Sovereignty Hosting & Domains — Final Ranking / Scoring / Analysis

Bitcoin / FOSS / privacy maximalism anti-capture / anti-platform drift weighted scoring (0–100) last verified: March 2026

This page ranks a short list of hosting / registrar / DNS providers using a sovereignty-first rubric: minimal identity exposure, clean payment rails, jurisdictional resilience, upstream risk awareness, and demonstrated behavior under pressure.

Scoring Framework

Weights are fixed; each criterion is scored 0–100, then combined into a weighted composite.

Payment / KYC / OpSec Surface 30%

Minimizes identity disclosure and avoids compliance-gateway chokepoints. Prefers direct BTC/XMR acceptance over exchange-centric processors.

Reference pressure point: registrar/host obligations have intensified under ICANN DNS abuse enforcement since April 5, 2024 DNS abuse amendments.

Jurisdiction & Legal Shield 25%

Evaluates country-level exposure (5-Eyes proximity, EU/NIS2 drift, surveillance posture), plus ICANN/registry compliance pressures and cross-border enforcement channels.

ICANN compliance reporting illustrates the practical effects of these obligations: ICANN enforcement report (Nov 2024).

Ownership & Upstream Risk 15%

Who holds legal title to a domain; whether the provider is a registrar or a reseller; and whether upstream dependencies (registrar partners, registries, platform roll-ups) add invisible choke points.

Censorship-Resistance & Behavior 15%

Measures proven stance under pressure (raids, injunctions, coordinated “informal” takedown pressure), not just marketing language.

Tech / FOSS / Privacy-by-Design 10%

FOSS posture, privacy-oriented engineering (alt-nets, warrant canaries, DNSSEC/IPv6, self-hosted payment stacks).

Operational Resilience & UX 5%

Stability, maturity, support competence. Important, but cannot compensate for KYC or jurisdictional capture.

Scoring is intentionally “directionally precise”: accurate enough for ranking and trade-off selection, without pretending to 1-point scientific certainty.

Final Ranking (Composite)

Composite = Σ(score × weight). All criterion scores are 0–100.

# Provider Pay/KYC
(30%)		 Juris
(25%)		 Ownership
(15%)		 Behavior
(15%)		 Tech/FOSS
(10%)		 Ops/UX
(5%)		 Composite
1 1984 Hosting
BTC + XMR Iceland FOSS-first
969485889590 92.2
2 PRQ
Raid-tested Sweden/EU drift Confidentiality posture
907578988880 85.0
3 IncogNET
Privacy engineering US jurisdiction Warrant canary
986580829685 83.8
4 OrangeWebsite
Iceland FOE posture 3rd-party processors ToS kill-switch
858570868888 83.4
5 Njalla
WHOIS invisibility Proxy ownership risk Reseller upstream
928055808882 80.7
6 Hurricane Electric Free DNS
Top-tier DNS US backbone DNS-only (not registrar)
756070659595 72.0
7 Gandi
EU compliance Roll-up risk Mainstream registrar
656870728595 71.0
8 Porkbun
ID verification Coinbase Commerce rails Retail registrar
406075608295 60.2
Scope note: “Hurricane Electric Free DNS” is evaluated as an infrastructure component (authoritative DNS hosting), not as a domain registrar or web host. Its placement reflects technical excellence paired with deep US-core positioning. See dns.he.net and related docs (API / dynamic DNS notes).

Provider Analysis

Each section includes per-axis scores, plus evidence links embedded where claims appear.

1) 1984 Hosting — 92.2 / 100

Top all-rounder
Key framing: an “ethical hosting” posture anchored by Iceland + explicit FOSS + direct BTC/XMR payments, without the proxy-ownership risks found in some privacy registrars.

