Very succinct. But I need further explanation... Forget forwarding. We'd like to keep it to off-load the server and network traffic, but we can live without. However, I need one server to be both recursive for our mail server and non-recursive for our authoritative zones. We don't have to worry about our internal workstations because those I can set up to directly use the Comcast DNS servers (small network so I don't need internal DNS). But the mail server presents us the same kind of problem.
The perfect solution would be a setting that tells the MS DNS server to accept recursive requests only from specified client IPs, but I don't see any way to do that. Any ideas?

Thanks,
Ben

-----Original Message-----
From: Scott Fosseen
Sent: Friday, March 15, 2013 10:33 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Another way to look at it.

Recursion:
  Off: DNS server can only answer queries from its local zone files. Queries for any other records return no results. Used when server is authoritative for Public domains (declude.com, nasa.gov)
  On: DNS server will try to answer all Queries. If it does not know the answer it will call out to other DNS servers to get the answer.

(I run both. I have 4 non-recursive DNS servers for hosting zone files, and 2 recursive DNS servers for workstations to point to.)

Forwarders:
  Valid only if Recursion is on. If Forwarder is set and DNS server does not know the answer to a query, the DNS server will ask the Forwarder DNS server for the answer. If no Forwarder is set and the DNS server does not know the answer to a query the DNS server will contact the Root servers and find the answer itself.

My experience with MS DNS is that forwarders are set up at installation because the installer assumes a blank forwarder means the DNS server will be unable to look up addresses. Because DNS works with a forwarder the setting gets left on.

About the only time I recommend forwarders is if the site uses something like OpenDNS for Content Filtering, in which case all queries should go to the OpenDNS servers.

-----Original Message-----
From: "Sanford Whiteman" <sa...@cypressintegrated.com>
Sent: 3/15/2013 8:08:14 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

> The challenge for me is in not using forwarding. For MS DNS servers,
> forwarding and recursion are tied together; turn off one and you lose
> both.

Incorrect.
Turning off recursion turns off forwarders, but not vice versa. You can have a perfectly operating recursive MS DNS server that does not delegate recursion to any other server (forwarding amounts to delegating recursion, but the server as a whole is still recursive, thus the unidirectional relationship between the two settings). You only MUST use forwarders if you are not allowed to pass DNS requests out past your ISP's border (similar to when you have to use the ISP's outbound SMTP gateway).

> So if I turn off recursion and forwarding, then all my DNS requests
> will have to go to the root servers for resolution.

No, if you turn off recursion completely, you can't get responses for domains that aren't on your box. No one is going to do it for you -- the "root servers" sure won't.

> I do understand the dangers of being an open resolver

You're mixing up a lot of terms here. An open resolver is one that will perform recursive lookups for any address on the open internet.

> but I am also under the impression that resolving only through root
> servers is bad.

It's not "bad," it doesn't exist.

> Since MS seems to recommend forwarding

I doubt that...

> With a stub zone, queries to URIBL.com are resolved directly through
> the URIBL Name servers...

... and there is no reason to go down this road. If you can get DNS requests past your ISP, there's no reason to have forwarders.

-- S.

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
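
An added example, not part of the thread or any poster's code: a Python check that sends a recursion-desired query and reads the RA flag and RCODE of the reply, which lets you confirm from an outside address whether a server you run acts as the open resolver defined above. The query name example.com, the function names and the sample response headers are constructed for illustration.

```python
import socket
import struct

RD, RA, QR = 0x0100, 0x0080, 0x8000   # DNS header flag bits (RFC 1035)

def build_query(name, qid=0x1234):
    """A-record query for `name` with RD (recursion desired) set."""
    header = struct.pack("!6H", qid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", 1, 1)   # QTYPE=A, QCLASS=IN

def classify(resp, qid=0x1234):
    """Say how a server handled a recursive query for a zone it does not host."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", resp[:12])
    if rid != qid or not flags & QR:
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"              # REFUSED: policy denied this client
    if flags & RA and rcode == 0 and ancount:
        return "recursed"             # it fetched the answer for us
    if flags & RA:
        return "recursion-offered"    # RA set, lookup itself failed or was empty
    return "not-recursive"            # RA clear: local zones only, or a referral

def probe(server, name="example.com", timeout=3.0):
    """Send the query over UDP to a server you operate; run from an outside address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return classify(s.recv(512))
        except socket.timeout:
            return "no-response"

def sample(flags, ancount=0, qid=0x1234):
    """Constructed 12-byte response header, for offline checks."""
    return struct.pack("!6H", qid, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    for label, resp in [("recursion on", sample(QR | RD | RA, 1)),
                        ("recursion off", sample(QR | RD)),
                        ("refused by ACL", sample(QR | RD | 5))]:
        print(label, "->", classify(resp))
```

A result of "recursed" or "recursion-offered" for a query sent from outside your own address space means the server is offering recursion to the open internet; "refused" or "not-recursive" is what an authoritative-only server should return to strangers.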