On Wed, May 7, 2008 at 11:03 PM, Sam Fourman Jr. <[EMAIL PROTECTED]> wrote:
> On Wed, May 7, 2008 at 10:41 PM, Jon Radel <[EMAIL PROTECTED]> wrote:
...
>>>> If you're currently using a setup that involves the same IP
>>>> address for both authoritative (domains you host) and recursive
>>>> queries (client DNS requests), you should get these split onto
>>>> separate addresses.
>
> What I am really after is, well it is probably a fine line.... the
> most secure DNS can be while still providing the outside world
> recursive queries.
> Because there is no real (sane) way to host email servers and not
> provide recursive queries.
We all agree that you need to provide recursive DNS service to the hosts that are your MTAs and that you need to answer DNS queries about your own zones from any host out there. However, you do not need to provide *recursive* service to random outside hosts on the Internet at large in order to send and receive email. That is, your servers can and should refuse to answer a DNS query that asked for, for example, the address of www.openbsd.org.

If you think otherwise, please cite references.

Philip Guenther
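As an added illustration (not part of the thread) of the distinction Philip draws, here are two alternative BIND 9 named.conf fragments: the first is the open-resolver setting, the second stays authoritative for the hosted zone toward the whole Internet but only recurses for the MTA hosts. The ACL addresses, zone name and file path are constructed placeholders; use one fragment or the other, not both in the same file.

```conf
// --- Alternative A (weak): recursive service for anyone, i.e. an open resolver ---
options {
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };   // any outside host can resolve www.openbsd.org through us
};

// --- Alternative B (hardened): authoritative to the world, recursive only for our MTAs ---
// Addresses below are constructed placeholders from the RFC 5737 documentation range.
acl mta_hosts {
    127.0.0.1;        // clients on the name server itself
    192.0.2.25;       // primary MX host
    192.0.2.26;       // secondary MX host
};

options {
    recursion yes;                      // still resolve, but only for mta_hosts
    allow-query       { any; };         // anyone may ask about the zones we serve
    allow-recursion   { mta_hosts; };   // others get REFUSED for names we are not authoritative for
    allow-query-cache { mta_hosts; };   // and cannot read cached answers out of us either
};

// Hosted zone: answered for every client because of allow-query { any; }.
zone "example.com" {
    type master;
    file "/var/named/master/example.com";   // constructed path
};
```

From an outside host, `dig @ns.example.com www.openbsd.org` should come back with status REFUSED under alternative B, while `dig @ns.example.com example.com` is still answered; under alternative A both succeed, which is the open-resolver condition the thread warns about.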