I don't know for sure, but I suspect that the philosophy grew out of security issues in the early BIND days; it is still considered to be "best practice" security-wise. I've seen PowerDNS configured separately as well.

Phil Leinhauser wrote:
I haven't heard of not using an authoritative DNS as a resolver. Is that
a BIND thing maybe? I'm running MS DNS and have been for many moons with
no problems. I've never had cache corruption and in fact, the only time I
have ever flushed the cache is when I'm testing.

In fact, thinking about it, in AD the DNS servers are always doing both
because they would have the SRV records, etc and they also forward / cache
for the clients.



I *suspect* that there is "enough" benefit if the primary resolver isn't
local, but I must admit I've never seen any measurement.

Generally speaking, it's not a good practice to use an authoritative DNS
server as a resolver as well, at least not without isolating their roles
(IOW it can be done, but it's fairly involved to do well/properly).

That being said, I *think* that if you have a local resolver (accessible
w/out having to go onto the internet), then you'd probably not see any
noticeable difference using that resolver with or without a cache on the
toaster. It certainly doesn't hurt having a cache on the toaster though,
and not needing one is more often the exception (again I *think*).

Phil Leinhauser wrote:
Speaking of DNS...
You guys seem to be running a fairly large setup.  Are you running DNS
servers in house?  Are you also running DNS caching on QMT?

I'm running 3 DNS servers for my hosted domains and I'm just pointing QMT
to those. I don't seem to be having any kind of speed problems relating
to DNS. I'm just curious if there really is enough benefit to running the
QMT w/DNS cache.

Eric Shubert wrote:
Yep. Feels like DNS to me though.
What if you change your DNS configuration around a bit? Flush/disable
the cache (temporarily)? Use different resolvers?

Good call. Changed the resolv.conf to list one of my DNS servers first
and it started working. Should have thought of that; I had a client in
Mexico a couple weeks ago who could no longer send to .com.mx domains
and it ended up being their upstream DNS servers were not resolving .mx
domains.
Thanks!



--
-Eric 'shubes'


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

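As an added illustration of the role separation discussed in this thread (this is not code from the list or from any of the posters): a small Python audit that reads a BIND named.conf, detects whether the server is authoritative for any zone, whether recursion is on (BIND's default when the option is absent), and whether recursion is allowed to anyone. The three configurations embedded in it are constructed samples; the directory, the example.com zone and the 192.0.2.0/24 addresses (documentation space) are placeholders, and the parser ignores view statements.

```python
"""Audit a BIND named.conf for a server that is both authoritative and recursive.

Constructed example, not the code or configuration of anyone on the list.
"""
import re

# Constructed sample: one server hosts a zone AND recurses for the whole internet.
SAMPLE_COMBINED = '''
// authoritative + open recursive in one process (the pattern warned about above)
options {
    directory "/var/named";
    listen-on { any; };
    allow-query { any; };
    recursion yes;
    allow-recursion { any; };
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
};
'''

# Constructed sample: authoritative-only server (recursion switched off).
SAMPLE_AUTHORITATIVE = '''
options {
    directory "/var/named";
    allow-query { any; };
    recursion no;          /* answer only for the zones we host */
};
zone "example.com" IN {
    type primary;
    file "example.com.zone";
};
'''

# Constructed sample: caching resolver for the local network only, no hosted zones.
SAMPLE_RESOLVER = '''
options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.0.2.53; };
    allow-query { 127.0.0.1; 192.0.2.0/24; };
    recursion yes;
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };
    dnssec-validation auto;
};
zone "." IN {
    type hint;           # root hints are not an authoritative zone
    file "named.ca";
};
'''

AUTHORITATIVE_TYPES = ("master", "primary", "slave", "secondary")


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def blocks(text, keyword):
    """Yield (header, body) for every `keyword header { body };` statement.

    Braces are matched by depth so nested lists inside options are kept intact.
    """
    for m in re.finditer(r"\b%s\b([^{;]*)\{" % re.escape(keyword), text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]


def setting(body, name):
    """Value of a simple `name value;` statement, or None if it is absent."""
    m = re.search(r"(?<![\w-])%s\s+([^;{}]+);" % re.escape(name), body)
    return m.group(1).strip() if m else None


def acl(body, name):
    """Entries of a `name { a; b; };` address list, or None if it is absent."""
    m = re.search(r"(?<![\w-])%s\s*\{([^}]*)\}" % re.escape(name), body)
    return [e.strip() for e in m.group(1).split(";") if e.strip()] if m else None


def audit(named_conf):
    """Return a list of findings; an empty list means the roles are cleanly split."""
    text = strip_comments(named_conf)
    opts = next((body for _, body in blocks(text, "options")), "")
    # BIND treats a missing `recursion` option as `recursion yes`.
    recursion = (setting(opts, "recursion") or "yes").lower() == "yes"
    auth_zones = [hdr.split()[0].strip('"') for hdr, body in blocks(text, "zone")
                  if (setting(body, "type") or "").lower() in AUTHORITATIVE_TYPES]
    findings = []
    if recursion and auth_zones:
        findings.append("combined roles: recursion is on and the server is "
                        "authoritative for " + ", ".join(auth_zones))
    if recursion:
        allowed = acl(opts, "allow-recursion")
        if allowed is None:
            findings.append("recursion is on with no allow-recursion; the effective "
                            "client list depends on the BIND release default")
        elif any(e.lower() == "any" for e in allowed):
            findings.append("open resolver: allow-recursion { any; }")
    return findings


if __name__ == "__main__":
    for label, conf in (("combined", SAMPLE_COMBINED),
                        ("authoritative", SAMPLE_AUTHORITATIVE),
                        ("resolver", SAMPLE_RESOLVER)):
        print(label, "->", audit(conf) or "ok")
```

Run it as a script to see the combined configuration flagged twice (role mixing and open recursion) while the two split-role configurations pass; to audit a real file, pass `open("/etc/named.conf").read()` to `audit()`.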