Another way to look at it.

Recursion:
  Off: DNS server can only answer queries from its local zone files.  Queries 
for any other records return no results.  Used when server is authoritative 
for Public domains (declude.com, nasa.gov)
  On:  DNS server will try to answer all Queries.  If it does not know the 
answer it will call out to other DNS servers to get the answer.
( I run both.  I have 4 non-recursive DNS servers for hosting zone files, and 2 
recursive DNS servers for workstations to point to.  )

Forwarders:  Valid only if Recursion is on.
    If Forwarder is set and DNS server does not know the answer to a query, the 
DNS server will ask the Forwarder DNS server for the answer.
    If no Forwarder is set and the DNS server does not know the answer to a 
query the DNS server will contact the Root servers and find the answer itself.

My experience with MS DNS is that forwarders are set up at installation because 
the installer assumes a blank forwarder means the DNS server will be unable to 
look up addresses.  Because DNS works with a forwarder, the setting gets left on. 
About the only time I recommend forwarders is if the site uses something like 
OpenDNS for Content Filtering, in which case all queries should go to the 
OpenDNS servers.



-----Original Message-----
From: "Sanford Whiteman" <sa...@cypressintegrated.com>
Sent 3/15/2013 8:08:14 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

> > The challenge for me is in not using forwarding. For MS DNS
> > servers, forwarding and recursion are tied together; turn off one
> > and you lose both.
>
> Incorrect. Turning off recursion turns off forwarders, but not vice versa.
> You can have a perfectly operating recursive MS DNS server that does not
> delegate recursion to any other server (forwarding amounts to delegating
> recursion, but the server as a whole is still recursive, thus the
> unidirectional relationship between the two settings). You only MUST use
> forwarders if you are not allowed to pass DNS requests out past your ISP's
> border (similar to when you have to use the ISP's outbound SMTP gateway).
>
> > So if I turn off recursion and forwarding, then all my DNS requests
> > will have to go to the root servers for resolution.
>
> No, if you turn off recursion completely, you can't get responses for
> domains that aren't on your box. No one is going to do it for you -- the
> "root servers" sure won't.
>
> > I do understand the dangers of being an open resolver
>
> You're mixing up a lot of terms here. An open resolver is one that will
> perform recursive lookups for any address on the open internet.
>
> > but I am also under the impression that resolving only through root
> > servers is bad.
>
> It's not "bad," it doesn't exist.
>
> > Since MS seems to recommend forwarding I doubt that...
> > With a stub zone, queries to URIBL.com are resolved directly through
> > the URIBL Name servers...
>
> ... and there is no reason to go down this road. If you can get DNS
> requests past your ISP, there's no reason to have forwarders.
>
> -- S.
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just
> send an E-mail to imail...@declude.com, and type "unsubscribe
> Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
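
An added example, not part of either message above: the recursion on/off distinction can be checked on your own servers from the wire, since a reply advertises recursion through the RA bit in the DNS header. The sketch below builds a query with RD set and classifies a reply for a name the server does not host; the function names and the sample reply headers are constructed for illustration. Whether a recursive server uses forwarders or root hints is not visible in the reply.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234, rd=True):
    """Encode a standard A/IN query; rd sets the Recursion Desired bit."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp):
    """Classify how a server treated a query for a name outside its zones."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    ra = bool(flags & 0x0080)      # Recursion Available
    rcode = flags & 0x000F
    if ra and rcode == 0 and an > 0:
        verdict = "recursive: resolved a name outside its own zones"
    elif ra:
        verdict = "recursion offered, but this lookup failed or was empty"
    elif rcode == 5:
        verdict = "recursion off: query refused"
    elif an == 0 and ns > 0:
        verdict = "recursion off: referral only"
    else:
        verdict = "recursion off: no recursive service advertised"
    return {"ra": ra, "rcode": RCODES.get(rcode, str(rcode)),
            "answers": an, "verdict": verdict}

def _hdr(flags, an=0, ns=0):
    """Constructed 12-byte reply header (sample data, not a capture)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, an, ns, 0)

SAMPLES = {
    "recursive": _hdr(0x8180, an=1),   # QR, RD, RA set; one answer
    "refused": _hdr(0x8105),           # QR, RD set; RA clear; REFUSED
    "referral": _hdr(0x8100, ns=13),   # QR, RD set; RA clear; NS records only
}

if __name__ == "__main__":
    for label, packet in SAMPLES.items():
        print(label, classify_response(packet))
```

To run it against a live server, send `build_query(...)` over UDP port 53 and pass the reply bytes to `classify_response`; a server that returns the "recursive" verdict to clients outside your network is an open resolver in the sense used above.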

