> The challenge for me is in not using forwarding. For MS DNS > servers, forwarding and recursion are tied together; turn off one > and you lose both.
Incorrect. Turning off recursion turns off forwarders, but not vice versa. You can have a perfectly operating recursive MS DNS server that does not delegate recursion to any other server (forwarding amounts to delegating recursion, but the server as a whole is still recursive, thus the unidirectional relationship between the two settings). You only MUST use forwarders if you are not allowed to pass DNS requests out past your ISP's border (similar to when you have to use the ISP's outbound SMTP gateway). > So if I turn off recursion and forwarding, then all my DNS requests > will have to go to the root servers for resolution. No, if you turn off recursion completely, you can't get responses for domains that aren't on your box. No one is going to do it for you -- the "root servers" sure won't. > I do understand the dangers of being an open resolver You're mixing up a lot of terms here. An open resolver is one that will perform recursive lookups for any address on the open internet. > but I am also under the impression that resolving only through root > servers is bad. It's not "bad," it doesn't exist. > Since MS seems to recommend forwarding I doubt that... > With a stub zone, queries to URIBL.com are resolved directly through > the URIBL Name servers... ... and there is no reason to go down this road. If you can get DNS requests past your ISP, there's no reason to have forwarders. -- S. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.