nanog mailing list archives
Re: Curious Cloudflare DNS behavior
From: Rubens Kuhl <rubensk () gmail com>
Date: Sat, 30 May 2020 17:27:05 -0300
Outsourcing stuff like DNS is just a continuation of the trend of sending your workloads onto someone else's cloud. It seems easy -- right up until it isn't working the way you want it to.
Outsourcing DNS recursion isn't a good trade-off IMHO, but outsourcing threat blocking via DNS is. So, my preferred recursive DNS setup is:

- Caching recursive server on ISP's premises
- Unbound or Knot Resolver based
- Root zone authoritatives to increase both privacy and performance
- Recursion done only for CDN zones (1e100.net, akadns.net etc.) in order to get the best CDN performance for the access customers
- Forwarding of all non-CDN traffic to security-focused DNS recursives like Umbrella, Cloudflare, Norton, Quad-9 etc.
- IGP-based anycast

This is also flexible enough to deal with DNSSEC signature expiration, AA missing on authoritative responses etc., either by configuration on the recursives themselves or by forwarding specific domains to specific outside recursives. Maintaining it requires work, it's not a plug-and-forget solution; but it provides a good balance of performance, security and operational flexibility.

Rubens
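A constructed Unbound configuration sketching the layout Rubens describes (an added example, not from the thread or from any listed project). The anycast address, customer prefix, placeholder zone names and the choice of Quad9 as the forwarder are assumptions; the root-zone transfer sources are those published in RFC 8806. Check unbound.conf(5) for your release before relying on the empty forward-zone carve-out.

```conf
# Constructed unbound.conf sketch; addresses and zone names below are assumptions.
server:
    interface: 192.0.2.53                   # assumed IGP-advertised anycast address
    access-control: 198.51.100.0/24 allow   # assumed access-customer range
    access-control: 0.0.0.0/0 refuse        # do not become an open resolver
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-glue: yes
    harden-dnssec-stripped: yes
    prefetch: yes
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # Escape hatch for a zone whose DNSSEC signatures have expired (placeholder name):
    domain-insecure: "broken-signer.example"

# Local copy of the root zone (RFC 8806), transferred from public root-zone sources.
auth-zone:
    name: "."
    primary: 199.9.14.201                   # b.root-servers.net (RFC 8806); older Unbound spells this "master"
    primary: 192.33.4.12                    # c.root-servers.net (RFC 8806)
    fallback-enabled: yes                   # use the live root servers if the copy goes stale
    for-downstream: no                      # do not serve the copy to clients directly
    for-upstream: yes                       # use it for our own recursion
    zonefile: "/var/lib/unbound/root.zone"

# Everything not carved out below goes to a security-focused recursive over DNS-over-TLS.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net          # assumed choice: Quad9 (blocking service)
    forward-addr: 149.112.112.112@853#dns.quad9.net

# CDN zones are carved out of the catch-all: a forward-zone with only a name and no
# forward-addr makes Unbound resolve that zone by iteration (assumption: verify in
# unbound.conf(5)), so the CDN sees the ISP resolver's own address and returns nearby nodes.
forward-zone:
    name: "1e100.net"
forward-zone:
    name: "akadns.net"

# Per-domain exception: send one troublesome zone (e.g. AA missing upstream) to a
# specific outside recursive instead of the default forwarder.
forward-zone:
    name: "odd-authoritative.example"       # placeholder zone name
    forward-addr: 208.67.222.222            # assumed: Cisco Umbrella resolver
```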