fairlane.systems


DNS, CDN and WAF compared: Cloudflare, Bunny.net, Fastly, AWS CloudFront, Akamai, Gcore, Infomaniak, DNSimple

Eight serious providers for DNS, CDN, and web application firewall. Seven decision axes, one concrete recommendation per use case. As of May 2026.

Researched & fact-checked by: · As of: 2026-05

What do DNS, CDN, and WAF do?

Three layers hold the public web together. First, DNS: the phone-book function between domain names and IP addresses. Latency, availability, and DNSSEC support of the provider decide how fast and securely a visitor finds the site. Second, CDN: a distributed cache network that delivers static and partly dynamic content from the edge server nearest to the visitor. Result: shorter time-to-first-byte, less load on the origin server, often built-in DDoS protection. Third, WAF: a protective layer that checks HTTP requests against a rule set before they reach the application server - SQL injection, XSS, bot floods are intercepted here.

In May 2026 there is a clear market leader (Cloudflare), two serious mid-market challengers (Bunny.net, Gcore), one hyperscaler player (AWS CloudFront), two enterprise veterans (Fastly, Akamai), and two DNS specialists (Infomaniak, DNSimple). Anyone hosting a Swiss fiduciary or law firm site has special requirements: data and log residency in CH or at least EU, usable DDoS protection even at the free tier, DNSSEC support, and a data processing agreement basis. The list of truly fitting providers gets noticeably shorter.

We operate several mandates productively behind Cloudflare, Bunny.net, and Infomaniak DNS - the experience from each set of failure modes feeds this comparison.

Why the choice matters

Four hard realities make the choice important. First: DDoS protection in May 2026 is no longer a question of whether but how. An unprotected law firm site with a client portal is an attractive target - even a moderate bot flood can knock it offline. Cloudflare has offered unlimited volumetric DDoS protection on the free tier for years, a lonely value in the industry. Bunny.net and Gcore have since caught up.

Second: data residency. A WAF inspects HTTP bodies, meaning potentially plain-text data from forms and client logins. Routing that through a US provider creates a third-country transfer problem. Cloudflare since 2023 has a Data Localization Suite mode in which inspection and logs stay in the EU - but at a surcharge. Bunny.net (Slovenia) and Gcore (Luxembourg) are EU origin and therefore EU-compliant by default. Infomaniak is the only pure Swiss solution - DNS only, no CDN/WAF.

Third: cost. Cloudflare-Free covers 95% of SME sites. Pro tier with better WAF rules from USD 25/month. Bunny.net charges per GB of traffic (USD 0.005-0.06) - for small sites with little traffic, cheaper than any Cloudflare tier. AWS CloudFront is pay-per-GB plus per million requests, can cost cents for a blog or four figures for a video platform. Akamai and Fastly are enterprise - entry-level four to five figures per month.

Fourth: WAF rule granularity. Cloudflare offers a managed-rules library plus a WAF custom editor with Wirefilter syntax since 2024, reaching close to real application security. Fastly and Akamai are also strong here, Bunny.net and Gcore have basic WAF modules, AWS CloudFront can connect via AWS WAF - more complex configuration, but deep AWS integration in return.

The eight providers in detail

Cloudflare (proprietary, Free + Pro + Business + Enterprise): the dominant provider. Over 330 edge locations worldwide (as of May 2026), DNS, CDN, WAF, DDoS protection, Workers (serverless), Pages (static hosting), R2 (S3-compatible storage), and Tunnel (zero trust). Free tier covers surprisingly much. Pro at USD 25/month adds better WAF rules and image optimisation. Data Localization Suite (surcharge) enables EU data residency. Our default choice for most mandates.

Bunny.net (proprietary, EU origin Slovenia): the growing challenger. Very cheap per GB (USD 0.005-0.06 by region, EU around USD 0.01). Own global network, by now with 100+ POPs. Bunny Shield (WAF) is available, Bunny DNS is fast and simple, and Bunny Storage serves as an S3 alternative. As of May 2026, often the price-winning choice for smaller EU sites.

Fastly (proprietary, enterprise CDN): known for extremely fast cache invalidation (under 150 ms globally) and VCL-configurable edge logic. Very strong on e-commerce platforms with dynamic content. Pay-as-you-go price model from around USD 50/month plus per GB. Next-gen WAF via Signal Sciences acquisition is good. For SMEs more expensive than Cloudflare, but on performance-critical sites worth it.

AWS CloudFront (proprietary, pay-per-GB): hyperscaler CDN. Deep AWS integration (S3, Lambda@Edge, AWS WAF). 410+ POPs worldwide. Cost structure complex but transparent. WAF must be configured separately. Best choice when the origin is on AWS anyway - otherwise too complex for SME setups.

Akamai (proprietary, enterprise): oldest CDN provider (since 1998). Still large market share with enterprise mandates, banks, government bodies. Entry price four to five figures per month. Very good edge security (Bot Manager, Kona Site Defender). Strong on compliance topics. Usually unsuitable for SMEs, fitting for bank-grade requirements.

Gcore (proprietary, EU origin Luxembourg): like Bunny.net an EU-origin provider, but broader with own cloud platform (compute, storage, AI inference). 180+ POPs. Prices comparable to Bunny.net. WAF, DDoS protection, DNS. EU-GDPR-compliant out of the box.

Infomaniak DNS (proprietary, CH only): the Swiss hosting classic based in Geneva. Offers no classic CDN or WAF, but DNS from CH (several authoritative locations) with DNSSEC and very good latency within Switzerland. Perfect for pure Swiss-domestic sites with revDSG requirements and no global traffic.

DNSimple (proprietary, US): developer-focused DNS provider. Very cleanly designed API, domain registrar function built in, audit log. No CDN, no WAF. US-hosted, therefore limited for revDSG-strict Swiss mandates. Plans from USD 6/month for 10 domains.

Selection in six steps

  1. Estimate traffic volume: GB per month, page views, region (CH/EU/global). Small mandates (< 100 GB) benefit from Bunny.net, medium ones from Cloudflare, large maybe from Fastly/Akamai.
  2. Clarify data residency: must logs stay in CH/EU? If yes, Cloudflare only with Data Localization Suite or directly Bunny.net/Gcore/Infomaniak.
  3. Estimate DDoS protection need: client portal with login? Then at minimum enable Cloudflare-Free. Bank level? Akamai or Cloudflare Business plus.
  4. Define WAF rule needs: are managed rules enough? Cloudflare Pro is fine. Custom Wirefilter logic? Cloudflare Business or Fastly.
  5. Pick DNS provider: separating from CDN provider makes sense if vendor diversity matters. Otherwise piggyback on the CDN provider.
  6. Set up PoC: 24 to 48 hours in log-only mode, review logs, fix false positives, only then activate WAF and DDoS protection.

Recommendation by use case

SME fiduciary site, medium traffic, revDSG-strict: Cloudflare Pro plus Data Localization Suite. About USD 25/month plus surcharge for EU region. DDoS protection, WAF with managed rules, EU data residency. Setup effort: a few hours including DNS migration.

Small EU site with low traffic, price-sensitive: Bunny.net plus Bunny DNS plus Bunny Shield. At 100 GB traffic per month around USD 1, plus DNS and Shield add-on. Total under USD 10/month for a small SME site with EU origin and DDoS protection. Our hidden tip for smaller CH/EU mandates.

Purely Swiss-domestic site (law firm with only Swiss clients): Infomaniak DNS plus your own origin server WAF (e.g. ModSecurity on Nginx or a CrowdSec installation). Fully CH-only, DNSSEC included. No global CDN, but pure DSG.

Swiss mandate with global traffic (e.g. fiduciary with international clients): Cloudflare Free or Pro plus Infomaniak as origin. Cloudflare handles CDN/WAF/DDoS, Infomaniak provides origin hosting. Logs can be kept in the EU via Data Localization Suite.

Origin on AWS, AWS stack anyway: AWS CloudFront plus AWS WAF. Deep integration, pay-per-GB transparent. More complex than Cloudflare, but no second vendor relationship. Worth it when the team has AWS experience.

Performance-critical e-commerce platform with dynamic content: Fastly. Cache invalidation under 150 ms global, VCL edge logic. Entry USD 50+/month. Worth it at more than 100k page views per month and tight performance requirements.

Enterprise mandate, bank compliance: Akamai. Entry four to five figures per month. Best edge security, best compliance reports. Not for SMEs, right for bank level.

Developer-focused setup with many domains, US data OK: DNSimple. Clean API, good audit logs. Plans for DNS only - no CDN/WAF.

Anti-patterns and pitfalls

The most common mistake at smaller mandates is using no DDoS and WAF protection at all. Argument: "We are too small, no one will come anyway." Reality: law firm and fiduciary sites are targets of credential stuffing and targeted probing of client portals. Setting up Cloudflare-Free in half an hour closes that gap at no cost - no excuse.

The second common mistake is vendor entanglement. We have seen mandates with DNS at Infomaniak, origin at Hetzner, CDN at Cloudflare, and WAF additionally at AWS WAF. Four vendor relationships, four logins, four invoices - for a site that could happily run on Cloudflare alone. Consolidation here is not stinginess but operational hygiene.

The third mistake: Cloudflare-Free in production for clients with real revDSG requirements without Data Localization Suite. Cloudflare-Free routes WAF logs to the US. For a lawyer with professional-secrecy data in login forms, that is a third-country transfer problem. Solution: either buy Data Localization Suite (surcharge) or pick an EU-origin provider like Bunny.net or Gcore.

Mind DNSSEC. Cloudflare and Bunny.net now support DNSSEC (as of May 2026), AWS Route 53 also, DNSimple and Infomaniak for longer. But: DNSSEC must be enabled explicitly, often off by default. Whoever does not enable it does not get the protection.
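An added example, not from any provider's documentation: DNSSEC only protects visitors once the parent zone publishes a DS record that matches a DNSKEY in the zone, so a provider-side toggle alone is not enough. The check below classifies that state offline; the key and the domain example.ch are constructed, and only DS digest type 2 (SHA-256) is evaluated.

```python
import base64, hashlib, struct

# Constructed sample key: 64 placeholder bytes standing in for an ECDSA P-256 public key.
SAMPLE_KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())

def name_to_wire(name):
    """Canonical lower-case wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name (wire form) + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def dnssec_state(owner, ds_records, dnskeys):
    """ds_records: (key_tag, algorithm, digest_type, hex_digest) tuples from the parent zone.
    dnskeys: (flags, protocol, algorithm, pubkey_b64) tuples from the zone itself."""
    if not ds_records:
        # Without a DS at the parent, validating resolvers treat the zone as unsigned.
        return "signed-but-no-DS" if dnskeys else "unsigned"
    for key in dnskeys:
        rdata = dnskey_rdata(*key)
        for tag, alg, digest_type, digest in ds_records:
            if (digest_type == 2 and alg == key[2] and tag == key_tag(rdata)
                    and digest.lower() == ds_digest_sha256(owner, rdata)):
                return "secure"
    return "broken"  # DS published but no matching key: validating resolvers fail

def sample_ds(owner, key=SAMPLE_KSK):
    """Build the DS that would be published at the parent for the constructed key."""
    rdata = dnskey_rdata(*key)
    return (key_tag(rdata), key[2], 2, ds_digest_sha256(owner, rdata))

if __name__ == "__main__":
    ds = sample_ds("example.ch")
    for label, args in [("nothing enabled", ([], [])), ("provider toggle only", ([], [SAMPLE_KSK])),
                        ("DS published", ([ds], [SAMPLE_KSK]))]:
        print(label, "->", dnssec_state("example.ch", *args))
```

In practice the two input lists come from a DS query against the parent zone and a DNSKEY query against the zone's own name servers.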

Last pitfall: WAF default rules sometimes block legitimate requests (for instance an internal tool sending unusual headers). Before a production rollout, always run in "log-only" mode for 24 to 48 hours, review logs, then activate.
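The log review from step 6 of the selection list and from the pitfall above, as an added example that is not any provider's tooling: it groups log-only WAF events by rule and flags rules that mostly hit known-good sources, such as the internal tool mentioned above. The log format, rule IDs and the office egress range are assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed log-only events. Field names and rule IDs are hypothetical, not a vendor schema.
SAMPLE_LOG = """
{"rule_id": "R-920", "src_ip": "198.51.100.5", "path": "/api/export", "action": "log"}
{"rule_id": "R-920", "src_ip": "198.51.100.5", "path": "/api/export", "action": "log"}
{"rule_id": "R-920", "src_ip": "198.51.100.6", "path": "/api/export", "action": "log"}
{"rule_id": "R-920", "src_ip": "203.0.113.50", "path": "/contact", "action": "log"}
{"rule_id": "R-942", "src_ip": "203.0.113.7", "path": "/login", "action": "log"}
{"rule_id": "R-942", "src_ip": "203.0.113.7", "path": "/login", "action": "log"}
this line is truncated {"rule_id":
"""

# Assumption: the office egress range from which internal tools reach the site.
KNOWN_GOOD_NETS = [ipaddress.ip_network("198.51.100.0/28")]

def review_log_only(log_text, known_good=KNOWN_GOOD_NETS, threshold=0.5):
    """Per rule: hit count, share of hits from known-good sources, and a verdict."""
    stats = defaultdict(lambda: {"hits": 0, "known_good": 0, "paths": set()})
    skipped = 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            event = json.loads(line)
            rule, ip = event["rule_id"], ipaddress.ip_address(event["src_ip"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed line: count it, never guess its content
            continue
        entry = stats[rule]
        entry["hits"] += 1
        entry["paths"].add(event.get("path", "?"))
        entry["known_good"] += any(ip in net for net in known_good)
    report = {}
    for rule, entry in stats.items():
        share = entry["known_good"] / entry["hits"]
        report[rule] = {
            "hits": entry["hits"],
            "known_good_share": round(share, 2),
            "paths": sorted(entry["paths"]),
            # Mostly legitimate traffic: add an exception or tune the rule before blocking.
            "verdict": "tune-before-blocking" if share >= threshold else "ready-to-block",
        }
    return report, skipped

if __name__ == "__main__":
    print(json.dumps(review_log_only(SAMPLE_LOG)[0], indent=2))
```

A "ready-to-block" verdict only means the rule did not fire mainly on known-good sources during the window; the listed paths are still worth a manual look before activation.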

Trade-offs

STRENGTHS

  • Cloudflare: best free tier worldwide, market standard, huge feature set
  • Bunny.net: best price-performance ratio for small EU sites
  • Infomaniak: only pure Swiss solution with pure DSG
  • Fastly: extremely fast cache invalidation, strong edge logic
  • Akamai: enterprise compliance, bank-level security

WEAKNESSES

  • Cloudflare: free-tier logs in US - Data Localization Suite costs extra
  • AWS CloudFront: complex to configure outside the AWS stack
  • Akamai: four to five figure entry price per month
  • DNSimple: US hosting, no CDN/WAF - DNS only
  • Infomaniak: no CDN, no global WAF - Swiss DNS only

FAQ

Is Cloudflare-Free really enough for an SME?

For pure marketing sites without login: yes, unconditionally. Unlimited DDoS protection, basic bot filters, free SSL. As soon as a client portal, a contact form with sensitive data, or an API endpoint is in play, the jump to Pro (USD 25/month) pays off - better WAF rules, rate limiting, image optimisation. For revDSG-strict mandates, Data Localization Suite (surcharge) is added.

How does Bunny.net compare to Cloudflare in price?

Cloudflare is flat-rate (Free, USD 25 Pro, USD 250 Business, Enterprise individual). Bunny.net is pay-per-GB (USD 0.005-0.06 per region). Concretely: a small fiduciary site with 50 GB traffic per month pays about USD 0.50 at Bunny.net plus DNS and Shield add-on (about USD 2 together) - under USD 3. Cloudflare-Free covers the same, but without EU log residency. For EU residency: Bunny.net 3 USD/month vs. Cloudflare Pro plus DLS 30+ USD/month.

What happens at a Cloudflare outage?

Cloudflare has had two larger global outages in the last three years (two to four hours each). Anyone hosting without a fallback is offline during that time. Solution: multi-CDN setup (Cloudflare plus Bunny.net or Fastly as backup) with DNS failover. Only worthwhile for mandates with hard SLA requirements - SME setups usually tolerate the few hours if they are rare enough.

Can I combine Infomaniak DNS plus Cloudflare CDN?

Yes, that is a clean solution. Infomaniak holds the authoritative DNS zone in CH (DNSSEC enabled), CNAME record points to a Cloudflare hostname, Cloudflare handles CDN/WAF/DDoS. Pro: DNS from CH, CDN/WAF global. Con: two vendor relationships instead of one. Worth it when DNS residency in CH is especially important (for instance for public-sector mandates).


