Curious Cloudflare DNS behavior
- Subject: Curious Cloudflare DNS behavior
- From: rubensk at gmail.com (Rubens Kuhl)
- Date: Sat, 30 May 2020 17:27:05 -0300
- In-reply-to: <[email protected]>
- References: <[email protected]> <CAPKkNb5U5n9eyyW+jwbz-nfnVKjKQWenptz3U1QK+PqOF5D4=g@mail.gmail.com> <[email protected]>
>
>
>
> Outsourcing stuff like DNS is just a continuation of the trend of sending
> your workloads onto someone else's cloud. It seems easy -- right up until
> it isn't working the way you want it to.
>
>
Outsourcing DNS recursion isn't a good trade-off IMHO, but outsourcing
threat blocking via DNS is. So, my preferred recursive DNS setup is:
- Caching recursive server on ISP's premises
- Unbound or Knot Resolver based
- Root zone authoritatives to increase both privacy and performance
- Recursion done only for CDN zones (1e100.net, akadns.net etc.) in order
to get the best CDN performance for the access customers
- Forwarding of all non-CDN traffic to security-focused DNS recursives like
Umbrella, Cloudflare, Norton, Quad-9 etc.
- IGP-based anycast
This is also flexible enough to deal with DNSSEC signature expiration, AA
missing on authoritative responses etc., either by configuration on the
recursives themselves or by forwarding specific domains to specific outside
recursives.
Maintaining it requires work, it's not a plug and forget solution; but it
provides a good balance of performance, security and operational
flexibility.
Rubens
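As an added illustration (not from the post or from any of the vendors it names), here is an Unbound configuration that implements the split described above: a local copy of the root zone, iterative resolution only for the CDN zones, everything else forwarded to filtering resolvers over DNS-over-TLS, plus a pinned zone for the "forward specific domains to specific outside recursives" case. Assumptions: the service and customer addresses are RFC 5737 documentation ranges standing in for the ISP's own space; the root transfer sources are the ones RFC 8806 lists as permitting AXFR of the root zone; the filtering-forwarder addresses and TLS names are Quad9's and Cloudflare's published malware-blocking service; and the CDN "hole" relies on Unbound treating a forward-zone that has a name but no forward-addr as switching forwarding off for that subtree. Check that last behaviour, and every directive, against unbound.conf(5) for your version and run unbound-checkconf before deploying.

```conf
# unbound.conf: ISP caching resolver, iterative only for CDN zones,
# everything else forwarded to security-filtering recursives.
# 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 placeholders for the
# ISP's own anycast and customer space; replace them.
server:
    # The anycast service address lives on a loopback and is announced
    # into the IGP by the routing daemon (bird, FRR), not by Unbound.
    interface: 192.0.2.53
    interface: 127.0.0.1
    access-control: 198.51.100.0/24 allow     # access customers only
    access-control: 0.0.0.0/0 refuse          # never an open resolver
    do-ip6: yes
    prefetch: yes
    qname-minimisation: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    # Validate DNSSEC locally; the anchor is kept current by unbound-anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # CA bundle used to authenticate the DoT forwarders below.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # Stop-gap for a zone whose RRSIGs have expired; placeholder name.
    domain-insecure: "expired-rrsig.example"

# Local copy of the root zone (RFC 8806). Used only when Unbound iterates,
# i.e. for the CDN zones below; it does not affect forwarded queries.
auth-zone:
    name: "."
    primary: 199.9.14.201      # b.root-servers.net
    primary: 192.33.4.12       # c.root-servers.net
    primary: 192.5.5.241       # f.root-servers.net
    primary: 193.0.14.129      # k.root-servers.net
    primary: 192.0.47.132      # xfr.cjr.dns.icann.org
    fallback-enabled: yes      # transfer failed: query the roots normally
    for-downstream: no         # never serve the copy authoritatively
    for-upstream: yes          # do use it as the iteration starting point
    zonefile: "/var/lib/unbound/root.zone"

# Default: everything not matched by a more specific zone goes to the
# filtering resolvers over DNS-over-TLS (IP@port#tls-auth-name).
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
    forward-addr: 1.0.0.2@853#security.cloudflare-dns.com

# CDN zones: a forward-zone with a name and no addresses punches a hole in
# the "." forward, so these names are resolved iteratively and the CDN's
# authoritatives see the ISP's resolver, not the filtering provider's.
forward-zone:
    name: "1e100.net"
forward-zone:
    name: "akadns.net"
# ... add the remaining CDN zones the same way.

# A domain the filtering resolvers mishandle, pinned to a different outside
# recursive (placeholder name and address).
forward-zone:
    name: "pinned.example"
    forward-addr: 192.0.2.200
```

Two operational caveats follow from combining local validation with filtering forwarders. First, a blocked name in a signed zone comes back from the filter without a valid denial proof, so the local validator returns SERVFAIL rather than the forwarder's NXDOMAIN; the name is still blocked, but monitoring that counts SERVFAILs as outages needs to know this. Second, `domain-insecure` disables validation for the whole subtree it names, so it should be a time-boxed workaround with the zone's operator told, not a permanent entry.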