Re: [Declude.JunkMail] recursion turned off causes higher JM scores?
OK, so now I've turned all recursion back on. As it is, I can't see any postings to the group because the SPAM ratings are all too high and they're being deleted. Let's hope things are back to normal. Ben - Original Message - From: IMail Admin [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, March 31, 2006 11:12 PM Subject: SPAM [16][Declude.JunkMail] recursion turned off causes higher JM scores? Hi All, I was testing out our domain name at dnsreport.com, and it complained that we had recursion turn on at the DNS server. So I tried turning it off, and suddenly all our JM scores went through the roof. I've got a sample from some personal mail below. It looks to me like IPs weren't being resolved or something, because the it shows that no A or MX recording found in the sending domain, which is absurd. We use MS DNS with MS Win2k Server. There are two places where recursion is listed: on the forwarders tab and on the Advanced tab. I originally had them both turned on, but had then turned them both off. That's when the JM scores got so high. I'm testing a different config now: allow recursion on the Forwarders tab, but disable it on the Advanced tab. I won't know if this works until I get some messages. In the meanwhile, can anyone explain this to me? Thanks, Ben Here's the sample header: Received: from mx48.smf.ebay.com [66.135.209.221] by bcw6.bcwebhost.net with ESMTP (SMTPD32-7.15) id A3D6124B014A; Fri, 31 Mar 2006 21:47:02 -0800 Received: from qsxbat02.den.ebay.com (qsxbat02.den.ebay.com [10.4.59.12]) by mx48.smf.ebay.com (8.13.5/8.13.5) with ESMTP id k315khXO011994 for [EMAIL PROTECTED]; Fri, 31 Mar 2006 21:47:01 -0800 DomainKey-Signature: a=rsa-sha1; s=dk; d=ebay.com; c=nofws; q=dns; h=x-ebay-mailtracker:to:from:mime-version:content-type:subject:date:message-id; b=GOQb51Mirppc1kbCc7VZ0zjb/JKEjBWm67pXUdsVPwdbg6LsdObHNxCpuuK1lo5aa ZWQdtM/e8OXmGvU6nfAznD3BoCP2Gh2rI3+hPrYVJerePj2O/pH9MuhE0ebfSxUQLaM 84xORpGTDWGmu9gRhchmJl7jCsPv4M5rqinECmg=X-eBay-MailTracker: 10008.0.0.0To: [EMAIL PROTECTED]: [EMAIL PROTECTED]: 1.0Content-Type: multipart/alternative;boundary=8258267.1143870345921.JavaMail.ebba.qsxbat02Subject: SPAM [16]eBay Favorite Search: intel scb2 ataDate: Fri, 31 Mar 2006 21:45:45 PSTMessage-ID: [EMAIL PROTECTED]X-RBL-Warning: HELOBOGUS: Domain mx48.smf.ebay.com has no MX or A records[0001].X-RBL-Warning: MAILFROM: Domain ebay.com has no MX or A records [0001].X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 66.135.209.221with no reverse DNS entry.X-Declude-Sender: [EMAIL PROTECTED] [66.135.209.221]X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) forspam.X-Spam-Tests-Failed: HELOBOGUS, MAILFROM, REVDNS, WEIGHT5, WEIGHT10,WEIG HT15, WEIGHT15r, WEIGHT7 [16]X-Note: This E-mail was sent from [No Reverse DNS] ([66.135.209.221]). --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] recursion turned off causes higher JM scores?
That's when the JM scores got so high. I'm testing a different config now: allow recursion on the Forwarders tab, but disable it on the Advanced tab. I won't know if this works until I get some messages. In the meanwhile, can anyone explain this to me? You _must_ allow recursion for the Declude server, or it will not be able to resolve zones for which it is not authoritative (i.e. every domain you do not own). You do not need to allow recursion for the wild Internet, however. But MS DNS has a weakness (not a security weakness exactly, but more of a functional one) in that recursion is either on or off, globally, for the DNS service. This means that if you are hosting authoritative zones on the box, and thus need to expose the box to the outside world, and that same box is providing recursive DNS to internal servers or users, then you are effectively providing recursive DNS to the outside world as well (if someone should choose to abuse you for this purpose). The way around this is to use SimpleDNS or BIND on the server you expose to the outside, which both have means of limiting recursion without completely disabling it. The simplest install, to my mind, without a full migration off MS DNS (a full migration causing soluble, but unfun, issues in AD domains), is to run SimpleDNS and MS DNS on the same box by binding each one to a different IP. Expose SimpleDNS without recursion and make it a secondary for the authoritative zones. Keep MS DNS as your primary and as your internal recursive DNS. Done. --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/ --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] recursion turned off causes higher JM scores?
