Your domain name is the foundation of your entire online presence. Check whether its DNS delegation chain stays entirely within EU jurisdiction — from your TLD down to every nameserver in the chain.
Your domain name is the foundation of your online identity. It is your website, your email, your brand, your reputation. Every service you build, every customer who trusts you, every link that points to you — all of it depends on a single domain name. If a foreign government can seize it, they control your entire digital existence. Choosing a sovereign TLD is not a technical detail — it is a strategic decision.
Generic TLDs like .com, .net, and .org are operated by US-based registries and fall under US legal jurisdiction. This means US courts, law enforcement, and executive orders can compel the seizure or suspension of any domain under these TLDs — regardless of where the domain owner is located.
Country-code TLDs (ccTLDs) like .fr, .de, .eu, or .nl are governed by registries operating under EU or member state law. A US subpoena or executive order has no direct legal authority over these domains. Seizure requires going through local courts and EU legal processes.
Having a .eu domain is not enough. If your nameservers are hosted under a .com domain, that nameserver's domain can still be seized, effectively taking your domain offline. True sovereignty requires the entire delegation chain to stay within EU jurisdiction.
We check that the domain itself uses an EU or EU member state ccTLD (.eu, .fr, .de, .nl, .it, .es, .pl, and all 27 member states). We also flag EEA/EFTA TLDs like .no, .is, .ch which are under European but not EU law.
We resolve the domain's NS records and verify that each nameserver hostname uses a sovereign TLD. We also resolve the IP addresses of each nameserver to check whether they are physically hosted within the EU.
Like a real DNS resolver, we follow the delegation chain recursively. If your NS is ns1.hosting.fr, we check what nameservers hosting.fr uses, and so on — until we reach a glue record (when a nameserver is hosted under the domain it serves — the ideal terminal point). Every link in the chain must stay within EU jurisdiction.
We report whether the domain uses DNSSEC (cryptographic protection against DNS spoofing) and check the physical hosting location of each nameserver. A nameserver with an EU domain but a US IP address is legally sovereign but operationally exposed.
The US government has repeatedly seized
.comdomains of foreign businesses without prior notice, including online gambling sites, file-sharing services, and entities targeted by sanctions — all by leveraging jurisdiction over Verisign, the .com registry operator based in Virginia, USA.
US authorities have seized domains registered to entities in Spain, Canada, the UK, and other countries. The legal mechanism is straightforward: because Verisign (for .com/.net) and Public Interest Registry (for .org) are US entities, any domain under these TLDs is reachable by US law enforcement.
EU ccTLDs operate under a fundamentally different legal framework. AFNIC (.fr), DENIC (.de), EURid (.eu), and other EU registries answer to their respective national or EU-level regulators — not to US courts.
These are not hypothetical scenarios. US control over gTLDs has concrete, documented consequences for individuals and entire nations.
US comprehensive sanctions don't just target governments — they prevent ordinary citizens and businesses from registering any gTLD domain. The block operates at the registry level: Verisign (.com, .net) and other US-based registries are legally required to refuse domain registrations linked to sanctioned countries under OFAC regulations.
Iran (90 million people): entrepreneurs, universities, NGOs — none can register a .com. Even a European registrar cannot do it on their behalf, because Verisign itself will reject the request. Their only option is .ir.
Cuba (11 million people): under a US embargo since 1962, Cuban businesses and institutions are locked out of gTLDs entirely. A Cuban hospital or university cannot have a .org website. They are limited to .cu.
Syria (22 million people): the same OFAC comprehensive sanctions apply. Syrian civil society organizations, media outlets, and businesses cannot register gTLD domains — even those working on humanitarian aid or independent journalism are blocked at the registry level.
In all three cases, the digital identity of entire nations is constrained by the domestic policy of a single foreign country. The mechanism is not political pressure or diplomatic negotiation — it is a technical lock enforced at the infrastructure level through US control over gTLD registries.
In August 2025, the US Treasury's Office of Foreign Assets Control (OFAC) imposed sanctions on Nicolas Guillou, a French judge serving on the International Criminal Court. His name was added to the SDN (Specially Designated Nationals) list alongside Al-Qaeda members, drug cartel leaders, and Vladimir Putin.
The sanctions were imposed because Guillou was part of the pre-trial panel that approved arrest warrants against Israeli officials. As a consequence, no US entity may provide him services — this includes domain registries. Guillou cannot register a .com, .net, or .org domain. He was effectively blacklisted from the global banking system.
