diff --git a/src/routes/cloudron.js b/src/routes/cloudron.js
index 2ec5be81d..6103dd6fd 100644
--- a/src/routes/cloudron.js
+++ b/src/routes/cloudron.js
@@ -4,6 +4,7 @@ exports = module.exports = {
 activate: activate,
 dnsSetup: dnsSetup,
 setupTokenAuth: setupTokenAuth,
+ providerTokenAuth: providerTokenAuth,
 getStatus: getStatus,
 reboot: reboot,
 migrate: migrate,
@@ -102,14 +103,22 @@ function setupTokenAuth(req, res, next) {
 next();
 });
- } else if (config.provider() === 'ami') {
- if (typeof req.query.setupToken !== 'string' || !req.query.setupToken) return next(new HttpError(400, 'setupToken must be a non empty string'));
+ } else {
+ next();
+ }
+}
+
+function providerTokenAuth(req, res, next) {
+ assert.strictEqual(typeof req.body, 'object');
+
+ if (config.provider() === 'ami') {
+ if (typeof req.body.providerToken !== 'string' || !req.body.providerToken) return next(new HttpError(400, 'providerToken must be a non empty string'));
 superagent.get('http://169.254.169.254/latest/meta-data/instance-id').timeout(30 * 1000).end(function (error, result) {
 if (error && !error.response) return next(new HttpError(500, error));
 if (result.statusCode !== 200) return next(new HttpError(500, 'Unable to get meta data'));
- if (result.text !== req.query.setupToken) return next(new HttpError(403, 'Invalid token'));
+ if (result.text !== req.body.providerToken) return next(new HttpError(403, 'Invalid providerToken'));
 next();
 });
diff --git a/src/server.js b/src/server.js
index 7a57e2f08..04074f983 100644
--- a/src/server.js
+++ b/src/server.js
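Review bot: The added `assert.strictEqual(typeof req.body, 'object')` in providerTokenAuth still lets a `null` body through, because `typeof null === 'object'`, so `req.body.providerToken` on the next line throws a TypeError instead of producing the 400; `if (!req.body || typeof req.body !== 'object') return next(new HttpError(400, 'body must be an object'));` would cover it. The middleware carries no comment, and since the EC2 instance id is shown in the AWS console and served by the same metadata endpoint to every process on the instance, a header such as `// Ownership check for the 'ami' provider: req.body.providerToken must equal this instance's id as reported by the EC2 metadata service. The id is not a secret; it only proves console or instance access.` would make the threat model explicit. The remainder of providerTokenAuth (the non-'ami' path) lies outside the hunk as shown, so what other providers get cannot be confirmed here.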
@@ -79,7 +79,7 @@ function initializeExpressSync() {
 // public routes
 router.post('/api/v1/cloudron/activate', routes.cloudron.setupTokenAuth, routes.cloudron.activate);
- router.post('/api/v1/cloudron/dns_setup', routes.cloudron.dnsSetup); // only available until no-domain
+ router.post('/api/v1/cloudron/dns_setup', routes.cloudron.providerTokenAuth, routes.cloudron.dnsSetup); // only available until no-domain
 router.get ('/api/v1/cloudron/progress', routes.cloudron.getProgress);
 router.get ('/api/v1/cloudron/status', routes.cloudron.getStatus);
 router.get ('/api/v1/cloudron/avatar', routes.settings.getCloudronAvatar); // this is a public alias for /api/v1/settings/cloudron_avatar
diff --git a/webadmin/src/js/setup.js b/webadmin/src/js/setup.js
index bdb074883..64e657f17 100644
--- a/webadmin/src/js/setup.js
+++ b/webadmin/src/js/setup.js
@@ -20,12 +20,11 @@ app.controller('SetupController', ['$scope', '$http', 'Client', function ($scope
 $scope.provider = '';
 $scope.apiServerOrigin = '';
 $scope.setupToken = '';
- $scope.instanceId = '';
 $scope.activateCloudron = function () {
 $scope.busy = true;
- Client.createAdmin($scope.account.username, $scope.account.password, $scope.account.email, $scope.account.displayName, $scope.setupToken || $scope.instanceId, function (error) {
+ Client.createAdmin($scope.account.username, $scope.account.password, $scope.account.email, $scope.account.displayName, $scope.setupToken, function (error) {
 if (error && error.statusCode === 403) {
 $scope.busy = false;
 $scope.error = $scope.provider === 'ami' ? 'Wrong instance id' : 'Wrong setup token';
@@ -82,7 +81,6 @@ app.controller('SetupController', ['$scope', '$http', 'Client', function ($scope
 $scope.account.displayName = search.displayName || $scope.account.displayName;
 $scope.account.requireEmail = !search.email;
 $scope.provider = status.provider;
- $scope.instanceId = search.instanceId;
 $scope.apiServerOrigin = status.apiServerOrigin;
 $scope.initialized = true;
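Review bot: The route comment `// only available until no-domain` on the dns_setup line now hides that the new guard is provider-specific: providerTokenAuth, as added in src/routes/cloudron.js in this same commit, only performs the instance-id check when `config.provider() === 'ami'`, so on other providers the endpoint appears to stay unauthenticated (its non-'ami' path is not visible in this diff). I would extend the comment to `// only available until no-domain; providerTokenAuth enforces the EC2 instance-id check on the 'ami' provider only`. The enclosing initializeExpressSync body continues outside the hunk.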
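Review bot: The 403 handler in activateCloudron still reports `'Wrong instance id'` when `$scope.provider === 'ami'`, but with the `|| $scope.instanceId` fallback removed and `$scope.instanceId` deleted from this controller, createAdmin only ever sends the setup token, so an ami user who mistypes it is told their instance id is wrong. Unless activation on ami still uses a separate credential elsewhere, collapse it to `$scope.error = 'Wrong setup token';`. The createAdmin callback continues outside the hunk.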
diff --git a/webadmin/src/js/setupdns.js b/webadmin/src/js/setupdns.js
index 8709552a7..8bd265d2c 100644
--- a/webadmin/src/js/setupdns.js
+++ b/webadmin/src/js/setupdns.js
@@ -4,11 +4,14 @@
 var app = angular.module('Application', ['angular-md5', 'ui-notification', 'ngTld']);
 app.controller('SetupDNSController', ['$scope', '$http', 'Client', 'ngTld', function ($scope, $http, Client, ngTld) {
+ var search = decodeURIComponent(window.location.search).slice(1).split('&').map(function (item) { return item.split('='); }).reduce(function (o, k) { o[k[0]] = k[1]; return o; }, {});
+
 $scope.initialized = false;
 $scope.busy = false;
 $scope.error = null;
 $scope.provider = '';
 $scope.showDNSSetup = false;
+ $scope.instanceId = '';
 // keep in sync with certs.js
 $scope.dnsProvider = [
@@ -36,7 +39,8 @@ app.controller('SetupDNSController', ['$scope', '$http', 'Client', 'ngTld', func
 provider: $scope.dnsCredentials.provider,
 accessKeyId: $scope.dnsCredentials.accessKeyId,
 secretAccessKey: $scope.dnsCredentials.secretAccessKey,
- token: $scope.dnsCredentials.digitalOceanToken
+ token: $scope.dnsCredentials.digitalOceanToken,
+ providerToken: $scope.instanceId
 };
 // special case the wildcard provider
@@ -46,7 +50,11 @@ app.controller('SetupDNSController', ['$scope', '$http', 'Client', 'ngTld', func
 }
 Client.setupDnsConfig(data, function (error) {
- if (error) {
+ if (error && error.statusCode === 403) {
+ $scope.dnsCredentials.busy = false;
+ $scope.error = 'Wrong instance id provided.';
+ return;
+ } else if (error) {
 $scope.dnsCredentials.busy = false;
 $scope.dnsCredentials.error = error.message;
 return;
@@ -84,6 +92,7 @@ app.controller('SetupDNSController', ['$scope', '$http', 'Client', 'ngTld', func
 $scope.dnsCredentials.provider = 'wildcard';
 }
+ $scope.instanceId = search.instanceId;
 $scope.provider = status.provider;
 $scope.initialized = true;
 });
diff --git a/webadmin/src/setup.html b/webadmin/src/setup.html
index 822e3b422..1e68e4586 100644
--- a/webadmin/src/setup.html
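Review bot: The new `search` parser decodes the entire query string with decodeURIComponent before splitting on `&` and `=`, so a value that contains an encoded `&` or `=` is torn apart, and a malformed percent sequence anywhere in the URL makes decodeURIComponent throw a URIError during controller construction, before `$scope.initialized` is ever set. Decoding each part after the split keeps the instanceId read in the last hunk intact, e.g. `.map(function (item) { var kv = item.split('='); return [decodeURIComponent(kv[0]), decodeURIComponent(kv.slice(1).join('='))]; })`. A one-line comment such as `// query parameters from the setup redirect; only instanceId is read below` would also tell the next reader why this is parsed by hand.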
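Review bot: The new 403 branch in the setupDnsConfig callback stores its message in `$scope.error`, while the sibling branch three lines below stores failures in `$scope.dnsCredentials.error`, so unless the template binds both fields the 'Wrong instance id provided.' text is shown in a different place than every other DNS setup error, or not at all; `$scope.dnsCredentials.error = 'Wrong instance id provided.';` keeps the two branches consistent. The `else if` after an unconditional `return` is also redundant; a plain `if (error) {` reads the same. The callback continues outside the hunk.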
+++ b/webadmin/src/setup.html @@ -81,11 +81,6 @@ Password must be 8-30 character with at least one uppercase, one numeric and one special character -
Provide the EC2 instance id to verify you are the owner
- -{{ error }}
-Provide the EC2 instance id to verify you have access to this server.
+{{ error }}
+