1.  If you have zones for which you are authoritative, you must allow
traffic on UDP and TCP port 53 from public DNS Clients, to allow lookups for
your zones.

Of course, auth NS, recursion disabled, must permit port 53 access.


2.  If you have DNS Clients that need to do public DNS lookups (lookups of
zones for which your MSDNS servers are non-authoritative), AND you want to
use the same MSDNS servers that are serving your authoritative zones, you
must enable recursion on your MSDNS servers.

Best security, any brand of DNS, is to have 2 DNS servers: one is auth only, the other is recursive only.

3.  Allowing recursion on authoritative servers for the public Internet is
not recommended.

It's a vulnerability for being DoSed with 1000s of recursive queries, and filling up your cache with junk queries, positive and negative. But I really haven't heard of many attacks of this nature.


5.  Given the rules, the best solutions are (1) Have public, non-recursive
MSDNS servers for your authoritative zones

yep

, and set up private recursive
MSDNS servers for your internal use

... while firewall blocking access from Internet

, or (2) Use DNS server software OTHER
than MSDNS to do the job(s).

another option

Even with BIND that can handle internal/external views, ACLs, etc., the best is auth DNS no recursion, and another DNS for recursion-only.

I'm sure there are DNS-huh? lurkers here, so some jargon:

1. "authoritative" DNS is one that answers queries for domains for which it holds the authoritative data (zone files). Any recursive queries are answered with a referral (for the querier to go query elsewhere). There is no answer caching in the operation of an authoritative DNS.

2. "recursive" DNS is one that accepts and resolves queries (by querying the Internet until an answer is found) for domains for which the DNS is itself not authoritative. Recursive DNS involves caching answers.

Len
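A small audit script to confirm which role a server actually plays, added here as an example and not part of Len's post or the list's material: it sends a recursion-desired query for a name the server is assumed not to host (www.example.com is a placeholder) and classifies the reply by the RA flag and RCODE, distinguishing a recursive answer from the referral or REFUSED that an auth-only server should return.

```python
import os
import socket
import struct

# Constructed sample name; replace with a name outside the zones your server hosts.
PROBE_NAME = "www.example.com"


def build_query(name, qtype=1):
    """Build a minimal DNS query (class IN) with the RD bit set, as a stub resolver would."""
    txid = os.urandom(2)
    # flags 0x0100 = RD only; one question, no answer/authority/additional records
    header = txid + struct.pack(">HHHHH", 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def classify_response(resp):
    """Classify a reply to a recursion-desired query for a zone the server is not authoritative for.

    Only the 12-byte header is inspected: RA says whether the server offers recursion,
    RCODE 5 means REFUSED, and an empty answer section with authority records is a referral.
    """
    if len(resp) < 12:
        return "malformed"
    _txid, flags, _qd, an, ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    ra = bool(flags & 0x0080)
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"            # server will not serve this query at all
    if ra:
        return "recursion-available"  # server is acting as a recursive resolver for us
    if an == 0 and ns > 0:
        return "referral"           # auth-only behaviour: "go ask these servers instead"
    return "no-recursion"


def probe(server, name=PROBE_NAME, timeout=3.0):
    """Send the probe over UDP/53 and return the classification (network call, hypothetical helper)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        resp, _ = s.recvfrom(4096)
    # Ignore a reply whose transaction ID does not match our query.
    if resp[:2] != query[:2]:
        return "mismatched-id"
    return classify_response(resp)
```

Run `probe("<your auth server IP>")` from outside the firewall: an auth-only server should report `referral` or `refused`, and `recursion-available` means it is an open resolver for the Internet.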



To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
