Stub-resolvers do not get much attention in the DNS world. They are frequently dumb and simple, which is fine in some situations. Cloudflare operates systems all over the world that make lots of DNS requests, and those requests are highly time-critical with high reliability requirements. We have evolved the system from a simple Unix stub resolver to a resolver on each box, through a series of tiered setups. At each step of the way we tried to measure the performance impact and document the failures we encountered.
In addition, the modern DNS world, with DNSSEC and new transports over DoT, DoH and DoQ, really calls for obsoleting the old-style stub-resolvers.
We will outline the basic operating principles for modern stub-resolvers based on our experiences, both corporate and personal, from operating or testing bind, dnssec-trigger, dnsdist, knot, stubby and unbound.
This talk can be performance heavy or 'what we learned' heavy.