Product Guide
DNS Providers

DNS Providers

DNS providers let OEC.sh manage domain records on your behalf. Instead of manually creating A records every time you add a domain to an environment, the platform does it automatically through your DNS provider's API.

This is especially useful if you manage multiple environments across multiple domains. Connect once, and every new domain assignment is handled in seconds.

DNS management requires a Pro plan or higher. Pro plans support up to 10 DNS zones. Agency plans have no zone limit.

Supported Providers

ProviderCredentials Required
CloudflareAPI Token
AWS Route 53Access Key ID, Secret Access Key, Region
Azure DNSSubscription ID, Resource Group, Tenant ID, Client ID, Client Secret
Google Cloud DNSProject ID, Service Account JSON
DigitalOceanAPI Token
Hetzner DNSDNS Console API Token

Each provider works the same way once connected: OEC.sh reads your DNS zones, lets you pick which ones to manage, and creates or deletes records as you add or remove domains from environments.

Quick Setup from Cloud Accounts

If you have already connected a cloud account (AWS, Cloudflare, DigitalOcean, Azure, or Google), you can set up DNS in a few clicks.

  1. Go to Settings > DNS Providers tab
  2. Look for Quick Setup from Cloud Accounts
  3. Click the cloud account you want to use
  4. Select a zone (domain) from the list pulled from your account
  5. Optionally enable Wildcard SSL (see Wildcard SSL below)
  6. If enabling wildcard SSL, enter a subdomain prefix (e.g., apps)
  7. Click Create

That is it. The DNS provider is ready and you can start assigning domains to environments.

Quick Setup reuses the credentials from your cloud account. You do not need to enter API tokens again.

Manual Setup

For providers not connected as cloud accounts, or when you want to use different credentials for DNS than for compute:

  1. Go to Settings > DNS Providers tab
  2. Click Add Provider
  3. Select your provider from the dropdown
  4. Enter the credentials listed in the table above
  5. Click Verify & Fetch Zones -- the platform tests the credentials and retrieves your DNS zones
  6. If verification succeeds, click Create Configuration

If verification fails, double-check your credentials. The most common issue is using a token with insufficient permissions (the token needs read and write access to DNS records).

Provider Credentials Detail

Cloudflare

Create an API token at dash.cloudflare.com/profile/api-tokens (opens in a new tab). The token needs Zone:DNS:Edit and Zone:Zone:Read permissions.

You can scope the token to specific zones or give it access to all zones in your account.

AWS Route 53

Use an IAM user or role with the AmazonRoute53FullAccess policy (or a scoped-down policy that allows route53:ChangeResourceRecordSets and route53:ListHostedZones).

You need the Access Key ID, Secret Access Key, and the AWS region where your Route 53 hosted zones are managed.

Azure DNS

You need five values:

  • Subscription ID -- The Azure subscription containing your DNS zones
  • Resource Group -- The resource group where the DNS zones live
  • Tenant ID -- Your Azure AD tenant
  • Client ID -- The application (service principal) ID
  • Client Secret -- The application's secret

The service principal needs the DNS Zone Contributor role on the resource group.

Google Cloud DNS

Create a service account in your Google Cloud project with the DNS Administrator role. Download the service account key as JSON and paste it into the credentials field.

DigitalOcean

Generate a Personal Access Token at cloud.digitalocean.com/account/api/tokens (opens in a new tab) with read and write scope.

Hetzner DNS

⚠️

Hetzner has two separate services with separate tokens. Hetzner Cloud (for servers, load balancers, etc.) and Hetzner DNS Console (for domain management) are completely independent. A Hetzner Cloud API token will not work for DNS.

Get your DNS Console token from dns.hetzner.com (opens in a new tab) under API tokens. This is a different website and a different authentication system from the Hetzner Cloud Console at console.hetzner.cloud.

If you connected a Hetzner cloud account for server provisioning, that connection cannot be reused for DNS. You must add the DNS Console token separately.

Wildcard SSL

Wildcard SSL gives you a single certificate that covers all subdomains under a domain. Instead of issuing a new certificate every time you add a domain to an environment, the wildcard certificate handles them all instantly.

Setting Up Wildcard SSL

During DNS provider creation:

  1. Enable the Wildcard SSL checkbox
  2. Select the zone you want the wildcard to cover
  3. Enter a subdomain prefix (e.g., apps)
  4. The certificate will cover *.apps.your-domain.com

For an existing DNS provider:

  1. Go to Settings > DNS Providers
  2. Find your provider in the list
  3. Click Enable Wildcard SSL
  4. Select the zone and enter the subdomain prefix
  5. Click Save
  6. Click Request SSL to issue the certificate

Certificate issuance typically takes 1-2 minutes. The status indicators show:

StatusMeaning
SSL ActiveCertificate issued and working
Issuing...Certificate generation in progress
Request SSLClick to start issuance

Why Use Wildcard SSL

Without wildcard SSL, every new domain triggers a separate certificate request, which takes a minute or two and has rate limits. With a wildcard, new subdomains are covered immediately by the existing certificate.

Wildcard SSL is most useful when you have many environments under the same base domain -- for example, client1.apps.youragency.com, client2.apps.youragency.com, and so on.

Using DNS Providers with Environments

Once a DNS provider is connected, you can assign managed domains to environments:

  1. Go to your Project > Environment > Domains section
  2. Click Add Domain
  3. Select your DNS provider
  4. Pick a zone from the dropdown
  5. Enter a subdomain (or leave empty for the root domain)
  6. Choose options:
    • Automatically create DNS records -- recommended, creates the A record for you
    • Proxy through Cloudflare -- routes traffic through Cloudflare (Cloudflare only)
    • Set as primary domain -- makes this the main address for the environment
  7. Click Save

The DNS record is created within seconds. Once DNS propagates (usually a few minutes), the environment is accessible at the new domain.

When you remove a domain from an environment, the DNS record is automatically deleted from your provider.

Troubleshooting

Provider verification fails

  • Confirm the credentials have the right permissions (read and write access to DNS)
  • For Hetzner, make sure you are using the DNS Console token, not a Cloud token
  • For Google Cloud, verify the service account JSON is valid and the account has DNS Administrator role

Zones are not showing up

  • The token might be scoped to specific zones and the one you want is not included
  • For AWS, check that the hosted zone is in the region you specified
  • Try clicking Verify & Fetch Zones again

Wildcard SSL is not issuing

  • Wildcard certificates use DNS-01 validation, which requires the platform to create a TXT record in your zone
  • Make sure the DNS provider credentials allow creating TXT records
  • Check the SSL status on the DNS provider card for error messages

Domain added but not resolving

  • DNS propagation can take 5-30 minutes, sometimes longer
  • Verify the A record was created by checking your DNS provider's dashboard
  • Use dnschecker.org (opens in a new tab) to check propagation globally
CloudflareOverview