NSA advises companies to avoid third party DNS resolvers

Discussion in 'privacy problems' started by Minimalist, Jan 14, 2021.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
  2. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    I understand why US government agencies are told to use a US government-backed DNS service, but the advice for enterprise networks is weird to me. SOHO, small and medium companies have really small IT resources, so operating a crucial DNS service in a secure manner is quite a burden. Mind you, you can chain recursive DNS resolvers, so internal domains may be resolved locally, but all others by an external, third-party service. That external service also does some blocklist (threat feed)-based filtering and secures against some types of attacks on the DNS system.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Appears to me that a 3rd party DNS resolver is OK as long as it uses encrypted DNS; e.g. Cloudflare, etc.
     
  4. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    Externally hosted but owned and operated by enterprise staff.

    I will read the rest of it later to check whether chaining an enterprise DNS resolver to a third party is allowed.
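
The chained setup discussed in this thread, as an added example that is not part of any poster's message: an Unbound configuration that resolves an internal zone locally and forwards everything else to a third-party resolver over DNS-over-TLS. The zone name `corp.example`, the 10.0.0.x addresses and the CA bundle path are assumptions; Cloudflare is used only because it is the resolver named above.

```conf
# unbound.conf (constructed example; zone name and internal addresses are placeholders)
server:
    # Listen only on the internal resolver address (assumed)
    interface: 10.0.0.53
    # Answer internal clients, refuse everyone else
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # CA bundle used to authenticate the upstream resolver's TLS certificate
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # The internal zone is assumed to be unsigned, so skip DNSSEC validation for it
    domain-insecure: "corp.example."

# Internal names: sent to the organisation's own authoritative server
stub-zone:
    name: "corp.example."
    stub-addr: 10.0.0.10

# All other names: forwarded to the third-party resolver over DNS-over-TLS (port 853).
# The name after '#' is checked against the upstream's certificate.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

With this layout, queries for internal names never leave the network. The third-party resolver still sees every external query; encryption only protects the path to it.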
     