Hi Sandy, OK, I've got recursion back on, so now I get email again. I hate to think how many complaints I'm going to have in the morning. Fortunately, most of our clients aren't as aggressive as I am in deleting spam based on rating. I understand what you're saying, and I thank you for the explanation. I'm not real anxious to get into SimpleDNS (and I've read enough complaints about BIND to be cautious) first, because of cost, and, second, because it's one more complication. However, I was thinking about something else I read here. There was some discussion about running a cache-only DNS server for IMail/Declude. I didn't read most of the thread, and I never saw how to make the DNS serve cache only, but I was thinking that if I had a cache-only server that is only available to the mail server, then I can leave on recursion for it and it won't matter because it wouldn't be available to the public. The public DNS servers I can then turn off their recursion feature. What do you think? Thanks again, Ben - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: IMail Admin Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 12:06 AM Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? That's when the JM scores got so high. I'm testing a different config now: allow recursion on the Forwarders tab, but disable it on the Advanced tab. I won't know if this works until I get some messages. In the meanwhile, can anyone explain this to me? You _must_ allow recursion for the Declude server, or it will not be able to resolve zones for which it is not authoritative (i.e. every domain you do not own). You do not need to allow recursion for the wild Internet, however. But MS DNS has a weakness (not a security weakness exactly, but more of a functional one) in that recursion is either on or off, globally, for the DNS service. This means that if you are hosting authoritative zones on the box, and thus need to expose the box to the outside world, and that same box is providing recursive DNS to internal servers or users, then you are effectively providing recursive DNS to the outside world as well (if someone should choose to abuse you for this purpose). The way around this is to use SimpleDNS or BIND on the server you expose to the outside, which both have means of limiting recursion without completely disabling it. The simplest install, to my mind, without a full migration off MS DNS (a full migration causing soluble, but unfun, issues in AD domains), is to run SimpleDNS and MS DNS on the same box by binding each one to a different IP. Expose SimpleDNS without recursion and make it a secondary for the authoritative zones. Keep MS DNS as your primary and as your internal recursive DNS. Done. --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/ --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] recursion turned off causes higher JM scores?
What I do is install the MS DNS service on the Imail server, configure it for cache only allowing recursion, and point Imail and Declude to that. Make sure your firewall is configured to not allow the world to make DNS queries against it and you are set. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of IMail Admin Sent: Saturday, April 01, 2006 12:20 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? Hi Sandy, OK, I've got recursion back on, so now I get email again. I hate to think how many complaints I'm going to have in the morning. Fortunately, most of our clients aren't as aggressive as I am in deleting spam based on rating. I understand what you're saying, and I thank you for the explanation. I'm not real anxious to get into SimpleDNS (and I've read enough complaints about BIND to be cautious) first, because of cost, and, second, because it's one more complication. However, I was thinking about something else I read here. There was some discussion about running a cache-only DNS server for IMail/Declude. I didn't read most of the thread, and I never saw how to make the DNS serve cache only, but I was thinking that if I had a cache-only server that is only available to the mail server, then I can leave on recursion for it and it won't matter because it wouldn't be available to the public. The public DNS servers I can then turn off their recursion feature. What do you think? Thanks again, Ben - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: IMail Admin Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 12:06 AM Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? That's when the JM scores got so high. I'm testing a different config now: allow recursion on the Forwarders tab, but disable it on the Advanced tab. I won't know if this works until I get some messages. In the meanwhile, can anyone explain this to me? You _must_ allow recursion for the Declude server, or it will not be able to resolve zones for which it is not authoritative (i.e. every domain you do not own). You do not need to allow recursion for the wild Internet, however. But MS DNS has a weakness (not a security weakness exactly, but more of a functional one) in that recursion is either on or off, globally, for the DNS service. This means that if you are hosting authoritative zones on the box, and thus need to expose the box to the outside world, and that same box is providing recursive DNS to internal servers or users, then you are effectively providing recursive DNS to the outside world as well (if someone should choose to abuse you for this purpose). The way around this is to use SimpleDNS or BIND on the server you expose to the outside, which both have means of limiting recursion without completely disabling it. The simplest install, to my mind, without a full migration off MS DNS (a full migration causing soluble, but unfun, issues in AD domains), is to run SimpleDNS and MS DNS on the same box by binding each one to a different IP. Expose SimpleDNS without recursion and make it a secondary for the authoritative zones. Keep MS DNS as your primary and as your internal recursive DNS. Done. --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release / Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/downloa d/rel ease/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/re lease/ --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] recursion turned off causes higher JM scores?
