[pbarnes_1]

Do queries to github.net stay internal or do you also sync github.net zones to Route53/Dynect ... just in case?

We have a similar setup with unbound and nsd (no need for powerdns for us). Even then it took a while to get it right because JVM apps especially love to hang for no reason doing NS lookups. You also need to specify -Dnetworkaddress.cache.ttl= etc since they don't listen to TTLs.

Running unbound on every single machine has saved us a lot of downtime.

[logicalstack]

Nearly all of our internal zones are internal and not sync'd to an external provider. In a few cases we need to perform lookups of internal zones external to our network and those zones live both internal and external.