Another way to look at it.

Recursion:

Off: DNS server can only answer queries from its local zone files. Queries for any other records return no results. Used when the server is authoritative for public domains (declude.com, nasa.gov).

On: DNS server will try to answer all queries. If it does not know the answer, it will call out to other DNS servers to get the answer.

(I run both. I have 4 non-recursive DNS servers for hosting zone files, and 2 recursive DNS servers for workstations to point to.)

Forwarders:

Valid only if Recursion is on.

If a Forwarder is set and the DNS server does not know the answer to a query, the DNS server will ask the Forwarder DNS server for the answer.

If no Forwarder is set and the DNS server does not know the answer to a query, the DNS server will contact the Root servers and find the answer itself.

My experience with MS DNS is that forwarders are set up at installation because the installer assumes a blank forwarder means the DNS server will be unable to look up addresses. Because DNS works with a forwarder, the setting gets left on. About the only time I recommend forwarders is if the site uses something like OpenDNS for Content Filtering, in which case all queries should go to the OpenDNS servers.

-----Original Message-----
From: "Sanford Whiteman" <sa...@cypressintegrated.com>
Sent 3/15/2013 8:08:14 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

> The challenge for me is in not using forwarding. For MS DNS servers,
> forwarding and recursion are tied together; turn off one and you lose both.
>
> Incorrect. Turning off recursion turns off forwarders, but not vice versa.
> You can have a perfectly operating recursive MS DNS server that does not
> delegate recursion to any other server (forwarding amounts to delegating
> recursion, but the server as a whole is still recursive, thus the
> unidirectional relationship between the two settings). You only MUST use
> forwarders if you are not allowed to pass DNS requests out past your ISP's
> border (similar to when you have to use the ISP's outbound SMTP gateway).
>
> So if I turn off recursion and forwarding, then all my DNS requests will
> have to go to the root servers for resolution.
>
> No, if you turn off recursion completely, you can't get responses for
> domains that aren't on your box. No one is going to do it for you -- the
> "root servers" sure won't.
>
> I do understand the dangers of being an open resolver
>
> You're mixing up a lot of terms here. An open resolver is one that will
> perform recursive lookups for any address on the open internet.
>
> but I am also under the impression that resolving only through root
> servers is bad.
>
> It's not "bad," it doesn't exist.
>
> Since MS seems to recommend forwarding I doubt that...
>
> With a stub zone, queries to URIBL.com are resolved directly through
> the URIBL Name servers...
>
> ... and there is no reason to go down this road. If you can get DNS
> requests past your ISP, there's no reason to have forwarders.
>
> -- S.
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
> just send an E-mail to imail...@declude.com, and type "unsubscribe
> Declude.JunkMail". The archives can be found at http://www.mail-archive.com.