Curious Cloudflare DNS behavior

Rubens Kuhl rubensk at
Sat May 30 20:27:05 UTC 2020

> Outsourcing stuff like DNS is just a continuation of the trend of sending
> your workloads onto someone else's cloud.  It seems easy -- right up until
> it isn't working the way you want it to.
Outsourcing DNS recursion isn't a good trade-off IMHO, but outsourcing
threat blocking via DNS is. So, my preferred recursive DNS setup is:
- Caching recursive server on ISP's premises
- Unbound or Knot Resolver based
- Root zone authoritatives to increase both privacy and performance
- Recursion done only for CDN zones (, etc.) in order
to get the best CDN performance for the access customers
- Forwarding of all non-CDN traffic to security-focused DNS recursives like
Umbrella, Cloudflare, Norton, Quad-9 etc.
- IGP-based anycast

This is also flexible enough to deal with DNSSEC signature expiration, AA
missing on authoritative responses etc., either by configuration on the
recursives themselves or by forwarding specific domains to specific outside

Maintaining it requires work, it's not a plug and forget solution; but it
provides a good balance of performance, security and operational
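
One way to express the recurse/forward split from the list above in Knot Resolver 5.x, as an added example that is not part of the original message or the poster's own configuration. The zone `cdn.example.` is a placeholder for the CDN zones the message leaves unnamed, and the forwarder addresses (Quad9 and Cloudflare's malware-blocking service) and the CA bundle path are assumptions.

```lua
-- Added example for Knot Resolver 5.x (kresd.conf); not the poster's config.
-- Policy rules are evaluated in order; the first matching non-chain action wins.

-- Local copy of the root zone: the prefill module imports it into the cache,
-- so iteration for the locally recursed zones does not need to query root servers.
modules.load('prefill')
prefill.config({
    ['.'] = {
        url = 'https://www.internic.net/domain/root.zone',
        interval = 86400,                              -- refresh daily (seconds)
        ca_file = '/etc/pki/tls/certs/ca-bundle.crt',  -- assumed path, distro-specific
    }
})

-- Placeholder list: the message does not name its CDN zones.
local cdn_zones = policy.todnames({'cdn.example.'})

-- 1. CDN zones: PASS exempts them from the catch-all rule below, so kresd
--    iterates to the CDN's authoritative servers itself and those servers
--    see the ISP resolver's own address when choosing an edge.
policy.add(policy.suffix(policy.PASS, cdn_zones))

-- 2. Everything else: forward to filtering resolvers (assumed choices).
--    9.9.9.9 is Quad9, 1.1.1.2 is Cloudflare's malware-blocking resolver.
policy.add(policy.all(policy.FORWARD({'9.9.9.9', '1.1.1.2'})))
```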
