If you're that small - how many PUBLIC domains do you have to be authoritative 
for? What is the change frequency in a year, that you need this to be on your 
local DNS?

For redundancy and availability purposes, why not host your public DNS at your 
registry, block incoming DNS queries at your border router/firewall - and set 
up your strictly IN-HOUSE DNS server recursive?

-----Original Message-----
From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Saturday, March 16, 2013 2:04 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Very succinct. But I need further explanation...

Forget forwarding. We'd like to keep it to off-load the server and network 
traffic, but we can live without.  However, I need one server to be both 
recursive for our mail server and non-recursive for our authoritative zones.
We don't have to worry about our internal workstations because those I can set 
up to directly use the Comcast DNS servers (small network so I don't need 
internal DNS).  But the mail server presents us the same kind of problem.

The perfect solution would be a setting that tells the MS DNS server to accept 
recursive requests only from specified client IPs, but I don't see any way to 
do that.  Any ideas?

Thanks,

Ben

-----Original Message-----
From: Scott Fosseen
Sent: Friday, March 15, 2013 10:33 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Another way to look at it.

Recursion:
  Off: DNS server can only answer queries from its local zone files.
Queries for any other records return no results.  Used when server is 
authoritative for Public domains (declude.com, nasa.gov).
  On:  DNS server will try to answer all Queries.  If it does not know the 
answer it will call out to other DNS servers to get the answer.
(I run both.  I have 4 non-recursive DNS servers for hosting zone files, and 2 
recursive DNS servers for workstations to point to.)

Forwarders:  Valid only if Recursion is on.
    If Forwarder is set and DNS server does not know the answer to a query, the 
DNS server will ask the Forwarder DNS server for the answer.
    If no Forwarder is set and the DNS server does not know the answer to a 
query the DNS server will contact the Root servers and find the answer itself.

My experience with MS DNS is that forwarders are set up at installation because 
the installer assumes a blank forwarder means the DNS server will be unable to 
look up addresses.  Because DNS works with a forwarder the setting gets left on. 
About the only time I recommend forwarders is if the site uses something like 
OpenDNS for Content Filtering, in which case all queries should go to the 
OpenDNS servers.



-----Original Message-----
From: "Sanford Whiteman" <sa...@cypressintegrated.com>
Sent: 3/15/2013 8:08:14 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

> > The challenge for me is in not using forwarding. For MS DNS
> > servers, forwarding and recursion are tied together; turn off one
> > and you lose both.
>
> Incorrect. Turning off recursion turns off forwarders, but not vice
> versa. You can have a perfectly operating recursive MS DNS server
> that does not delegate recursion to any other server (forwarding
> amounts to delegating recursion, but the server as a whole is still
> recursive, thus the unidirectional relationship between the two
> settings). You only MUST use forwarders if you are not allowed to
> pass DNS requests out past your ISP's border (similar to when you
> have to use the ISP's outbound SMTP gateway).
>
> > So if I turn off recursion and forwarding, then all my DNS requests
> > will have to go to the root servers for resolution.
>
> No, if you turn off recursion completely, you can't get responses for
> domains that aren't on your box. No one is going to do it for you --
> the "root servers" sure won't.
>
> > I do understand the dangers of being an open resolver
>
> You're mixing up a lot of terms here. An open resolver is one that
> will perform recursive lookups for any address on the open internet.
>
> > but I am also under the impression that resolving only through root
> > servers is bad.
>
> It's not "bad," it doesn't exist.
>
> > Since MS seems to recommend forwarding I doubt that...
> > With a stub zone, queries to URIBL.com are resolved directly through
> > the URIBL Name servers...
>
> ... and there is no reason to go down this road. If you can get DNS
> requests past your ISP, there's no reason to have forwarders.
>
> -- S.
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to imail...@declude.com, and type
> "unsubscribe Declude.JunkMail". The archives can be found at
> http://www.mail-archive.com.
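
Added example (not part of the thread, and not code from any of the posters): a Python check for the behaviour discussed above, recursion on versus off and what makes a resolver "open". It sends an out-of-zone query with the recursion-desired bit set to a DNS server you operate and reads the RA flag and RCODE from the reply header; the function names and the sample reply headers are constructed for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Encode an A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def classify(response):
    """Classify a reply to an out-of-zone query from its 12-byte header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    ra = bool(flags & 0x0080)          # RA: server offers recursion
    rcode = flags & 0x000F
    if rcode == 5:
        verdict = "recursion refused for this client"
    elif ra and (ancount > 0 or rcode == 3):
        verdict = "recursive answer given: open resolver if client is external"
    elif not ra:
        verdict = "recursion off: answers only from local zones"
    else:
        verdict = "inconclusive"
    return {"ra": ra, "rcode": RCODES.get(rcode, str(rcode)),
            "answers": ancount, "verdict": verdict}

def probe(server, name, timeout=3.0):
    """Send the query over UDP/53 to a server you operate and classify it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recvfrom(512)[0])

def sample(flags, ancount):
    """Constructed reply header (not captured traffic) for offline use."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    for label, reply in [("recursive", sample(0x8180, 1)),
                         ("non-recursive", sample(0x8100, 0)),
                         ("refused", sample(0x8105, 0))]:
        print(label, classify(reply))
```

Run `probe()` once from the mail server and once from a host outside the border: a recursive answer should appear only in the first case.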

