> The challenge for me is in not using forwarding.  For MS DNS
> servers,  forwarding and recursion are tied together; turn off one
> and you lose  both.

Incorrect. Turning off recursion turns off forwarders, but not vice

You can have a perfectly operating recursive MS DNS server that does
not delegate recursion to any other server (forwarding amounts to
delegating recursion, but the server as a whole is still recursive,
thus the unidirectional relationship between the two settings).

You only MUST use forwarders if you are not allowed to pass DNS
requests out past your ISP's border (similar to when you have to use
the ISP's outbound SMTP gateway).

> So if I turn off recursion and forwarding, then all my DNS requests
> will have to go to the root servers for resolution.

No, if you turn off recursion completely, you can't get responses for
domains that aren't on your box. No one is going to do it for you --
the "root servers" sure won't.

> I do understand the dangers of being an open resolver

You're mixing up a lot of terms here. An open resolver is one that
will perform recursive lookups for any address on the open internet.

> but I am also under the impression that resolving only through root
> servers is bad.

It's not "bad," it doesn't exist.

> Since MS seems to recommend forwarding

I doubt that...

> With a stub zone, queries to URIBL.com are resolved directly through
> the URIBL Name servers...

... and there is no reason to go down this road. If you can get DNS
requests past your ISP, there's no reason to have forwarders.

-- S.
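The reply distinguishes a server that performs recursion from one that delegates it via forwarders, and mentions the open-resolver risk. At the protocol level the thing to look at is the RA ("recursion available") flag the server sets in its response header: a server that will recurse for you sets RA=1, one that will not leaves RA=0 (often with RCODE REFUSED). The following stdlib-only script is an added example, not code from the thread; it builds a query with RD=1, sends it to a server whose address you supply (the address and the `example.com` test name are assumptions), and reports whether that server offers recursion to the host you ran it from. Run it against your own MS DNS server from an outside vantage point to confirm it is not an open resolver.

```python
"""Probe a DNS server for the RA flag: does it offer recursion to this client?
Added example using only the Python standard library; the server address,
the test name and UDP/53 reachability are assumptions."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Build a standard query with RD=1 (flags 0x0100) for one A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"                       # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN


def parse_flags(response: bytes) -> dict:
    """Decode the header fields that show whether recursion was offered."""
    if len(response) < 12:
        raise ValueError("short DNS response")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),       # response bit
        "aa": bool(flags & 0x0400),       # authoritative answer
        "rd": bool(flags & 0x0100),       # recursion desired (echoed)
        "ra": bool(flags & 0x0080),       # recursion available
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def classify(result: dict) -> str:
    """Turn the flag combination into a verdict for this client."""
    if result["ra"] and result["rcode"] in ("NOERROR", "NXDOMAIN"):
        return "recursive-for-this-client"
    if not result["ra"] or result["rcode"] == "REFUSED":
        return "no-recursion-for-this-client"
    return "inconclusive"


def probe(server: str, name: str = "example.com", timeout: float = 3.0) -> dict:
    """Send one RD=1 query over UDP and classify the server's response."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    result = parse_flags(data)
    if result["id"] != txid:               # discard mismatched/spoofed replies
        raise ValueError("transaction id mismatch")
    result["verdict"] = classify(result)
    return result


if __name__ == "__main__":
    import sys
    # Assumed default: your own server's address goes on the command line.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A query for a name the server is not authoritative for is the meaningful test: a server that is recursive for you answers with RA=1 and an answer or NXDOMAIN, while one that denies you recursion answers RA=0 (REFUSED or a referral) regardless of whether it forwards or walks the root hints itself, which is exactly the distinction the reply draws.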

