Very succinct. But I need further explanation...

Forget forwarding. We'd like to keep it to off-load the server and network
traffic, but we can live without.  However, I need one server to be both
recursive for our mail server and non-recursive for our authoritative zones.
We don't have to worry about our internal workstations because those I can
set up to directly use the Comcast DNS servers (small network so I don't
need internal DNS).  But the mail server presents us the same kind of
problem.

The perfect solution would be a setting that tells the MS DNS server to
accept recursive requests only from specified client IPs, but I don't see
any way to do that.  Any ideas?

Thanks,

Ben

-----Original Message-----
From: Scott Fosseen
Sent: Friday, March 15, 2013 10:33 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Another way to look at it.

Recursion:
  Off: DNS server can only answer queries from its local zone files.
Queries for any other records return no results.  Used when server is
authoritative for Public domains (declude.com, nasa.gov)
  On:  DNS server will try to answer all Queries.  If it does not know the
answer it will call out to other DNS servers to get the answer.
( I run both.  I have 4 non-recursive DNS servers for hosting zone files,
and 2 recursive DNS servers for workstations to point to.  )

Forwarders:  Valid only if Recursion is on.
    If Forwarder is set and DNS server does not know the answer to a query,
the DNS server will ask the Forwarder DNS server for the answer.
    If no Forwarder is set and the DNS server does not know the answer to a
query the DNS server will contact the Root servers and find the answer
itself.

My experience with MS DNS is that forwarders are set up at installation
because the installer assumes a blank forwarder means the DNS server will be
unable to look up addresses.  Because DNS works with a forwarder the setting
gets left on.  About the only time I recommend forwarders is if the site
uses something like OpenDNS for Content Filtering, in which case all queries
should go to the OpenDNS servers.



-----Original Message-----
From: "Sanford Whiteman" <sa...@cypressintegrated.com>
Sent 3/15/2013 8:08:14 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

> > The challenge for me is in not using forwarding. For MS DNS
> > servers, forwarding and recursion are tied together; turn off one
> > and you lose both.
>
> Incorrect. Turning off recursion turns off forwarders, but not vice
> versa. You can have a perfectly operating recursive MS DNS server that
> does not delegate recursion to any other server (forwarding amounts to
> delegating recursion, but the server as a whole is still recursive, thus
> the unidirectional relationship between the two settings). You only MUST
> use forwarders if you are not allowed to pass DNS requests out past your
> ISP's border (similar to when you have to use the ISP's outbound SMTP
> gateway).
>
> > So if I turn off recursion and forwarding, then all my DNS requests
> > will have to go to the root servers for resolution.
>
> No, if you turn off recursion completely, you can't get responses for
> domains that aren't on your box. No one is going to do it for you -- the
> "root servers" sure won't.
>
> > I do understand the dangers of being an open resolver
>
> You're mixing up a lot of terms here. An open resolver is one that will
> perform recursive lookups for any address on the open internet.
>
> > but I am also under the impression that resolving only through root
> > servers is bad.
>
> It's not "bad," it doesn't exist.
>
> > Since MS seems to recommend forwarding
>
> I doubt that...
>
> > With a stub zone, queries to URIBL.com are resolved directly through
> > the URIBL Name servers...
>
> ... and there is no reason to go down this road. If you can get DNS
> requests past your ISP, there's no reason to have forwarders.
>
> -- S.
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to imail...@declude.com, and type
> "unsubscribe Declude.JunkMail". The archives can be found at
> http://www.mail-archive.com.
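
An added example, not part of any message in this thread: a Python check for how a DNS server treats a recursive query, so that a setup like the one discussed (recursion for the mail server only, none for the open internet) can be verified from each vantage point. The function names and the sample reply headers are constructed for illustration; `probe` assumes UDP port 53 is reachable and should be given a name in a zone the server does not host.

```python
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # DNS header flag bits (RFC 1035)
NOERROR, NXDOMAIN, REFUSED = 0, 3, 5  # response codes used below

def build_query(name, qid=0x1234):
    """Encode an A query for `name` with RD=1, i.e. asking the server to recurse."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response, qid=0x1234):
    """Say how the server handled a recursive query for a zone it does not host."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != qid or not flags & QR:
        raise ValueError("not a reply to our query")
    rcode = flags & 0x000F
    if rcode == REFUSED:
        return "refused"            # server declined this client outright
    if not flags & RA:
        return "non-recursive"      # referral or empty answer, no recursion offered
    if rcode in (NOERROR, NXDOMAIN):
        return "recursive"          # server resolved the name on our behalf
    return "inconclusive"           # e.g. SERVFAIL with RA set

def probe(server, name, timeout=3.0):
    """Send the query over UDP from this host's address and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recv(512))

# Constructed 12-byte reply headers (sample data, not captured traffic).
SAMPLES = {
    "answer with RA set": b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00",
    "REFUSED":            b"\x12\x34\x81\x05\x00\x01\x00\x00\x00\x00\x00\x00",
    "referral, RA clear": b"\x12\x34\x81\x00\x00\x01\x00\x00\x00\x0d\x00\x00",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {classify(raw)}")
```

Run `probe` once from the mail server and once from an address outside the network: the first should report "recursive", the second "refused" or "non-recursive"; "recursive" from outside means the server is an open resolver.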

