Test suggestions
- qname minimization - test with forwarding when the ISP is messing with DNS (inspiration from https://gitlab.labs.nic.cz/turris/openwrt/issues/236)
- test TCP blocking on port 53
- Test max packet length - related to EDNS (some firewalls assume max DNS packet length 512 bytes)
- Test DNSSEC validation of wildcard record on NSEC3 signed domain (it was a bug in BIND < 9.9.0)
- Test DNS-over-TLS - It's a new protocol but it sounds reasonable (from ISPs as we know them :-) ) to block that. Test could be some equivalent of openssl s_client -connect '1.1.1.1:853'
- redirection of all packets on port 53 to recursive resolver - https://gitlab.labs.nic.cz/knot/deckard/issues/39#note_95910
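
A sketch of how the "max packet length" and "TCP blocking on port 53" checks above could be probed. This is an added example, not code from the project. The function names and result labels are made up for illustration, and the tester is assumed to supply a server and a query name whose answer is known to exceed 512 bytes.

```python
import socket
import struct

def build_query(name, qtype=16, edns_size=None, txid=0x1234):
    """Build a DNS query (default TXT); if edns_size is set, append an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    if edns_size:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return msg

def classify(response):
    """Interpret the reply to a query that advertised a large EDNS buffer."""
    if response is None:
        return "dropped"            # nothing arrived: large answers may be filtered
    if len(response) < 12:
        return "malformed"
    flags = struct.unpack("!H", response[2:4])[0]
    if flags & 0x0200:              # TC bit: client has to retry over TCP/53
        return "truncated"
    return "large-ok" if len(response) > 512 else "small-ok"

def probe_udp(server, name, edns_size=4096, timeout=3.0):
    """Send one EDNS query over UDP/53 and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, edns_size=edns_size), (server, 53))
        try:
            return classify(s.recvfrom(65535)[0])
        except socket.timeout:
            return classify(None)

def probe_tcp(server, name, timeout=3.0):
    """Same query over TCP/53 (2-byte length prefix); False means TCP looks blocked."""
    q = build_query(name)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            return len(s.recv(2)) == 2
    except OSError:
        return False
```

A "dropped" or "truncated" UDP result combined with `probe_tcp` returning False is the failing combination: large answers cannot arrive over UDP and the TCP fallback is unavailable.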