2) PRQ — 85.0 / 100

Censorship-resistance apex
  • Payment / KYC (90): PRQ publicly states confidentiality posture (“don’t even have to know who you are”) (PRQ homepage), and announces BTC payments (PRQ news: “We can now accept BTC payments”).
  • Jurisdiction (75): Sweden is materially more exposed to EU/surveillance drift than Iceland; this is a discount relative to Icelandic providers.
  • Ownership & upstream (78): Hosting-centric; domains still ride ICANN/registry chains; PRQ’s edge is primarily behavior under pressure, not upstream immunity.
  • Behavior (98): PRQ’s history includes raids and high-profile clients; documented widely: Forbes (2012) raid report, plus historical references to The Pirate Bay raid affecting PRQ-hosted servers (Wikipedia: May 2006 raid).
  • Tech/FOSS (88): Solid Linux/FOSS assumptions, but the differentiation is political/behavioral rather than modern privacy-engineering specialization.
  • Ops/UX (80): Smaller, sharper edges; the trade-off is proven resistance posture.
PRQ scores #1 on “stood under direct pressure and stayed standing.” The discount is Sweden/EU drift and smaller operational polish relative to larger, more conventional providers.

3) IncogNET — 83.8 / 100

US jurisdiction discount
  • Payment / KYC (98): Domain registration emphasizes privacy-by-default and crypto acceptance (IncogNET domain registration). Operational privacy posture is documented in the IncogNET privacy policy.
  • Jurisdiction (65): US legal exposure is the primary discount (NSL/gag-order environment risk).
  • Ownership & upstream (80): “Registrar built for privacy enthusiasts” framing and default WHOIS privacy posture (domain page).
  • Behavior (82): Explicitly distinguishes privacy posture from “free for all”; complies with local laws (IncogNET AUP / ToS). Operates a public warrant canary (IncogNET warrant canary).
  • Tech/FOSS (96): Public-facing infrastructure includes privacy projects and alternative-network endpoints (Tor/I2P/Yggdrasil) listed under projects (IncogNET privacy projects).
  • Ops/UX (85): Modern service posture and documentation presence; still downstream of upstream ISPs/DCs (standard risk).
IncogNET is payment/engineering-maximal, with the principal structural risk being US jurisdiction. In threat models tolerant of US exposure, this moves closer to the top tier.

4) OrangeWebsite — 83.4 / 100

Layered upstream + ToS kill-switch
  • Payment / KYC (85): Crypto payments are explicitly supported, including Monero among other coins, but processed via compliance-centric payment partners: OrangeWebsite “Crypto Web Hosting”.
  • Jurisdiction (85): Iceland-based FOE provider positioning is explicit (OrangeWebsite company page), and server location is stated as Reykjavik, Iceland (OrangeWebsite FAQ).
  • Ownership & upstream (70): Domain anonymity can involve registrar chains (e.g., Internet.bs), which introduces upstream dependencies beyond the hosting layer (KYCnot summary).
  • Behavior (86): FOE branding is explicit (company mission statement), but the ToS includes broad termination power (“with or without notice”) (OrangeWebsite ToS).
  • Tech/FOSS (88): Solid hosting stack; privacy posture is emphasized; crypto automation described by the provider (crypto billing flow notes).
  • Ops/UX (88): Established provider (2009–), “Iceland-based” positioning and scale claims are public (company page).
OrangeWebsite is strong on Iceland FOE positioning and supports a wide crypto set, but uses third-party processors (BitPay/CoinPayments) and retains a broad ToS termination lever that must be treated as an explicit structural risk.

5) Njalla — 80.7 / 100

Proxy ownership model
  • Payment / KYC (92): Signup supports email or XMPP (OMEMO/OTR) (Njalla signup). Current payments listed in the FAQ include Bitcoin/Litecoin/Ethereum and PayPal (Njalla FAQ).
  • Jurisdiction (80): Privacy-provider posture is explicit, including “register with our own data” (Njalla about).
  • Ownership & upstream (55): The model is explicitly: Njalla can be the actual registrant (not “ownership by proxy”), while the customer retains control and can move later (Njalla about). Independent reporting describes the service as a Tucows/OpenSRS reseller and notes the practical ownership trade-off (DomainIncite (2017), WebHosting.info (2017)).
  • Behavior (80): Njalla documents legal-pressure handling in its blog (interaction with registrar partner / injunction dynamics) (Njalla legal blog post).
  • Tech/FOSS (88): Anycast DNS and DNSSEC support are listed under domain features (Njalla domains).
  • Ops/UX (82): Generally smooth for ordinary registrations, but the proxy-ownership and upstream-reseller structure is inherently brittle under high-pressure cases.
Njalla maximizes WHOIS invisibility by offering to be the registrant, but the trade is structural: upstream reseller choke points and the fact that registries/courts see Njalla as the holder unless/until transfer occurs.

