On 26 Mar 2014, at 19:06, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Wed, Mar 26, 2014 at 12:16:50PM -0500, deoren wrote:
>
>>> I use powerdns recursor locally on my MX. It is designed for, targeted
>>> at, extremely high volume query loads, e.g. ISP environments, thus
>>> logging such failures would be useless due to the sheer volume. Think
>>> web pages containing multiple broken/dead links, then multiply times
>>> millions of page loads per day.
>>
>> Thanks for the recommendation and thanks also for confirming that it seems
>> to be a widespread thing. I'll look into powerdns recursor requirements and
>> give it a spin.
>
> You probably don't need a particularly exotic recursive nameserver.
> Ones that are optimized for performance, may not be optimized for
> security. If you want something other than BIND consider "unbound".

Also, if it does not need to serve network clients, you can bind it to localhost only.

We use BIND as a local stub resolver on our relay servers, which intercepts requests to our local rbldnsd, and forwards everything else to our set of Unbound recursors elsewhere on the network.

Verify that it starts before everything else that is dependent on DNS, on boot, so it's up when Postfix starts.

Mvg,
Joni
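A check for the "bind it to localhost only" advice in the message above, as an added example that is not part of the original thread: the hypothetical function `exposed_dns_listeners` reads `ss -H -lntu` output and prints every port-53 socket that is not bound to a loopback address. The sample socket lines and the address 192.0.2.25 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `ss -H -lntu` style lines on
# stdin and prints "<proto> <addr:port>" for each DNS listener that is
# reachable from the network. Returns 1 if any such listener is found.
exposed_dns_listeners() {
    awk '
    {
        la = $5                          # local "addr:port" column
        n = match(la, /:[0-9]+$/)        # position of the last colon
        if (n == 0) next
        port = substr(la, n + 1)
        addr = substr(la, 1, n - 1)
        if (port != "53") next           # only DNS sockets matter here
        sub(/%.*$/, "", addr)            # drop "%lo" interface suffix
        sub(/^\[/, "", addr)             # drop IPv6 brackets
        sub(/\]$/, "", addr)
        if (addr ~ /^127\./ || addr == "::1") next   # loopback is fine
        print $1, la                     # wildcard or routable address
        found = 1
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample: a resolver on loopback, one stray UDP listener on a
# routable address, and an SMTP listener that the check must ignore.
SAMPLE='udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:53 0.0.0.0:*
udp UNCONN 0 0 [::1]:53 [::]:*
udp UNCONN 0 0 192.0.2.25:53 0.0.0.0:*
tcp LISTEN 0 100 0.0.0.0:25 0.0.0.0:*'

printf '%s\n' "$SAMPLE" | exposed_dns_listeners \
    || echo "DNS listener exposed beyond loopback" >&2
```

On a live host the input would come from `ss -H -lntu | exposed_dns_listeners`, run after the resolver has started.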