On 26.02.2014 17:30, Viktor Dukhovni wrote:
>> no - the two DNS servers are already in the LAN and working
>>
>> they are trusted and if I do not trust my own LAN I also can
>> not trust a forwarder running on 127.0.0.1 asking them
>
> Without an anti-spoofing firewall, remote name servers may be able
> to forge DNS replies that appear to come from your LAN. It is not
> always obvious whether such protection is in place and is robust
In my case the LAN nameservers are not reachable from the WAN at all, and they are doing recursion/caching without any foreign forwarder.

The firewall in front of the mailserver does not allow addresses with a LAN IP coming in through the WAN interface.

That's why I wanted to make clear whether the limitation is a strong technical one or "only" highly recommended.
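As an added illustration that is not part of the thread above, the following Python script simulates the anti-spoofing policy the poster describes: packets that arrive on the WAN interface with a LAN (or other non-routable) source address are dropped, the internal resolvers are not reachable from the WAN at all, and the LAN side may only originate traffic from its own prefixes. The interface names, prefixes, resolver addresses and sample packets are constructed assumptions, not values from the thread; the real enforcement would live in the firewall in front of the mail server, this code only models the decision.

```python
"""
Simulation of a LAN/WAN anti-spoofing firewall policy (added example, not
from the mailing-list thread). Interface names, prefixes, resolver addresses
and the sample packets below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed topology (constructed): one WAN uplink, one LAN segment.
WAN_IFACE = "eth0"
LAN_IFACE = "eth1"
LAN_PREFIXES = [ipaddress.ip_network("192.168.10.0/24")]
# Source addresses that must never arrive from the outside (RFC 1918, loopback,
# link-local, "this" network), regardless of which prefix the LAN really uses.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]
# The two internal recursive resolvers (constructed addresses).
LAN_RESOLVERS = {ipaddress.ip_address("192.168.10.53"),
                 ipaddress.ip_address("192.168.10.54")}
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on
    src: str
    dst: str
    proto: str = "udp"
    sport: int = 0
    dport: int = 0


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def verdict(pkt: Packet) -> tuple[str, str]:
    """Return (action, reason) for one packet, evaluated in rule order."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    if pkt.iface == WAN_IFACE:
        # Rule 1: ingress anti-spoofing. A forged DNS reply that claims to come
        # from "our own" resolver carries a LAN (or other martian) source, which
        # can never legitimately arrive over the uplink.
        if _in_any(src, LAN_PREFIXES) or _in_any(src, MARTIANS):
            return "DROP", "spoofed internal source on WAN ingress"
        # Rule 2: the internal resolvers are not exposed to the WAN at all.
        if dst in LAN_RESOLVERS:
            return "DROP", "internal resolver not reachable from WAN"
        return "ACCEPT", "ordinary WAN traffic"

    if pkt.iface == LAN_IFACE:
        # Rule 3: egress anti-spoofing (BCP 38 style): only our own prefixes
        # may originate traffic on the LAN side.
        if not _in_any(src, LAN_PREFIXES):
            return "DROP", "foreign source address on LAN interface"
        return "ACCEPT", "LAN-originated traffic"

    return "DROP", "unknown interface"


def evaluate(packets):
    """Apply verdict() to a list of packets; returns (packet, action, reason)."""
    return [(p, *verdict(p)) for p in packets]


# Constructed sample traffic, including a forged DNS reply that pretends to
# come from the trusted LAN resolver but arrives on the uplink.
SAMPLE = [
    Packet(WAN_IFACE, "192.168.10.53", "192.168.10.25", "udp", 53, 40001),   # forged reply
    Packet(WAN_IFACE, "203.0.113.7", "192.168.10.53", "udp", 51000, 53),     # probe at resolver
    Packet(WAN_IFACE, "203.0.113.7", "192.168.10.25", "tcp", 51001, 25),     # inbound SMTP
    Packet(LAN_IFACE, "192.168.10.25", "192.168.10.53", "udp", 40002, 53),   # mail host asks resolver
    Packet(LAN_IFACE, "10.9.9.9", "198.51.100.1", "udp", 40003, 53),         # wrong source on LAN
]

if __name__ == "__main__":
    for pkt, action, why in evaluate(SAMPLE):
        print(f"{pkt.iface:5} {pkt.src:>15} -> {pkt.dst:<15} {action:6} ({why})")
```

Rule 1 is the check Viktor's remark is about: without it, a reply with a forged LAN source can reach the resolver or the mail host from outside, and the "trust" placed in the LAN resolvers is then only as good as the uplink. Rules 2 and 3 model the poster's statement that the resolvers are not reachable from the WAN and that nothing with a foreign source leaves the LAN side.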