That's what I was thinking. How do you configure the cache-only? Thanks, Ben - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 1:59 AM Subject: RE: [Declude.JunkMail] recursion turned off causes higher JM scores? What I do is install the MS DNS service on the Imail server, configure it for cache only allowing recursion, and point Imail and Declude to that. Make sure your firewall is configured to not allow the world to make DNS queries against it and you are set. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of IMail Admin Sent: Saturday, April 01, 2006 12:20 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? Hi Sandy, OK, I've got recursion back on, so now I get email again. I hate to think how many complaints I'm going to have in the morning. Fortunately, most of our clients aren't as aggressive as I am in deleting spam based on rating. I understand what you're saying, and I thank you for the explanation. I'm not real anxious to get into SimpleDNS (and I've read enough complaints about BIND to be cautious) first, because of cost, and, second, because it's one more complication. However, I was thinking about something else I read here. There was some discussion about running a cache-only DNS server for IMail/Declude. I didn't read most of the thread, and I never saw how to make the DNS serve cache only, but I was thinking that if I had a cache-only server that is only available to the mail server, then I can leave on recursion for it and it won't matter because it wouldn't be available to the public. The public DNS servers I can then turn off their recursion feature. What do you think? Thanks again, Ben - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: IMail Admin Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 12:06 AM Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? That's when the JM scores got so high. I'm testing a different config now: allow recursion on the Forwarders tab, but disable it on the Advanced tab. I won't know if this works until I get some messages. In the meanwhile, can anyone explain this to me? You _must_ allow recursion for the Declude server, or it will not be able to resolve zones for which it is not authoritative (i.e. every domain you do not own). You do not need to allow recursion for the wild Internet, however. But MS DNS has a weakness (not a security weakness exactly, but more of a functional one) in that recursion is either on or off, globally, for the DNS service. This means that if you are hosting authoritative zones on the box, and thus need to expose the box to the outside world, and that same box is providing recursive DNS to internal servers or users, then you are effectively providing recursive DNS to the outside world as well (if someone should choose to abuse you for this purpose). The way around this is to use SimpleDNS or BIND on the server you expose to the outside, which both have means of limiting recursion without completely disabling it. The simplest install, to my mind, without a full migration off MS DNS (a full migration causing soluble, but unfun, issues in AD domains), is to run SimpleDNS and MS DNS on the same box by binding each one to a different IP. Expose SimpleDNS without recursion and make it a secondary for the authoritative zones. Keep MS DNS as your primary and as your internal recursive DNS. Done. --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release / Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/downloa d/rel ease/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/re lease/ --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail
RE: [Declude.JunkMail] recursion turned off causes higher JM scores?
