Hi Ben,

You'll want to set up at least two DNS servers for that.  One recursive for
mail server lookups, most likely on the mail server.  The DNS service on the
mail server should not be publicly accessible.  The other non-recursive DNS
server can be used as your nameserver and, of course, publicly accessible.
Since you need multiple nameservers anyway, this is not likely an issue.
And you'll want them on separate subnets, network connections, etc... as
much separation as you can get to avoid common points of failure.

Another reason to separate the nameservers from your web and email services
is that if you host any websites that process credit cards, PCI-DSS
compliance requires any publicly accessible DNS services on the web or email
server to have recursion turned off.

Hope this helps,

Darin.

-----Original Message-----
From: SM Admin
Sent: Saturday, March 16, 2013 1:55 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Thanks, Sandy.  Of course, if I had understood everything perfectly (or even
reasonably), I wouldn't have had to post my questions here.

On our old DNS server that ran under Windows 2000 Advanced Server, you could
actually toggle Forwarding and Recursion separately.  However, under Windows
2008 server this isn't the case.  You are correct that it's not symmetric as
I claimed, although I really did no better.  Turning off recursion from the
Advanced properties tab turns off forwarding.  Turning off forwarding I
assume is done by just not having any forwarders listed.  So what I said
previously was wrong, although I don't see where it really changes what I
was thinking about.

The challenge here is that our DNS server has two purposes: it is the
authoritative name server for a bunch of zones and it is also the primary
name server used by our mail server.

For purposes of being authoritative for our hosted zones we don't need
either recursion or forwarding.  Requests come to us, get what they need,
and then go away.  For purposes of our mail server we need our DNS server to
be recursive, at the least.

We set up forwarding to the Comcast name servers to offload server and
network traffic.  They can do all the recursion and then pass back the
results to our DNS server, which passes the results back to our mail server.
So I gather the recommendation here is to skip the forwarding and do all the
work ourselves.

I don't understand your remark about open resolver because you don't explain
where I'm wrong in my understanding.  What I understand is that if you have
a DNS server that does recursion on a public IP, then it is an open resolver
and could be attacked. Is that wrong? And if we turn off forwarding but
leave on recursion, then won't our name server still be an open resolver? It
needs to be that way so that the mail server can resolve its requests
against it.

In theory, I only need our name server to be recursive on requests from our
mail server and to be non-recursive for everyone else.  However, I haven't
seen any way to configure that.

Thanks,

Ben

-----Original Message-----
From: Sanford Whiteman
Sent: Friday, March 15, 2013 6:08 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

> The challenge for me is in not using forwarding.  For MS DNS
> servers,  forwarding and recursion are tied together; turn off one
> and you lose  both.

Incorrect. Turning off recursion turns off forwarders, but not vice
versa.

You can have a perfectly operating recursive MS DNS server that does
not delegate recursion to any other server (forwarding amounts to
delegating recursion, but the server as a whole is still recursive,
thus the unidirectional relationship between the two settings).

You only MUST use forwarders if you are not allowed to pass DNS
requests out past your ISP's border (similar to when you have to use
the ISP's outbound SMTP gateway).

> So if I turn off recursion and forwarding, then all my DNS requests
> will have to go to the root servers for resolution.

No, if you turn off recursion completely, you can't get responses for
domains that aren't on your box. No one is going to do it for you --
the "root servers" sure won't.

> I do understand the dangers of being an open resolver

You're mixing up a lot of terms here. An open resolver is one that
will perform recursive lookups for any address on the open internet.

> but I am also under the impression that resolving only through root
> servers is bad.

It's not "bad," it doesn't exist.

> Since MS seems to recommend forwarding

I doubt that...

> With a stub zone, queries to URIBL.com are resolved directly through
> the URIBL Name servers...

... and there is no reason to go down this road. If you can get DNS
requests past your ISP, there's no reason to have forwarders.

-- S.
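As an added example (not code from this thread or from any product it mentions), here is a small Python probe that applies Sanford's definition of an open resolver to Ben's question: it sends a query with the RD bit set for a name the tested server does not host and reads back the RA bit and RCODE. The probe name and the 127.0.0.1 default are placeholders you substitute for your own server and a zone hosted elsewhere.

```python
import socket
import struct

# Constructed placeholder: a name the tested server is NOT authoritative for,
# so that an answer can only come from the server recursing on our behalf.
PROBE_NAME = "example.com"
QUERY_ID = 0x1234

def build_query(name, qid=QUERY_ID):
    """Build a minimal DNS A/IN query with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # flags 0x0100 = RD
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_header(resp):
    """Extract the header fields an open-resolver check cares about."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": an}

def classify(resp):
    """Map a response to what it says about recursion on the queried server."""
    if len(resp) < 12:
        return "malformed"
    h = parse_header(resp)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == 5:                      # REFUSED: recursion denied to this client
        return "refused"
    if h["ra"] and h["rcode"] == 0 and h["answers"] > 0:
        return "open-resolver"               # it recursed for a name it does not host
    if not h["ra"]:
        return "recursion-disabled"          # RA clear: server will not recurse
    return "inconclusive"

def check_server(server, name=PROBE_NAME, timeout=3.0):
    """Send one UDP probe to the given DNS server and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-response"
    if len(resp) >= 12 and parse_header(resp)["id"] != QUERY_ID:
        return "id-mismatch"
    return classify(resp)

if __name__ == "__main__":
    import sys
    print(check_server(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it once from inside your network and once from an outside address: a server that is "recursion-disabled" or "refused" from outside but "open-resolver" from the mail server's subnet is the split Ben describes.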



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.