate DNS, not the CDN — DNS migrations are a 30-minute change with a TTL wait, CDN migrations are not. For an existing Cloudflare user, the play is the same but framed as an "additional nameserver" or "secondary" rather than a full migration. The conversion path is real but low-risk, which is exactly the profile Bunny needs. Same shape as Cloudflare's original 2014 free-DNS push — but Bunny is an EU bootstrapped competitor that needs the funnel to be self-funding, which is why the $1 minimum is the part Cloudflare never had to add.

2. The price drop closes the gap with Cloudflare — and Hetzner

Until today, the cheapest serious authoritative DNS service for a hobby project was either Cloudflare (free, gated by Cloudflare proxy semantics) or Hetzner DNS (free, no proxy, EU-only PoPs). Bunny's old free tier was 1M queries/month; its paid tier was $0.10–$0.40 per million above that. Removing that floor means Bunny DNS is now a genuine third option in a Cloudflare-vs-everyone-else two-horse race that has run for ten years. The EU angle is doing real work — Bunny operates from EU jurisdictions (Slovenia, per their company filings), and the HN comment by Lucasoato is representative of a non-trivial user segment that wants a European alternative to Cloudflare "in the light of recent developments in EU-US geopolitics." That is a procurement officer's checklist, not a marginal buyer profile.

3. NSEC Black Lies is the technical story

Buried three paragraphs down in the announcement: Bunny DNS ships DNSSEC with NSEC Black Lies, a privacy-preserving variant of the standard NSEC chain-of-denial mechanism. Standard DNSSEC authenticates your zone but, to prove that a name does not exist, it returns signed NSEC records that link one existing name to the next, which makes it trivially easy for an attacker to follow the chain and enumerate your entire domain structure (a "zone walk"). NSEC Black Lies returns plausible-looking non-existence records that cover only the queried name instead, so each denial is still verifiable but the zone is not walkable. The standard critique of DNSSEC has been the privacy tax; this is the rare DNSSEC improvement that gives you the security without paying it, and it is good to see a CDN ship it as a default rather than an enterprise add-on. Cloudflare's own blog post on NSEC Black Lies (October 2024) is a good reference.

4. The zone-file import/export bugs are the real risk

A long-running Bunny DNS user, sc6782682, warns that "the import from a zone file can drop records silently, and the export will fail to export some of your records... their import / export has issues (it also doesn't include SOA or NS records)." For a casual user, this is annoying; for anyone running a production zone with hundreds of records, it is a deal-breaker. The fix is operational: keep a BIND-format zone file as the source of truth and diff it against the imported zone before cutting over. Bunny is shipping NSEC Black Lies and SVCB records while leaving the basic zone-file round-trip fragile — reasonable evidence that the product team is shipping features faster than the operations team can keep the data plane honest.

5. The API keys are not scoped — and that is a structural gap

A second customer concern from bcye: "I wish there API Keys were scoped however so setting up continuous deployments doesn't risk your, say, MX records getting changed if the key is leaked." (Original spelling preserved.) Co-author joe-at-bunny replied that scoped keys are in discovery with no public ETA. For anyone running DNS-as-code from CI, this is the structural reason to keep your Bunny API key in a vault and rotate frequently — AWS Route53 supports IAM scoping to specific hosted zones and record types; Bunny does not yet. The vulnerability window for a leaked Bunny API key today is "anything DNS can do," not "the records I scoped to this deploy."

The original take

Free DNS in 2026 is a platform story. Bunny.net is using the $1/month minimum as a pricing funnel into a CDN + Shield bundle that competes head-on with Cloudflare in Europe, and the technical details (NSEC Black Lies, SVCB, IPv6-only origins) are the evidence of platform maturity, not the subject of the announcement. The "free" is the hook; the platform is the business. Cloudflare has been winning on technical merit; Bunny is trying to win on price-plus-jurisdiction.

The pragmatic position, if you are a developer running a personal or small-business site today: try Bunny DNS as a secondary nameserver before you migrate. The import/export bugs are real but not catastrophic if you keep your BIND file as the source of truth. The $1/month minimum is harmless if you are already on Bunny CDN; it is a friction cost if you are not. The bigger structural story — that Bunny is now a credible third option to Cloudflare in the EU — is the part to watch over the next two quarters.

What this means for you

  • If you are a hobby developer running a static site or a small SaaS: Bunny DNS is now strictly cheaper than Cloudflare for the same query volume, if you do not need Cloudflare's Workers / R2 / D1 platform. Try it as a secondary first.
  • If you are an EU company with procurement concerns about US-jurisdiction infrastructure: this is the DNS migration you have been waiting for. Plan a 30-day dual-nameserver test before cutting over.
  • If you are a platform engineer running DNS-as-code from CI: keep your Bunny API key in a vault, scope what you can at the deploy layer (record-type filters), and assume the key has full DNS write authority until Bunny ships scoped keys.
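
One way to apply the "record-type filters" advice from angle 5 and the bullet above, as an added example (not Bunny's code and not a Bunny API client): a fail-closed gate that a CI job runs over its proposed DNS changes before anything is sent with the unscoped key. The change-set format, pipeline name, policy table and `example.test` names are all assumptions made for the illustration; the gate limits what the pipeline itself can do and does not reduce what a leaked key can do.

```python
# Added example: hypothetical change-set format and policy; no provider API is called.
from fnmatch import fnmatchcase

# What each deploy job may touch (assumption: names are lower-case FQDNs).
POLICY = {
    "web-deploy": {"types": {"A", "AAAA", "CNAME"},
                   "names": ["www.example.test.", "*.preview.example.test."]},
}
# Record types that no CI job may change, whatever its policy says.
ALWAYS_DENY_TYPES = {"MX", "NS", "SOA", "DS", "CDS", "CDNSKEY"}

def check_changes(pipeline, changes):
    """Return (allowed, rejected); each rejected item carries a reason."""
    rule = POLICY.get(pipeline)
    allowed, rejected = [], []
    for ch in changes:
        name, rtype = ch["name"].lower(), ch["type"].upper()
        if rule is None:
            reason = "no policy for pipeline"
        elif rtype in ALWAYS_DENY_TYPES:
            reason = f"{rtype} is never changed from CI"
        elif rtype not in rule["types"]:
            reason = f"{rtype} not allowed for {pipeline}"
        elif not any(fnmatchcase(name, pat) for pat in rule["names"]):
            reason = f"{name} outside allowed names"
        else:
            allowed.append(ch)
            continue
        rejected.append({**ch, "reason": reason})
    return allowed, rejected

def gate(pipeline, changes):
    """Fail closed: a single rejected change blocks the whole deploy."""
    allowed, rejected = check_changes(pipeline, changes)
    if rejected:
        raise PermissionError("; ".join(r["reason"] for r in rejected))
    return allowed

# Constructed change set for the demonstration.
CHANGES = [
    {"op": "upsert", "name": "www.example.test.", "type": "A", "value": "192.0.2.20"},
    {"op": "upsert", "name": "pr-42.preview.example.test.", "type": "CNAME",
     "value": "www.example.test."},
    {"op": "upsert", "name": "example.test.", "type": "MX", "value": "10 mx.other.test."},
    {"op": "delete", "name": "api.example.test.", "type": "A", "value": ""},
]

if __name__ == "__main__":
    for item in check_changes("web-deploy", CHANGES)[1]:
        print("REJECTED", item["name"], item["type"], "-", item["reason"])
```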

What to do this week

# Sign up: bunny.net/dns. $1/month minimum applies once you add other services.

# Add Bunny as a SECONDARY nameserver alongside your current provider first.
# Route53 primary + Bunny secondary:
ns1.bunny.net  (91.200.176.1)
ns2.bunny.net  (91.200.176.2)

# Diff your zone file against Bunny's import. Look for missing SOA/NS or
# record types the importer may not understand (TLSA, SVCB, CDS, CDNSKEY).

# Swap to Bunny PRIMARY once the diff is clean. Wait one full TTL before
# removing the old provider.

# Enable DNSSEC (NSEC Black Lies is the default) and publish a DS at your
# registrar. Verify with: dig +short DS <zone> && delv <zone>
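
The pre-cutover diff recommended in angle 4 and in the checklist above, as an added example (not code from Bunny or from the original post): it compares a source-of-truth zone file with the provider's export, ignores TTL differences, and flags missing records of the types the post says the importer may drop. The zone `example.test`, all record values and the simplified one-record-per-line syntax are assumptions; a production zone with multi-line records needs a full zone-file parser.

```python
# Added example: constructed data; simplified one-record-per-line zone syntax.
RISKY_TYPES = {"SOA", "NS", "TLSA", "SVCB", "HTTPS", "CDS", "CDNSKEY"}

def parse_zone(text, origin):
    """Return {(owner, type, rdata)}; TTL and class are ignored on purpose.
    Assumes numeric TTLs, explicit owners, no multi-line or quoted-';' data."""
    origin = origin.lower().rstrip(".") + "."
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):      # comments, $ORIGIN, $TTL
            continue
        fields = line.split()
        owner = fields.pop(0).lower()
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                          # drop optional TTL / class
        if not fields:
            continue
        rtype = fields.pop(0).upper()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"            # relative name -> FQDN
        records.add((owner, rtype, " ".join(fields)))
    return records

def diff_zones(source_text, imported_text, origin):
    """Compare the source-of-truth zone with what the provider now holds."""
    src, imp = parse_zone(source_text, origin), parse_zone(imported_text, origin)
    missing = sorted(src - imp)
    return {"missing": missing, "extra": sorted(imp - src),
            "risky_missing": [r for r in missing if r[1] in RISKY_TYPES]}

SOURCE = """\
$ORIGIN example.test.
@             3600 IN SOA   ns1.example.test. hostmaster.example.test. 1 7200 900 1209600 300
@             3600 IN NS    ns1.example.test.
@             300  IN A     192.0.2.10
www           300  IN CNAME example.test.
_443._tcp.www 300  IN TLSA  3 1 1 0123abcd ; constructed digest
"""
IMPORTED = """\
example.test.     60  IN A     192.0.2.10
www.example.test. 300 IN CNAME example.test.
"""

if __name__ == "__main__":
    for rec in diff_zones(SOURCE, IMPORTED, "example.test")["missing"]:
        print("MISSING", *rec, "<-- verify by hand" if rec[1] in RISKY_TYPES else "")
```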

Disclosure

This post was drafted by a human editor using AI assistance for trend-scout (HN/dev.to front-page ranking), primary-source extraction (the bunny.net blog post and DNS docs, fetched with curl --compressed), and light copy-editing. All factual claims — 1.5M+ websites, 300k+ DNS domains, ~200B monthly queries, the 500-domain free ceiling, the $1/month minimum, NSEC Black Lies, the DNSSEC/SVCB/TLSA record types, the import/export bug report, the API-key scoping gap — are traceable to the primary sources cited below. The 119+ PoPs across 77+ countries claim is sourced from the Bunny CDN regions docs, not the announcement itself (the announcement does not state a network footprint). The quoted HN comments are verbatim from the HN thread on 24 June 2026; the cited item IDs were verified against the Algolia API. No quoted material has been paraphrased or synthesized. The blog's editorial position (the "platform, not product" framing, the EU-vs-Cloudflare comparison, the "free is the onramp" take) is the author's.

Sources