Don't configure any zones but allow recursion. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of IMail Admin Sent: Saturday, April 01, 2006 9:45 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? That's what I was thinking. How do you configure the cache-only? Thanks, Ben - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 1:59 AM Subject: RE: [Declude.JunkMail] recursion turned off causes higher JM scores? What I do is install the MS DNS service on the Imail server, configure it for cache only allowing recursion, and point Imail and Declude to that. Make sure your firewall is configured to not allow the world to make DNS queries against it and you are set. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of IMail Admin Sent: Saturday, April 01, 2006 12:20 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? Hi Sandy, OK, I've got recursion back on, so now I get email again. I hate to think how many complaints I'm going to have in the morning. Fortunately, most of our clients aren't as aggressive as I am in deleting spam based on rating. I understand what you're saying, and I thank you for the explanation. I'm not real anxious to get into SimpleDNS (and I've read enough complaints about BIND to be cautious) first, because of cost, and, second, because it's one more complication. However, I was thinking about something else I read here. There was some discussion about running a cache-only DNS server for IMail/Declude. I didn't read most of the thread, and I never saw how to make the DNS serve cache only, but I was thinking that if I had a cache-only server that is only available to the mail server, then I can leave on recursion for it and it won't matter because it wouldn't be available to the public. The public DNS servers I can then turn off their recursion feature. What do you think? Thanks again, Ben - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: IMail Admin Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 12:06 AM Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? That's when the JM scores got so high. I'm testing a different config now: allow recursion on the Forwarders tab, but disable it on the Advanced tab. I won't know if this works until I get some messages. In the meanwhile, can anyone explain this to me? You _must_ allow recursion for the Declude server, or it will not be able to resolve zones for which it is not authoritative (i.e. every domain you do not own). You do not need to allow recursion for the wild Internet, however. But MS DNS has a weakness (not a security weakness exactly, but more of a functional one) in that recursion is either on or off, globally, for the DNS service. This means that if you are hosting authoritative zones on the box, and thus need to expose the box to the outside world, and that same box is providing recursive DNS to internal servers or users, then you are effectively providing recursive DNS to the outside world as well (if someone should choose to abuse you for this purpose). The way around this is to use SimpleDNS or BIND on the server you expose to the outside, which both have means of limiting recursion without completely disabling it. The simplest install, to my mind, without a full migration off MS DNS (a full migration causing soluble, but unfun, issues in AD domains), is to run SimpleDNS and MS DNS on the same box by binding each one to a different IP. Expose SimpleDNS without recursion and make it a secondary for the authoritative zones. Keep MS DNS as your primary and as your internal recursive DNS. Done. --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release / Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/downloa d/rel ease/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/re lease/ --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send
Re: [Declude.JunkMail] recursion turned off causes higher JM scores?
I see; so it becomes non-authoritative on everything. Do you know what the difference is between the two recursion settings in MS DNS? There is one on the forwarders tab and one on the advanced tab. This is getting a little off-topic, but I appreciate the help anyway and the list looks quiet today. So why is recursion necessary? If I have forwarders configured, wouldn't they either report the answer, or use recursion, or use forwarders themselves? It would seem that forwarders should achieve the same results as recursion. For that matter, what would happen if you enabled recursion but didn't list forwarders? Thanks, Ben - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 10:10 AM Subject: RE: [Declude.JunkMail] recursion turned off causes higher JM scores? Don't configure any zones but allow recursion. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of IMail Admin Sent: Saturday, April 01, 2006 9:45 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? That's what I was thinking. How do you configure the cache-only? Thanks, Ben - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 1:59 AM Subject: RE: [Declude.JunkMail] recursion turned off causes higher JM scores? What I do is install the MS DNS service on the Imail server, configure it for cache only allowing recursion, and point Imail and Declude to that. Make sure your firewall is configured to not allow the world to make DNS queries against it and you are set. