> That's when the JM scores got so high. I'm testing a different
> config now: allow recursion on the Forwarders tab, but disable it on
> the Advanced tab. I won't know if this works until I get some
> messages. In the meanwhile, can anyone explain this to me?

You _must_ allow recursion for the Declude server, or it will not be able to resolve zones for which it is not authoritative (i.e. every domain you do not own). You do not need to allow recursion for the wild Internet, however. But MS DNS has a weakness (not a security weakness exactly, but more of a functional one) in that recursion is either on or off, globally, for the DNS service. This means that if you are hosting authoritative zones on the box, and thus need to expose the box to the outside world, and that same box is providing recursive DNS to internal servers or users, then you are effectively providing recursive DNS to the outside world as well (if someone should choose to abuse you for this purpose).

The way around this is to use SimpleDNS or BIND on the server you expose to the outside, which both have means of limiting recursion without completely disabling it.

The simplest install, to my mind, without a full migration off MS DNS (a full migration causing soluble, but unfun, issues in AD domains), is to run SimpleDNS and MS DNS on the same box by binding each one to a different IP. Expose SimpleDNS without recursion and make it a secondary for the authoritative zones. Keep MS DNS as your primary and as your internal recursive DNS. Done.

--Sandy

------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail".
The archives can be found at http://www.mail-archive.com.