Outsourcing stuff like DNS is just a continuation of the trend of sending
your workloads onto someone else's cloud.  It seems easy -- right up until
it isn't working the way you want it to.


Outsourcing DNS recursion isn't a good trade-off IMHO, but outsourcing threat blocking via DNS is. So, my preferred recursive DNS setup is:
- Caching recursive server on ISP's premises
- Unbound or Knot Resolver based
- Root zone authoritatives to increase both privacy and performance
- Recursion done only for CDN zones (1e100.net, akadns.net etc.) in order to get the best CDN performance for the access customers
- Forwarding of all non-CDN traffic to security-focused DNS recursives like Umbrella, Cloudflare, Norton, Quad-9 etc.
- IGP-based anycast 

This is also flexible enough to deal with DNSSEC signature expiration, AA missing on authoritative responses etc., either by configuration on the recursives themselves or by forwarding specific domains to specific outside recursives. 

Maintaining it requires work, it's not a plug and forget solution; but it provides a good balance of performance, security and operational flexibility. 


Rubens
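As an added illustration of the layout described above (not Rubens' configuration, nor anything shipped by Unbound), here is how the pieces map onto an unbound.conf: a local root zone copy, Quad9 as the default forwarder, CDN zones resolved locally, and a per-domain exception. The root and Quad9 addresses are public ones that should be verified before use; the interface, access range, file paths and example domains are placeholders, and the "forward-zone without addresses overrides the '.' forward" behaviour is an assumption to check against unbound.conf(5) for your version.

```conf
# Added example sketching the setup in the post above; not Rubens' config.
# Real addresses are public root/Quad9 ones (verify them); everything else
# (interface, customer range, paths, example domains) is a placeholder.
server:
    # IGP-based anycast: the service address sits on a loopback that the
    # router announces into the IGP; 192.0.2.53 is a documentation placeholder.
    interface: 192.0.2.53
    access-control: 198.51.100.0/24 allow       # placeholder: access customers only
    # DNSSEC validation with a locally maintained trust anchor (path assumed)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Exempt a zone whose signatures keep expiring (placeholder name)
    domain-insecure: "broken-dnssec.example"
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"   # Debian path, assumed

# Local copy of the root zone (RFC 8806 style): better privacy, fewer round
# trips to the roots. These root servers allow AXFR; confirm before use.
auth-zone:
    name: "."
    primary: 199.9.14.201         # b.root-servers.net
    primary: 192.33.4.12          # c.root-servers.net
    primary: 192.5.5.241          # f.root-servers.net
    primary: 193.0.14.129         # k.root-servers.net
    fallback-enabled: yes         # query the roots normally if the copy is unavailable
    for-downstream: no            # never serve the zone copy directly to clients
    for-upstream: yes             # use the copy instead of asking the roots
    zonefile: "/var/lib/unbound/root.zone"

# Default path: everything not matched below goes to a security-filtering
# recursive over DNS-over-TLS (Quad9 shown; Cloudflare, Umbrella etc. work alike).
forward-zone:
    name: "."
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-tls-upstream: yes

# CDN zones are recursed locally so the CDN sees the ISP's resolver and
# hands back nearby nodes. Assumption: a forward-zone with no addresses
# overrides the "." forward and makes Unbound resolve the zone itself;
# check the forward-zone section of unbound.conf(5) for your version.
forward-zone:
    name: "1e100.net"
forward-zone:
    name: "akadns.net"

# Per-domain exception: one troublesome zone (placeholder name) is sent to a
# specific outside recursive instead of the default forwarder.
forward-zone:
    name: "troublesome.example"
    forward-addr: 1.1.1.1
```

Run `unbound-checkconf` after editing, and watch the auth-zone transfer in the logs the first time, since a failed root AXFR silently falls back to normal root queries with `fallback-enabled: yes`.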