Curious Cloudflare DNS behavior

• Previous message (by thread): Curious Cloudflare DNS behavior
• Next message (by thread): Curious Cloudflare DNS behavior
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>
>
>
> Outsourcing stuff like DNS is just a continuation of the trend of sending
> your workloads onto someone else's cloud.  It seems easy -- right up until
> it isn't working the way you want it to.
>
>
Outsourcing DNS recursion isn't a good trade-off IMHO, but outsourcing
threat blocking via DNS is. So, my preferred recursive DNS setup is:
- Caching recursive server on ISP's premises
- Unbound or Knot Resolver based
- Root zone authoritatives to increase both privacy and performance
- Recursion done only for CDN zones (1e100.net, akadns.net etc.) in order
to get the best CDN performance for the access customers
- Forwarding of all non-CDN traffic to security-focused DNS recursives link
Umbrella, Cloudflare, Norton, Quad-9 etc.
- IGP-based anycast

This is also flexible enough to deal with DNSSEC signature expiration, AA
missing on authoritative responses etc., either by configuration on the
recursives themselves or by forwarding specific domains to specific outside
recursives.

Maintaining it requires work, it's not a plug and forget solution; but it
provides a good balance of performance, security and operational
flexibility.


Rubens
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200530/e1e278f7/attachment.html>

• Previous message (by thread): Curious Cloudflare DNS behavior
• Next message (by thread): Curious Cloudflare DNS behavior
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]