A sitting European judge, exercising his legal mandate under international law, is denied basic digital services because of the unilateral decision of a foreign government. This is what gTLD dependence looks like in practice.
In 2012, the US Department of Justice seized bodog.com, a Canadian-operated online gambling site, by ordering Verisign to redirect the domain. The company had no US operations — but because .com is administered by a Virginia-based company, that was enough.
The same mechanism was used to seize Megaupload.com (a Hong Kong-based company), dozens of sports streaming domains operated from Spain and other EU countries, and domain names belonging to entities later found to be acting legally in their own jurisdictions. In several cases, domains were held for over a year before being returned, with no compensation for the disruption.
A .fr, .de, or .eu domain cannot be seized this way. The legal process must go through the relevant EU or member state courts, where the domain owner has the right to defend themselves under local law.
In November 2022, the US Department of Justice seized over 200 domain names belonging to Z-Library, the world's largest shadow library. The operation targeted .org, .com, and .net domains simultaneously, redirecting them all to a DOJ seizure banner.
The site's operators were Russian nationals. The servers were hosted outside the US. The users were overwhelmingly non-American. But because every gTLD domain is technically under US registry control, the DOJ could seize them all with a single coordinated action — no foreign court involvement required.
Regardless of one's opinion on the legality of the service, this case demonstrates the sheer scale at which the US can exercise domain seizure power over gTLDs: hundreds of domains, across multiple TLDs, in a single day.
In April 2018, the FBI seized backpage.com, one of the largest classified advertising platforms in the US. The domain was redirected to a federal seizure notice, instantly making the entire platform — including all its content, user accounts, and business operations — completely inaccessible.
The seizure happened before any trial or conviction. The mechanism was the same as always: a federal court order directed at the domain's registry. The platform's entire digital existence was erased in a single action, demonstrating how a domain name is not just an address — it is a single point of failure that, when seized, takes everything with it.
DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS responses. It ensures that the answers your browser receives have not been tampered with in transit — protecting against cache poisoning and man-in-the-middle attacks.
However, DNSSEC does not protect against domain seizures. When a registry like Verisign is ordered to redirect a .com domain, the new (malicious) DNS records are signed with valid DNSSEC keys. The response is cryptographically authentic — it is just not pointing where the owner intended.
We report DNSSEC status in our checker because it is an important security layer. If your nameserver chain has a weak link (e.g. a .com intermediate), active DNSSEC on the parent domain provides a degree of mitigation — but it is not a substitute for full sovereignty. The only real protection is ensuring every link in the chain stays under EU jurisdiction.
Not all domain extensions are equal. The jurisdiction of the registry operator determines who has ultimate control over your domain.
| TLD | Registry operator | Jurisdiction | US seizure risk |
|---|---|---|---|
.com |
Verisign Inc. | United States (Virginia) | High |
.net |
Verisign Inc. | United States (Virginia) | High |
.org |
Public Interest Registry | United States (Virginia) | High |
.io |
Identity Digital (fka Donuts) | United States (ICANN contract) | High |
.co |
.CO Internet S.A.S / Neustar | United States (ICANN contract) | High |
.ai |
Government of Anguilla / offshore | British Overseas Territory | Medium |
.app .dev |
Google Registry (Charleston Road) | United States (California) | High |
.eu |
EURid vzw | European Union (Belgium) | None |
.fr |
AFNIC | France | None |
.de |
DENIC eG | Germany | None |
.nl |
SIDN | Netherlands | None |
.it |
IIT-CNR | Italy | None |
.es |
Red.es | Spain | None |
.pl |
NASK | Poland | None |
.be |
DNS Belgium | Belgium | None |
.se |
The Internet Foundation in Sweden | Sweden | None |
.no |
Norid AS | Norway (EEA) | None |
.ch |
SWITCH | Switzerland (EFTA) | None |
.is |
ISNIC | Iceland (EEA) | None |
Practical steps to achieve full DNS sovereignty for your domain.
Register your primary domain under a European ccTLD: .eu, .fr, .de, .nl, or any EU member state TLD. This is the single most important step. If you currently use a .com, keep it as a redirect but make the ccTLD your canonical domain. Your emails, your links, your brand — everything should point to the sovereign domain.