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of IMail Admin Sent: Saturday, April 01, 2006 12:20 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? Hi Sandy, OK, I've got recursion back on, so now I get email again. I hate to think how many complaints I'm going to have in the morning. Fortunately, most of our clients aren't as aggressive as I am in deleting spam based on rating. I understand what you're saying, and I thank you for the explanation. I'm not real anxious to get into SimpleDNS (and I've read enough complaints about BIND to be cautious) first, because of cost, and, second, because it's one more complication. However, I was thinking about something else I read here. There was some discussion about running a cache-only DNS server for IMail/Declude. I didn't read most of the thread, and I never saw how to make the DNS serve cache only, but I was thinking that if I had a cache-only server that is only available to the mail server, then I can leave on recursion for it and it won't matter because it wouldn't be available to the public. The public DNS servers I can then turn off their recursion feature. What do you think? Thanks again, Ben - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: IMail Admin Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 12:06 AM Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? That's when the JM scores got so high. I'm testing a different config now: allow recursion on the Forwarders tab, but disable it on the Advanced tab. I won't know if this works until I get some messages. In the meanwhile, can anyone explain this to me? You _must_ allow recursion for the Declude server, or it will not be able to resolve zones for which it is not authoritative (i.e. every domain you do not own). You do not need to allow recursion for the wild Internet, however. But MS DNS has a weakness (not a security weakness exactly, but more of a functional one) in that recursion is either on or off, globally, for the DNS service. This means that if you are hosting authoritative zones on the box, and thus need to expose the box to the outside world, and that same box is providing recursive DNS to internal servers or users, then you are effectively providing recursive DNS to the outside world as well (if someone should choose to abuse you for this purpose). The way around this is to use SimpleDNS or BIND on the server you expose to the outside, which both have means of limiting recursion without completely disabling it. The simplest install, to my mind, without a full migration off MS DNS (a full migration causing soluble, but unfun, issues in AD domains), is to run SimpleDNS and MS DNS on the same box by binding each one to a different IP. Expose SimpleDNS without recursion and make it a secondary for the authoritative zones. Keep
RE: [Declude.JunkMail] recursion turned off causes higher JM scores?
Ben, Here is my understanding of Forwarders Recursion If you have forwarders defined then any zone that your DNS is not authoritative for will look to the forwarders to resolve. If you have recursion on then your DNS server will call the root DNS servers and track down the authoritative DNS server for the request. I do not know what will take precedence if you have both defined and enabled. It has been said many times on this list that your ISP frowns on your DNS server using theirs for all the DNS checks that Declude does due to volume. Which goes back to John's point of having a DNS server on your Declude box that does recursive look ups and does not have forwarders defined. Hope it helps Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of IMail Admin Sent: Saturday, April 01, 2006 1:23 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? I see; so it becomes non-authoritative on everything. Do you know what the difference is between the two recursion settings in MS DNS? There is one on the forwarders tab and one on the advanced tab. This is getting a little off-topic, but I appreciate the help anyway and the list looks quiet today. So why is recursion necessary? If I have forwarders configured, wouldn't they either report the answer, or use recursion, or use forwarders themselves? It would seem that forwarders should achieve the same results as recursion. For that matter, what would happen if you enabled recursion but didn't list forwarders? Thanks, Ben - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 10:10 AM Subject: RE: [Declude.JunkMail] recursion turned off causes higher JM scores? Don't configure any zones but allow recursion. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of IMail Admin Sent: Saturday, April 01, 2006 9:45 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? That's what I was thinking. How do you configure the cache-only? Thanks, Ben - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 1:59 AM Subject: RE: [Declude.JunkMail] recursion turned off causes higher JM scores? What I do is install the MS DNS service on the Imail server, configure it for cache only allowing recursion, and point Imail and Declude to that. Make sure your firewall is configured to not allow the world to make DNS queries against it and you are set. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of IMail Admin Sent: Saturday, April 01, 2006 12:20 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? Hi Sandy, OK, I've got recursion back on, so now I get email again. I hate to think how many complaints I'm going to have in the morning. Fortunately, most of our clients aren't as aggressive as I am in deleting spam based on rating. I understand what you're saying, and I thank you for the explanation. I'm not real anxious to get into SimpleDNS (and I've read enough complaints about BIND to be cautious) first, because of cost, and, second, because it's one more complication. However, I was thinking about something else I read here. There was some discussion about running a cache-only DNS server for IMail/Declude. I didn't read most of the thread, and I never saw how to make the DNS serve cache only, but I was thinking that if I had a cache-only server that is only available to the mail server, then I can leave on recursion for it and it won't matter because it wouldn't be available to the public. The public DNS servers I can then turn off their recursion feature. What do you think? Thanks again, Ben - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: IMail Admin Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 12:06 AM Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? That's when the JM scores got so high. I'm testing a different config now: allow recursion on the Forwarders tab, but disable it on the Advanced tab. I won't know if this works until I get some messages. In the meanwhile, can anyone explain this to me? You _must_ allow recursion for the Declude server, or it will not be able
