Just thinking out loud:
> There is only about 1000 endpoints of various types, from residential
Having worked with Unbound and dnsmasq, I would say the proverb "right
tool for the right job" applies. I would guess not all 1000 endpoints
are on one subnet, maybe half-dozen, correct? If you had dnsmasq running
an instance for each subnet, then that might be a bit more reasonable.
If you want just one VM and one server, then I might suggest Unbound.
It's as easy to configure, and you can just recurse the global Internet
instead of forward (or forward or both or whatever). If you don't
DHCP-DNS in one, then Unbound is going to work for you.
> It only came about because I noticed the quantity of traffic to other
resolvers was a lot more than I expected and I guessed caching would
improve the experience for the end users.
That depends on a lot of things. Statistics would need to be collected
to be sure. Compare common cache queries that expire versus unique
queries. If your cache pushes "google.com" out, then that may be a
problem. If it's all the click bait on news sites creating unique DNS
lookups to a rotating army of ad-sites, then there isn't much to do.
> The only things I use are setting minimum cache ttl to 30 mins...
That is pushing the edge for certain cases. Server rotation may make
some clients' connectivity go dead for that 30 mins. Small business
customers with small business web-site/email providers can suffer worse
when small business server farm providers make things "difficult."
Hope it helps.
Dnsmasq-discuss mailing list
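The "collect statistics first" advice above can be checked against dnsmasq's own `log-queries` output. The following is an added example, not code from the post or from dnsmasq: it replays query lines through a simulated cache with a chosen TTL and reports how many lookups would have been answered from cache versus how many names were one-off. The log lines are constructed to match dnsmasq's syslog-style query format; the hostnames and addresses are invented.

```python
"""Estimate cache usefulness from dnsmasq 'log-queries' lines (added example)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log; names and client addresses are invented.
SAMPLE_LOG = """\
Mar  3 09:00:01 gw dnsmasq[812]: query[A] www.example.com from 10.0.1.20
Mar  3 09:00:02 gw dnsmasq[812]: query[A] mail.example.com from 10.0.1.21
Mar  3 09:00:05 gw dnsmasq[812]: query[A] www.example.com from 10.0.2.7
Mar  3 09:00:09 gw dnsmasq[812]: query[A] a1b2c3.ads.example.net from 10.0.1.20
Mar  3 09:00:11 gw dnsmasq[812]: query[A] www.example.com from 10.0.3.14
Mar  3 09:00:15 gw dnsmasq[812]: query[A] d4e5f6.ads.example.net from 10.0.1.22
Mar  3 09:00:20 gw dnsmasq[812]: query[AAAA] www.example.com from 10.0.1.22
Mar  3 09:00:40 gw dnsmasq[812]: query[A] mail.example.com from 10.0.1.21
"""

# Only 'query[...]' lines matter; 'cached', 'forwarded' and 'reply' lines are skipped.
QUERY_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)$")

def parse_queries(log_text, year=2024):
    """Yield (timestamp, qtype, name, client) for each query line; syslog has no year."""
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m.group(1).split())  # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2), m.group(3).lower(), m.group(4)

def cache_report(log_text, ttl_seconds):
    """Replay queries through a cache that keeps each (qtype, name) for ttl_seconds.

    Returns hit/miss counts plus how many names were looked up only once,
    i.e. the one-off traffic no cache setting can help with."""
    expires = {}
    hits = misses = 0
    per_name = Counter()
    for ts, qtype, name, _client in parse_queries(log_text):
        key = (qtype, name)
        per_name[name] += 1
        if key in expires and ts < expires[key]:
            hits += 1
        else:
            misses += 1
            expires[key] = ts + timedelta(seconds=ttl_seconds)
    one_off = sum(1 for count in per_name.values() if count == 1)
    return {"queries": hits + misses, "hits": hits, "misses": misses,
            "names": len(per_name), "one_off_names": one_off}

if __name__ == "__main__":
    for ttl in (30, 1800):
        print(ttl, cache_report(SAMPLE_LOG, ttl))
```

Run it against a real log with a few TTL values: if hits barely move as the TTL grows while one-off names dominate, a longer minimum TTL buys little and only adds the stale-record risk described above.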