Re: [Declude.JunkMail] why have spam scores jumped?
Ben, you'd find Simple DNS Plus an easy cross-grade. We have used it exclusively for all user-facing DNS for many years. We only use MS DNS as a stealth primary. Also, as Andy said, it's hard to believe your authoritative domains require more than a few dollars a month worth of DNS hosting -- some hosts even have a free plan you might fall under.

-- S.

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] why have spam scores jumped?
If you're that small - how many PUBLIC domains do you have to be authoritative for? What is the change frequency in a year, that you need this to be on your local DNS? For redundancy and availability purposes, why not host your public DNS at your registry, block incoming DNS queries at your border router/firewall - and set up your strictly IN-HOUSE DNS server as recursive?

-----Original Message-----
From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Saturday, March 16, 2013 2:04 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Very succinct. But I need further explanation...

Forget forwarding. We'd like to keep it to off-load the server and network traffic, but we can live without. However, I need one server to be both recursive for our mail server and non-recursive for our authoritative zones. We don't have to worry about our internal workstations because those I can set up to directly use the Comcast DNS servers (small network so I don't need internal DNS). But the mail server presents us the same kind of problem. The perfect solution would be a setting that tells the MS DNS server to accept recursive requests only from specified client IPs, but I don't see any way to do that. Any ideas?

Thanks,
Ben

-----Original Message-----
From: Scott Fosseen
Sent: Friday, March 15, 2013 10:33 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Another way to look at it.

Recursion:
Off: DNS server can only answer queries from its local zone files. Queries for any other records return no results. Used when the server is authoritative for public domains (declude.com, nasa.gov).
On: DNS server will try to answer all queries. If it does not know the answer it will call out to other DNS servers to get the answer.
(I run both. I have 4 non-recursive DNS servers for hosting zone files, and 2 recursive DNS servers for workstations to point to.)

Forwarders: Valid only if recursion is on.
If a Forwarder is set and the DNS server does not know the answer to a query, the DNS server will ask the Forwarder DNS server for the answer. If no Forwarder is set and the DNS server does not know the answer to a query, the DNS server will contact the root servers and find the answer itself.

My experience with MS DNS is that forwarders are set up at installation because the installer assumes a blank forwarder means the DNS server will be unable to look up addresses. Because DNS works with a forwarder, the setting gets left on. About the only time I recommend forwarders is if the site uses something like OpenDNS for content filtering, in which case all queries should go to the OpenDNS servers.

-----Original Message-----
From: "Sanford Whiteman"
Sent: 3/15/2013 8:08:14 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

>> The challenge for me is in not using forwarding. For MS DNS servers,
>> forwarding and recursion are tied together; turn off one and you
>> lose both.
>
> Incorrect. Turning off recursion turns off forwarders, but not vice
> versa. You can have a perfectly operating recursive MS DNS server that
> does not delegate recursion to any other server (forwarding amounts to
> delegating recursion, but the server as a whole is still recursive,
> thus the unidirectional relationship between the two settings). You
> only MUST use forwarders if you are not allowed to pass DNS requests
> out past your ISP's border (similar to when you have to use the ISP's
> outbound SMTP gateway).
>
>> So if I turn off recursion and forwarding, then all my DNS requests
>> will have to go to the root servers for resolution.
>
> No, if you turn off recursion completely, you can't get responses for
> domains that aren't on your box. No one is going to do it for you --
> the "root servers" sure won't.
>
>> I do understand the dangers of being an open resolver
>
> You're mixing up a lot of terms here. An open resolver is one that
> will perform recursive lookups for any address on the open internet.
>
>> but I am also under the impression that resolving only through root
>> servers is bad.
>
> It's not "bad," it doesn't exist.
>
>> Since MS seems to recommend forwarding I doubt that...
>>
>> With a stub zone, queries to URIBL.com are resolved directly through
>> the URIBL Name servers...
>
> ... and there is no reason to go down this road. If you can get DNS
> requests past your ISP, there's no reason to have forwarders.
>
> -- S.
Re: [Declude.JunkMail] why have spam scores jumped?
Ben,

You may be able to run multiple instances of BIND on different IPs on the same server, or a combination of MS DNS and BIND on different IPs on the same server, but you _really_ don't want to. Downsizing redundancy in your nameserver DNS is just plain the wrong thing to do. The reason you're not finding the answers you want is that you're asking the wrong question.

Sorry,
Darin.

-----Original Message-----
From: SM Admin
Sent: Saturday, March 16, 2013 2:51 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Ahhh, yes, but that's the answer I don't want.

Right now, I could take our existing old authoritative DNS server and make it non-recursive, then put a recursive name server on the mail server itself, but listening only to the internal IP, and that would seem to follow your suggestion. Although, when I look at the Interface tab in Properties, I don't see a local or 127.0.0.1 IP. Maybe it's that funny IPv6 string I see?

The problem is that we're downsizing and consolidating this stuff, so we'd like to move all the DNS functions over to just the mail server and retire the old DNS server. In that case, of course, we only have one DNS server.

I've been looking online to see how others might handle this. It seems that BIND can do this one way or another. You might be able to tell it to listen for recursive requests only on certain IPs, or you can disable all recursion for the server but then override it for each of your authoritative zones. Unfortunately, I have yet to find either of those features as part of MS DNS and I'm not about to launch into the world of BIND.

The second idea was to consolidate the DNS server onto the mail server, enable recursion, but then block recursive requests from the outside world. For example, use a firewall to block recursive requests (but only those that are recursive) from the outside. I found some online discussion of people trying to do this, possibly using port 53, but no indications that anyone actually succeeded.

So for now, I'm still stuck.

-----Original Message-----
From: Darin Cox
Sent: Friday, March 15, 2013 11:11 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Hi Ben,

You'll want to set up at least two DNS servers for that. One recursive for mail server lookups, most likely on the mail server. The DNS service on the mail server should not be publicly accessible. The other non-recursive DNS server can be used as your nameserver and, of course, publicly accessible. Since you need multiple nameservers anyway, this is not likely an issue. And you'll want them on separate subnets, network connections, etc... as much separation as you can get to avoid common points of failure.

Another reason to separate the nameservers from your web and email services is that if you host any websites that process credit cards, PCI-DSS compliance requires any publicly accessible DNS services on the web or email server to have recursion turned off.

Hope this helps,
Darin.

-----Original Message-----
From: SM Admin
Sent: Saturday, March 16, 2013 1:55 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Thanks, Sandy. Of course, if I had understood everything perfectly (or even reasonably), I wouldn't have had to post my questions here.

On our old DNS server that ran under Windows 2000 Advanced Server, you could actually toggle Forwarding and Recursion separately. However, under Windows 2008 Server this isn't the case. You are correct that it's not symmetric as I claimed, although I really did no better. Turning off recursion from the Advanced properties tab turns off forwarding. Turning off forwarding, I assume, is done by just not having any forwarders listed. So what I said previously was wrong, although I don't see where it really changes what I was thinking about.

The challenge here is that our DNS server has two purposes: it is the authoritative name server for a bunch of zones and it is also the primary name server used by our mail server. For purposes of being authoritative for our hosted zones we don't need either recursion or forwarding. Requests come to us, get what they need, and then go away. For purposes of our mail server we need our DNS server to be recursive, at the least. We set up forwarding to the Comcast name servers to offload server and network traffic. They can do all the recursion and then pass back the results to our DNS server, which passes the results back to our mail server. So I gather the recommendation here is to skip the forwarding and do all the work ourselves.

I don't understand your remark about open resolver because you don't explain where I'm wrong in my understanding. What I understand is that if you have a DNS server that does recursion on a public IP, then it is an open resolver and could be attacked. Is that wrong? And if we turn off forwarding but leave on recursion, then w
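Ben's ask in the thread is one box that answers the public authoritatively for its hosted zones but recurses only for the mail server, and he notes BIND can restrict recursion to certain client IPs. As an added example that is not from any poster, this is the BIND 9 named.conf fragment that implements that split without forwarders; the mail server address 10.1.1.25, the zone example.com and the file paths are placeholders.

```conf
// Added example (not from the thread): one BIND 9 server that is
// authoritative for public zones but recurses only for listed clients.
// 10.1.1.25 (the mail server), example.com and the paths are placeholders.
acl "trusted" {
    127.0.0.1;
    10.1.1.25;                        // the mail server
};

options {
    directory "/var/named";
    listen-on { any; };
    recursion yes;                    // recursion stays on for the server...
    allow-recursion { "trusted"; };   // ...but only these clients may use it
    allow-query-cache { "trusted"; }; // and only they may read cached answers
    allow-query { any; };             // anyone may ask; outsiders only get
                                      // authoritative data for our zones
    allow-transfer { none; };         // open up only to your secondaries
    // No "forwarders" statement: the server walks from the roots itself,
    // which is the thread's recommendation when the ISP allows port 53 out.
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-query { any; };             // public, authoritative answers for all
};
```

To confirm the split from an outside address, a lookup for a name outside your zones should come back refused (or without the RA flag) while records under example.com still answer; from 10.1.1.25 the same outside lookup should resolve.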