DNS and cloaking: how to configure domains for maximum speed, security, and detection protection in 2026

Most operators focus their attention on the cloaker and Safe Pages but ignore what lies beneath: the DNS infrastructure and domain configuration. This is the kind of neglect that doesn’t cause immediate problems but limits speed, exposes linkable patterns between accounts, and creates failure points that only surface when the operation scales.

In 2026, DNS and domain configuration have become an integral part of the cloaking stack. Ad platforms verify DNS records, analyze domain infrastructure, and cross-reference hosting data between accounts. A poorly configured DNS adds latency to the redirect. A domain with records pointing to the same server as all your other accounts links operations that should be independent.

DNS and cloaking need to work together so that filtering is fast, domains appear independent, and the infrastructure doesn’t become the weakest link in the stack.

Why DNS configuration impacts cloaking

DNS (Domain Name System) is the system that translates the domain name (yourdomain.com) into the server’s IP address. When a visitor clicks on the ad and accesses the URL, the browser queries DNS to find out which server to send the request to. This query happens before any cloaking filter is activated.

DNS latency adds to cloaker latency. If DNS resolution takes 100ms and the cloaker takes 50ms, the total latency before the page starts loading is 150ms. On mobile traffic, this sum can mean the difference between a conversion and a bounce.

DNS records reveal infrastructure. The domain’s A, CNAME, and NS records are public. Anyone (including reviewers and detection tools) can look up which IP the domain points to. If multiple domains from different accounts point to the same IP, linking them is trivial.

DNS propagation affects availability. When you change a domain’s DNS (server switch, CDN switch), propagation can take anywhere from minutes to 48 hours depending on the configured TTL. During propagation, part of the traffic goes to the old server and part to the new one. If the old server doesn’t have the cloaker configured, traffic is left unprotected.

DNS as a single point of failure. If the DNS provider goes down, the entire domain stops working. No requests reach the server, the cloaker processes zero clicks, and campaigns get no delivery.

How to configure DNS for cloaking in 2026

Choose a DNS provider with high availability

The DNS provider needs to have 99.99% uptime or higher. Recommended providers for paid traffic operations:

Cloudflare: The most widely used in the market. Free DNS with global anycast (resolution at the server closest to the visitor), automatic SSL, and DDoS protection. Cloudflare’s DNS resolution latency is consistently below 15ms in most GEOs.

AWS Route 53: Ideal for operations already using AWS infrastructure. Supports geolocation (different DNS responses per GEO), automatic health checks, and failover.

Google Cloud DNS: A solid alternative with global anycast and high availability. Fewer features than Route 53 for conditional routing.

Avoid registrar DNS. The default DNS from registrars like GoDaddy, Namecheap, and Hostgator is slow and has low availability. Always migrate DNS to a dedicated provider.

Configure the appropriate TTL

TTL (Time to Live) defines how long DNS servers around the world keep the record cached before querying again.

Low TTL (60 to 300 seconds): allows quick server changes. If you need to switch the destination IP (server migration, CDN switch), propagation is nearly instant. The downside is that more DNS queries occur, which can add microseconds of latency.

High TTL (3600 to 86400 seconds): reduces DNS queries and improves performance but makes quick changes difficult. A server switch with a 24-hour TTL can leave part of the traffic pointing to the old destination for up to a day.

Recommendation for cloaking: TTL of 300 seconds (5 minutes) as the default. It offers good performance while allowing reasonably fast changes. Reduce to 60 seconds before any planned migration.

Isolate DNS per ad account

Each domain associated with a separate ad account should use DNS configuration that doesn’t link to the others:

Different IPs per domain: Each domain should point to a different IP. Domains sharing the same IP can be linked through any DNS lookup. If the cloaker uses a shared IP, configure the cloaking provider to assign dedicated IPs per domain.

Diversified nameservers: When possible, use different nameservers for domains on different accounts. Having all domains use ns1.cloudflare.com and ns2.cloudflare.com isn’t a critical issue (Cloudflare is used by millions of sites), but diversifying between Cloudflare, Route 53, and other providers adds an extra layer of separation.

Different registrars: For maximum isolation, register domains for different accounts at different registrars. Domains registered at the same registrar under the same administrative account can be linked.

Configure SSL correctly

SSL active on all domains. No exceptions. Domains without SSL trigger a security warning in the browser, which crawlers detect and flag.

Separate certificates per domain: Avoid wildcard or SAN certificates that cover multiple domains in a single certificate. A shared certificate technically links the domains.

Auto-renewal active: Set up automatic SSL renewal. An expired certificate takes down the Safe Page and exposes the operation during the downtime period.
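Seen from the reviewing side, the linking described in the sections above (shared A-record IPs, certificates covering several domains) is a clustering problem over public DNS and certificate data. The sketch below is an added example, not code from the original page or from any platform; the domains, IPs, and SAN lists are constructed sample data, and `link_domains` is a hypothetical helper name.

```python
from collections import defaultdict

# Constructed sample observations (documentation IP ranges, example domains).
RECORDS = [
    {"domain": "shop-a.example", "a": ["203.0.113.10"], "cert_sans": ["shop-a.example"]},
    {"domain": "shop-b.example", "a": ["203.0.113.10"], "cert_sans": ["shop-b.example"]},
    {"domain": "blog-c.example", "a": ["198.51.100.7"],
     "cert_sans": ["blog-c.example", "news-d.example"]},
    {"domain": "news-d.example", "a": ["198.51.100.99"],
     "cert_sans": ["blog-c.example", "news-d.example"]},
    {"domain": "solo-e.example", "a": ["192.0.2.55"], "cert_sans": ["solo-e.example"]},
]

def link_domains(records):
    """Cluster domains that share an A-record IP or appear on one certificate."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    by_ip = defaultdict(list)
    for r in records:
        for ip in r["a"]:
            by_ip[ip].append(r["domain"])
        # A certificate naming several observed domains links them directly.
        for san in r["cert_sans"]:
            if san in parent:
                union(r["domain"], san)
    # Domains resolving to the same IP fall into one cluster.
    for domains in by_ip.values():
        for other in domains[1:]:
            union(domains[0], other)

    clusters = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])

if __name__ == "__main__":
    for cluster in link_domains(RECORDS):
        print(len(cluster), cluster)
```

Clusters with more than one member are the linked sets; nameserver overlap is deliberately left out because, as noted above, a shared large provider is a weak signal on its own.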

Advanced configuration: DNS and CDN for cloaking

For multi-GEO operations, combining DNS with a CDN (Content Delivery Network) can significantly reduce latency:

CDN with points of presence in active GEOs. The CDN stores the Safe Page on globally distributed servers. When a reviewer or visitor accesses it, the content is delivered from the nearest server. This reduces Safe Page latency to under 50ms in any GEO.

GEO-based DNS routing. Providers like Route 53 allow configuring different DNS responses by geolocation. Traffic from Brazil can be directed to a server in South America, European traffic to a European server. This optimizes both the Safe Page and the cloaker’s processing.

Smart caching of the Safe Page. Configure the CDN to cache the Safe Page with a 1-hour TTL. Content is served from cache on most accesses, reducing the load on the origin server and improving response speed.

Cache bypass for the Money Page. The Money Page should not be cached on the CDN. Every access to the Money Page needs to pass through the cloaker for filtering to work. Configure cache rules that exclude the Money Page from caching.

DNS mistakes that compromise cloaking

  1. All domains pointing to the same IP. The most obvious and easiest-to-avoid linking method. Each domain needs a dedicated IP.
  2. Registrar DNS with high latency. Default DNS from cheap registrars can add 50 to 200ms of unnecessary latency on every request. Migrate to Cloudflare or an equivalent provider.
  3. TTL too high during migration. Switching servers with a 24-hour TTL can leave part of the traffic unprotected for up to a day. Reduce the TTL to 60 seconds at least 24 hours before any migration.
  4. Expired SSL. An expired SSL certificate takes down the entire operation on the affected domain. Renewal automation is mandatory.
  5. Legacy DNS records. A, CNAME, and TXT records pointing to old servers, deactivated CDNs, or services no longer in use create noise in the domain’s DNS profile. Clean up obsolete records periodically.

The White Rabbit: DNS infrastructure optimized for cloaking

The White Rabbit (TWR) operates with distributed infrastructure that minimizes the impact of DNS on total latency.

Global points of presence with anycast. TWR’s filtering runs on globally distributed servers with anycast routing. The DNS query directs traffic to the nearest point of presence, keeping total latency (DNS + filtering + redirect) below 50ms.

Dedicated IPs per domain. TWR assigns different IPs to each configured domain, eliminating the risk of linking through shared DNS records.

Automatically managed SSL. TWR generates and renews SSL certificates automatically for each domain, with no need for manual configuration or risk of expiration.

Compatibility with the operator’s CDN. TWR works alongside CDNs like Cloudflare, allowing the operator to maintain their own caching infrastructure while filtering happens at the cloaker layer.

DNS configuration guide for each domain. TWR’s dashboard provides specific DNS configuration instructions for each domain, including the necessary A and CNAME records, making setup easy even for operators without technical DNS experience.

Starting at US$97/month with 20,000 clicks included and a money-back guarantee if it doesn’t outperform your current solution.

The invisible infrastructure is the one that holds everything up. Poorly configured DNS is the gap nobody looks for

DNS and domain configuration aren’t topics that generate excitement in media buying meetings. But they are the invisible infrastructure on which the entire cloaking operation depends. Latency, account linking, availability, and security all pass through DNS before reaching the cloaker.

A fast, isolated, and well-configured DNS is the difference between a stack that scales without bottlenecks and a stack that loses traffic to latency, links accounts through shared IPs, and goes down entirely when an SSL certificate expires.

Take care of the foundation. Everything on top only works if what’s underneath is solid.

Talk to our team at TWR and set up your domain infrastructure for maximum speed, security, and isolation.
