Shared private resolver operators are typically ISPs or similar hosting service providers. They offer DNS resolution services to their customers (mobile, cable/DSL/fiber residential and commercial users, as well as hosted servers and applications). Access is usually determined by the source IP address of the client or host sending the queries. The client or host is using the ISP to access the rest of the Internet. These resolvers are normally shared between many different customers (although an ISP may decide to segment clients based on their type – home/residential DSL and fiber, mobile, commercial, etc.).
There are two types of best practices for shared private recursive resolver operators: DNS security, and DNS availability and resilience. In addition to these two categories specific to the core DNS, all operators must pay careful attention to practices related to hardening their core system security.
DNSSEC validation MUST be enabled for recursive resolvers.
ACL statements MUST be used to restrict who may send recursive queries to your DNS resolvers/validators.
(Privacy consideration): QNAME minimization MUST be enabled to mitigate leakage of domain names.
Authoritative and recursive DNS service MUST NOT coexist on the same DNS server.
Your recursion services MUST have resilience by using at least two distinct servers that take diversity into consideration.
Monitoring of the services, servers, and network equipment that make up your DNS infrastructure MUST be implemented.
(Privacy consideration): DoT (DNS-over-TLS) or DoH (DNS-over-HTTPS) SHOULD be enabled. Deploying either is the easiest way to protect against eavesdropping and manipulation of DNS queries and man-in-the-middle attacks by encrypting DNS queries between stub and recursive resolvers, or between a forwarding and recursive resolver.