6) Hurricane Electric Free DNS — 72.0 / 100

DNS component
  • Category: Authoritative DNS hosting platform (dns.he.net), plus API/dynamic DNS options (docs).
  • Pay/KYC (75): Free service reduces billing KYC, but is still US corporate infrastructure.
  • Jurisdiction (60): US-based backbone operator (Hurricane Electric).
  • Tech/FOSS (95) & Ops/UX (95): Mature DNS feature set for forward/reverse records and automation (DNS-only evaluation).
Technically excellent DNS. Strategically, it sits deep inside US-core infrastructure, so it is best treated as a tactical leg rather than a sovereignty anchor.

7) Gandi — 71.0 / 100

Mainstream + roll-up drift
  • Payment / KYC (65): Conventional ICANN registrar posture with standard compliance gravity.
  • Jurisdiction (68): EU/France compliance environment.
  • Ownership & upstream (70): Merger into a larger platform structure documented in: Your.Online press release (Feb 2023) and Gandi’s own update (Mar 2023).
  • Behavior (72): Historically “no-bullshit” branding, but platform roll-up incentives typically align with standardized compliance and risk minimization.
  • Ops/UX (95): Mature mainstream registrar UX.
One of the better mainstream registrars, but structurally inside EU compliance and platform roll-up logic.

8) Porkbun — 60.2 / 100

KYC + exchange rails
  • Payment / KYC (40): Introduced photo ID verification for some accounts via Veriff (Porkbun KB: ID verification).
  • Crypto rails: Crypto payments have been migrated to Coinbase Commerce and Stripe (Porkbun: Pay with Crypto), and support pages reference Coinbase’s onchain payment protocol (Payment options).
  • Jurisdiction (60): US registrar environment.
  • Ops/UX (95): Strong retail UX and tooling; not sovereignty-aligned under this rubric.
Porkbun remains strong as a retail registrar. Under a sovereignty-first rubric, photo-ID verification and exchange-centric payment rails are decisive negatives that overwhelm other positives.

Clusters

A compact way to interpret the ranking in “use-case bands.”

Sovereignty-grade core candidates Top tier

1984 Hosting (Iceland + explicit FOSS + BTC/XMR: about, payments) — best overall anchor.

PRQ (behavior under fire: Forbes raid report, PRQ statement) — censorship-resistance apex.

IncogNET (privacy engineering + warrant canary: domains, canary) — top payment/engineering, discounted by US jurisdiction.

Strong but conditional Second tier

OrangeWebsite (Iceland FOE posture: company) with third-party crypto processors and explicit ToS termination lever (ToS).

Njalla (privacy via registrant substitution: about) with structural ownership/upstream risk documented in independent reporting (DomainIncite).

Tactical / supporting roles Component layer

Hurricane Electric Free DNS is technically excellent authoritative DNS (dns.he.net), but is positioned inside US-core backbone infrastructure (he.net). Best treated as one DNS leg, not as sovereignty root.

Mainstream / non-sovereign Low alignment

Gandi is a privacy-aware mainstream registrar, but now inside a larger platform roll-up (Your.Online merger).

Porkbun is strong retail UX, but introduces photo-ID verification (Veriff KYC) and routes crypto via Coinbase Commerce (crypto page).

Design intent: links are placed directly at the point of each claim (payments, ToS, canaries, enforcement regime), rather than centralized in a back-of-page appendix.