DNS Edge frequently asked questions - BlueCat DNS Edge

DNS Edge Deployment Guide

Doesn't control over DNS require blocking port 53 against rogue (non-official) DNS servers?

Yes. This is a critical best practice for all customers, with or without DNS Edge.

Does introducing another DNS layer decrease performance, or increase latency?

Not in any meaningful way. If DNS Edge Service Points are deployed as intended, close to client networks, DNS latency and response time should be improved overall versus a remote caching server.

How do we direct DNS traffic to Service Points? Do we have to re-IP the existing DNS servers, or update the DHCP and DNS IPs configured on servers?

Our suggestion is to start by redirecting DHCP clients to the IP address of the Service Point, and then work through statically configured hosts as needed. It's possible to re-IP the existing DNS infrastructure instead, but this is potentially more disruptive.

How can I safeguard my clients against possible Service Point failure?

If you're worried about this, add the IP address of your original DNS server to your clients as a secondary DNS server, after the Service Point's IP address.
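As an added check for the two answers above (blocking port 53 to rogue resolvers, and keeping the original DNS server as a secondary), here is an audit script that is not part of BlueCat's documentation or product: it walks constructed flow-log lines (the log format and every IP address in it are assumptions) and classifies each port-53 flow as reaching a Service Point, falling back to the legacy resolver (a sign a Service Point may be unreachable), or reaching a rogue resolver that the egress rule should be blocking.

```python
# Added example (not BlueCat code): audit flow logs for DNS that bypasses Service Points.
import ipaddress
from collections import Counter

# Assumed addresses: two Service Points and the original internal DNS server
# that clients carry as their secondary resolver.
SERVICE_POINTS = {"10.0.5.10", "10.0.5.11"}
LEGACY_RESOLVERS = {"10.0.1.53"}

# Constructed sample lines: "<ts> <src_ip> <dst_ip> <proto> <dst_port>"
SAMPLE_LOG = """\
1700000001 10.0.20.14 10.0.5.10 udp 53
1700000002 10.0.20.14 10.0.5.10 tcp 53
1700000003 10.0.20.88 8.8.8.8 udp 53
1700000004 10.0.20.14 10.0.1.53 udp 53
1700000005 10.0.20.31 10.0.7.9 tcp 443
1700000006 10.0.21.5 1.1.1.1 udp 53
1700000007 10.0.20.88 8.8.8.8 udp 53
"""

def classify(dst_ip: str) -> str:
    """Label a port-53 destination as service_point, fallback or rogue."""
    if dst_ip in SERVICE_POINTS:
        return "service_point"
    if dst_ip in LEGACY_RESOLVERS:
        return "fallback"  # client failed over; check Service Point health
    return "rogue"  # neither: the port-53 egress rule should have blocked it

def audit_dns_flows(log_text: str) -> dict:
    """Return {label: Counter((src, dst) -> count)} for all port-53 flows."""
    results = {"service_point": Counter(), "fallback": Counter(), "rogue": Counter()}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than abort the audit
        _ts, src, dst, proto, port = fields
        if port != "53" or proto not in ("udp", "tcp"):
            continue  # only DNS over UDP/TCP port 53 is in scope here
        ipaddress.ip_address(dst)  # raise on garbage instead of mislabelling it
        results[classify(dst)][(src, dst)] += 1
    return results

if __name__ == "__main__":
    report = audit_dns_flows(SAMPLE_LOG)
    for (src, dst), n in report["rogue"].items():
        print(f"ROGUE    {src} -> {dst}:53 x{n}  (should be blocked at the edge)")
    for (src, dst), n in report["fallback"].items():
        print(f"FALLBACK {src} -> {dst}:53 x{n}  (Service Point unreachable?)")
```

Sustained fallback traffic from many clients is the signal to investigate Service Point health before rogue entries, since a failed Service Point silently removes policy enforcement for those clients.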

How many queries per second can the Service Points handle?

DNS Edge requires a change in thought and approach when it comes to architecting a solution. Each Service Point is stress-tested to handle up to 20,000 queries per second when queries are logged only to the Edge Cloud Console, and up to 6,000 queries per second when queries are logged to a custom logging endpoint (on its own or alongside the Console). Customers are encouraged to install as many Service Points as they need.

What's the impact of number or size of policies on QPS?

We don't have a full spectrum of policy complexity versus QPS as a measurement. We have successfully tested multiple policies with hundreds of thousands of domains associated with them. There has been no measurable impact to QPS in these tests, and we will continue to work with customer use cases to ensure we maintain this level of performance.

What about DDNS updates? What about zone transfers?

DDNS clients and DNS servers communicate directly to perform DDNS updates and zone transfers. DNS Edge doesn't interfere with this communication.

Wouldn't a compromised client just use IP addresses (or its control channel for resolution) and avoid DNS?

This is certainly possible. However, the vast majority of malware relies on DNS, because the location of its command-and-control (C2) resources must be moved constantly to evade other security controls, which makes DNS even more critical for the malware to function properly.

What actions are available using the API? If I can do it in the GUI can I do it using the API?

Yes: all operations/actions are available using the API. For detailed information about the API, see the DNS Edge User Guide (click in the top navigation bar in DNS Edge), which includes API documentation.