On Thu, 8 May 2008 00:03:30 -0500, Sam Fourman Jr. wrote:
>On Wed, May 7, 2008 at 10:41 PM, Jon Radel <[EMAIL PROTECTED]> wrote:
>>
>> Sam Fourman Jr. wrote:
>>
>> > I assume that if I want to host email for 10 different domains I have
>>
>> If you're currently using a setup that involves the same IP
>> address for both authoritative (domains you host) and recursive
>> queries (client DNS requests), you should get these split onto
>> separate addresses.
>
>What I am really after is, well it is probably a fine line.... the
>most secure DNS can be while still providing the outside world
>recursive queries.
>because there is no real (sane) way to host email servers and not
>provide recursive queries.
Why do you believe that? Nobody's DNS ever needs to provide recursion
for any but its local users and hosting mailservers doesn't change
anything.

Try googling for:
dns recursion bad
or just read http://tinyurl.com/58wv6m for an example of what you can
let yourself in for. Even Microsoft knows better. (5th link found by
Google) and the 4th link is a pdf from us-cert.gov about "The
Continuing Denial of Service Threat Posed by DNS Recursion"

botnets and phishers will love you if you don't block recursive
queries from outside your citadel.

>
>Sam Fourman Jr.
>

You don't need to CC me. I'm subscribed. Replies to my list address
(From:) get tarpitted except from the list servers. Reply-to: works
fine though, but you don't need it.

Rod/
A consultant is someone who's called in when someone has painted
himself into a corner. He's expected to levitate his client out of
that corner. -The Sayings of Chairman Morrow. 1984.
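The two points made in the thread (don't offer recursion to anyone but your own users, and keep authoritative service and recursive service on separate addresses) map directly onto a resolver configuration. The fragment below is an added example written for this page, not something posted in the thread; it assumes BIND 9 `named.conf` syntax, and the addresses (192.0.2.53, 203.0.113.53, 10.0.0.0/8), the zone name and the zone file path are constructed placeholders.

```conf
// Added example (not from the thread). Assumes BIND 9 named.conf syntax.
// All addresses, the zone name and the file path are constructed placeholders.

// ---- WEAK: one address, one view, recursion open to the whole Internet ----
// Anyone can use this server as a resolver, so it is a ready-made
// reflector/amplifier for DoS traffic and an easier target for cache
// poisoning, which is exactly what the thread warns about.
//
// options {
//     listen-on { 203.0.113.53; };
//     recursion yes;
//     allow-recursion { any; };   // open resolver
// };
// zone "example.com" { type master; file "/etc/namedb/master/example.com"; };

// ---- HARDENED: recursion only for local users, on its own address ----

// Networks that are allowed to use this server as a resolver.
acl "trusted" {
    127.0.0.1;
    ::1;
    10.0.0.0/8;          // constructed internal range
};

options {
    // Two addresses: one for the internal resolver, one for the
    // public authoritative service, as Jon Radel suggested.
    listen-on { 192.0.2.53; 203.0.113.53; };
    allow-transfer { none; };
};

// Internal clients reaching the resolver address get recursion.
view "internal" {
    match-clients      { trusted; };
    match-destinations { 192.0.2.53; };
    recursion yes;
    allow-recursion    { trusted; };
    allow-query-cache  { trusted; };
};

// Everyone else (including the mail servers' correspondents) only gets
// authoritative answers for the zones we host, and no recursion at all.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query   { any; };
    zone "example.com" {
        type master;
        file "/etc/namedb/master/example.com";   // placeholder path
    };
};
```

To confirm the split took effect, query the public address from outside the trusted networks for a name you are not authoritative for: a correctly restricted server answers with status REFUSED and without the `ra` (recursion available) flag, while a query for a hosted zone still returns authoritative data. Mail delivery is unaffected either way, since remote mail servers only ever ask for your MX and A records, which the authoritative view serves.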

