Resolver allows cache snooping by default
By default, all requests without the RD bit are satisfied from cache or answered with SERVFAIL.
This can be a privacy issue in smaller networks as it allows checking whether a certain name has been asked or not.
Unbound, for example, doesn't enable allow_snoop by default, so it'd be nice to do that (or at least have an option to turn it off): https://www.unbound.net/documentation/unbound.conf.html
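
The policy requested above, sketched as an added example (not code from this report or from either resolver): queries without the RD bit are served from cache only for clients in an explicit snoop ACL and are refused for everyone else, modelled on Unbound's distinction between allow and allow_snoop. The function names, the ACL contents and the sample queries are assumptions constructed for illustration.

```python
import ipaddress
import struct

QR_FLAG = 0x8000        # response bit
OPCODE_MASK = 0x7800
RD_FLAG = 0x0100        # Recursion Desired
RCODE_REFUSED = 5

# Hypothetical ACL: netblocks allowed to send non-recursive (cache-only) queries.
SNOOP_ALLOWED = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("::1/128")]

def parse_header(msg: bytes):
    """Return (id, flags) from the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!HH", msg[:4])

def may_snoop(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in SNOOP_ALLOWED)

def decide(query: bytes, client_ip: str) -> str:
    """'recurse' for RD=1, 'cache_only' for RD=0 from the ACL, else 'refuse'."""
    _qid, flags = parse_header(query)
    if flags & RD_FLAG:
        return "recurse"
    return "cache_only" if may_snoop(client_ip) else "refuse"

def refused_response(query: bytes) -> bytes:
    """Header-only REFUSED reply: same for cached and uncached names."""
    qid, flags = parse_header(query)
    rflags = QR_FLAG | (flags & OPCODE_MASK) | (flags & RD_FLAG) | RCODE_REFUSED
    return struct.pack("!HHHHHH", qid, rflags, 0, 0, 0, 0)

def build_query(qid: int, name: str, rd: bool) -> bytes:
    """Constructed sample input: a single-question A/IN query."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", qid, RD_FLAG if rd else 0, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    probe = build_query(0x1234, "example.com", rd=False)   # constructed probe
    for ip in ("192.0.2.10", "127.0.0.1"):
        print(ip, decide(probe, ip))
    print(refused_response(probe).hex())
```

Because the refusal does not depend on cache contents, a client outside the ACL cannot distinguish a cached name from an uncached one.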