Your nameservers must also be under EU jurisdiction. We recommend Bunny DNS, a European DNS provider operated by BunnyWay d.o.o. in Slovenia. Bunny DNS supports glue records, which means your nameservers can be hosted directly under your own domain (e.g. ns1.yourdomain.eu and ns2.yourdomain.eu). Glue records are the ideal terminal point in a delegation chain — the chain ends at your own domain, with no external dependency.
A glue record tells the parent zone the IP addresses of your nameservers directly, without requiring a separate DNS lookup. When your nameservers are ns1.yourdomain.eu and ns2.yourdomain.eu, the .eu zone includes their IPs inline. This creates a self-contained delegation: no intermediate domain in the chain, no external dependency, no foreign jurisdiction involved. This is the gold standard for DNS sovereignty.
While DNSSEC does not protect against registry-level seizures, it adds an essential layer of cryptographic integrity. Enable it with your registrar and DNS provider. It ensures that DNS responses cannot be tampered with in transit — complementing your sovereignty with security.
Once everything is in place, run your domain through our checker. We will verify the entire delegation chain end-to-end: TLD jurisdiction, nameserver TLDs, glue records, chain resolution, DNSSEC status, and IP geolocation. The goal is a fully green result with no foreign dependencies anywhere in the chain.
No. The registrar is the company you pay for the domain, but the registry is the entity that controls the TLD itself. For .com, the registry is Verisign, a US corporation in Virginia. Your European registrar is just a reseller — they have no power to override a seizure order directed at Verisign. When the US government orders Verisign to redirect a domain, it happens regardless of which registrar manages it.
No. These are often marketed as "tech-friendly" TLDs, but they are not under EU jurisdiction:
.io is the ccTLD for the British Indian Ocean Territory and is now managed by Identity Digital (formerly Donuts), a US company under ICANN contract..co is Colombia's ccTLD but is commercially operated by Neustar (US) under contract with .CO Internet S.A.S..ai is Anguilla's ccTLD, a British Overseas Territory. It is not under EU or US law directly, but it has no EU legal protections either.None of these provide the legal guarantees of an EU ccTLD.
Not necessarily. A .eu domain puts your TLD under EU jurisdiction (EURid, Belgium), which is correct. But if your nameservers are something like ns1.provider.com, then provider.com is under US jurisdiction. If the US seizes or disrupts provider.com, your nameservers stop resolving and your domain effectively goes offline. This is why we check the entire delegation chain, not just the TLD.
City TLDs and other new gTLDs (like .paris, .berlin, .amsterdam, .shop, .tech) are not the same as ccTLDs. They are operated under contract with ICANN, the US-based organization that governs the domain name system. While the backend registry operator may be European (e.g. AFNIC operates .paris), the TLD itself exists under the ICANN framework. This means ICANN policies, which are governed by California law, apply. They do not offer the same legal sovereignty as a true EU ccTLD.
A glue record is a DNS record that provides the IP address of a nameserver directly in the parent zone, without requiring a separate lookup. They are required when a nameserver is hosted under the same domain it serves (e.g. ns1.example.eu serving example.eu).
For sovereignty, glue records are the ideal configuration. They mean the delegation chain terminates at your own domain: there is no intermediate third-party domain that could be seized or disrupted. The parent zone (.eu) directly contains the IPs of your nameservers. No external dependency, no foreign jurisdiction in the chain.
No. DNSSEC protects against tampering of DNS responses in transit (cache poisoning, man-in-the-middle). But when a registry is ordered to change the DNS records of a domain, the new records are signed with valid DNSSEC keys. The seizure is "authentic" from a cryptographic standpoint. DNSSEC is an important security layer, but it is not a sovereignty layer.
Not directly. AFNIC (.fr) and DENIC (.de) are governed by French and German law respectively. A US court order has no legal authority over these registries. To take action against a .fr domain, US authorities would need to go through French courts via mutual legal assistance treaties (MLATs) — a process where the domain owner has the right to be heard and to defend themselves. This is a fundamentally different level of protection compared to a .com seizure, which can happen unilaterally in hours.
These are US-based DNS providers. Even if you use a .eu domain, hosting your DNS on Cloudflare means your nameservers are typically under domains like *.ns.cloudflare.com — a .com domain under US jurisdiction. The same applies to AWS Route 53 (*.awsdns-*.com) and Google Cloud DNS (*.googledomains.com). For full sovereignty, you need a DNS provider whose nameserver domains are also under EU TLDs, or you need to use glue records under your own EU domain.
Looking for European alternatives to US-controlled services? From hosting to email, DNS to cloud — sovereign options exist.
Explore European alternatives