On Fri, 23 Sep 2016, Lindsay Haisley wrote:
On Fri, 2016-09-23 at 19:03 -0400, listsb-spamassas...@bitrate.net
wrote:
consider that, to do the work described as "forwarding" in many of
these references, the nameserver must perform a recursive query [e.g.
it must perform a query with the rd bit
On Fri, 2016-09-23 at 19:03 -0400, listsb-spamassas...@bitrate.net
wrote:
> consider that, to do the work described as "forwarding" in many of
> these references, the nameserver must perform a recursive query [e.g.
> it must perform a query with the rd bit set].
"A forwarding DNS server offers the
On Fri, 2016-09-23 at 17:10 -0400, btb wrote:
> > http://serverfault.com/questions/661821/what-s-the-difference-between-recursion-and-forwarding-in-bind
>
> this is bad information. it's unfortunate it has a green check mark
> next to it. at least it only has a 6 though.
So why is this bad
On Fri, 2016-09-23 at 20:21 -0400, Bill Cole wrote:
> On a more theoretical level, the
> fact that BIND is able to do virtually anything that anyone would ever
> want to do with a DNS server means that it has a broader potential
> attack surface in itself and is a richer prize if hijacked, ei
On Fri, 2016-09-23 at 20:21 -0400, Bill Cole wrote:
Almost every week on this list you can see examples of people who are
> nominally and operationally sysadmins who have followed poor config
> advice found in dubious corners of the net or even on stale pages of the
> SA wiki, and the same class
On Fri, 2016-09-23 at 20:21 -0400, Bill Cole wrote:
> On 23 Sep 2016, at 16:10, Lindsay Haisley wrote:
>
> >
> > On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote:
> > >
> > > As much as I love BIND (no, seriously, I do) it's very hard to
> > > recommend
> > > it as the first choice for a sim
On 23 Sep 2016, at 16:18, Greg Troxel wrote:
> "Bill Cole" writes:
>
>> On 22 Sep 2016, at 23:24, John Hardin wrote:
>>
>>> As far as I understand it, dnsmasq cannot be used for local
>>> recursion; it's purely a lightweight local DNS cache layer.
>>
>> Your understanding is correct; dnsmasq is u
On 23 Sep 2016, at 16:10, Lindsay Haisley wrote:
On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote:
As much as I love BIND (no, seriously, I do) it's very hard to
recommend
it as the first choice for a simple recursive resolver.
Setting up bind as a "simple recursive resolver" is simplicit
> On Sep 23, 2016, at 17.34, Lindsay Haisley wrote:
>
> On Fri, 2016-09-23 at 17:10 -0400, btb wrote:
>> On 2016.09.23 16.16, Lindsay Haisley wrote:
>>>
>>> On Fri, 2016-09-23 at 18:43 +0100, RW wrote:
Right, but the question here is why isn't a forwarding server also a
recursiv
On Fri, 23 Sep 2016, Greg Troxel wrote:
"Bill Cole" writes:
On 22 Sep 2016, at 23:24, John Hardin wrote:
As far as I understand it, dnsmasq cannot be used for local
recursion; it's purely a lightweight local DNS cache layer.
Your understanding is correct; dnsmasq is unfit for service as
On Fri, 2016-09-23 at 17:10 -0400, btb wrote:
> On 2016.09.23 16.16, Lindsay Haisley wrote:
> >
> > On Fri, 2016-09-23 at 18:43 +0100, RW wrote:
> > >
> > > Right, but the question here is why isn't a forwarding server also a
> > > recursive server? Why is the use of iteration the defining featur
On 2016.09.23 16.16, Lindsay Haisley wrote:
On Fri, 2016-09-23 at 18:43 +0100, RW wrote:
Right, but the question here is why isn't a forwarding server also a
recursive server? Why is the use of iteration the defining feature of
a recursive server and not the support for recursion.
http://serve
"Bill Cole" writes:
> On 22 Sep 2016, at 23:24, John Hardin wrote:
>
>> As far as I understand it, dnsmasq cannot be used for local
>> recursion; it's purely a lightweight local DNS cache layer.
>
> Your understanding is correct; dnsmasq is unfit for service as a
> resolver for a mail server bec
On Fri, 2016-09-23 at 18:43 +0100, RW wrote:
> Right, but the question here is why isn't a forwarding server also a
> recursive server? Why is the use of iteration the defining feature of
> a recursive server and not the support for recursion.
http://serverfault.com/questions/661821/what-s-the-dif
Lindsay Haisley writes:
> Huh? So what's the problem with "recursion"? That's the name of the
> boolean configuration option in bind9. It's about as descriptive and
> clear a word as it can be.
>
> options {
> directory "/var/cache/bind";
> recursion yes;
> allow-query {
On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote:
> As much as I love BIND (no, seriously, I do) it's very hard to recommend
> it as the first choice for a simple recursive resolver.
Setting up bind as a "simple recursive resolver" is simplicity itself.
acl goodclients {
1.2.3.0/24;
4.
On Fri, 2016-09-23 at 21:25 +0200, Axb wrote:
> On 09/23/2016 09:11 PM, RW wrote:
> >
> > Whatever the rights and wrongs of this I think the term recursive is
> > best avoided in this list. "Non-forwarding" is a lot clearer IMO.
> Can we agree to:
> "servers running SA should use a local non forwar
On 22 Sep 2016, at 23:24, John Hardin wrote:
As far as I understand it, dnsmasq cannot be used for local recursion;
it's purely a lightweight local DNS cache layer.
Your understanding is correct; dnsmasq is unfit for service as a
resolver for a mail server because it cannot perform recursion,
On 09/23/2016 09:11 PM, RW wrote:
Whatever the rights and wrongs of this I think the term recursive is
best avoided in this list. "Non-forwarding" is a lot clearer IMO.
Can we agree to:
"servers running SA should use a local non forwarding resolver".
That should rule out dnsmasq.
On Fri, 23 Sep 2016 14:12:30 -0400
Bill Cole wrote:
> I have never seen the word "iterative" used to describe DNS recursion
> or any other DNS resolution algorithm except in the context of a
> resolver having multiple servers that it can query at a particular
> step of the resolution process
It
Huh, why are people getting hung up on this?
The distinction is based on who the DNS server will consult to provide
a response to a question.
An authoritative server consults its local authoritative zone
database. It may or may not be willing to consult someone else for
questions not in its data
On Fri, 23 Sep 2016, RW wrote:
On Fri, 23 Sep 2016 16:57:54 +
Shawn Bakhtiar wrote:
Recursive server does lookups iteratively.
Right, but the question here is why isn't a forwarding server also a
recursive server?
It may or may not be, see "forward first". A DNS server may do both.
W
On 23.09.2016 at 20:30, John Hardin wrote:
On Fri, 23 Sep 2016, li...@rhsoft.net wrote:
On 23.09.2016 at 05:24, John Hardin wrote:
On Thu, 22 Sep 2016, Thomas Barth wrote:
> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
> > > > URIBL_BLOCKED shows you are using still a dns-forwarder
On Fri, 23 Sep 2016, RW wrote:
On Thu, 22 Sep 2016 20:24:21 -0700 (PDT)
John Hardin wrote:
Lists shouldn't have said "caching", that confuses the issue. Caching
and recursion are two different, unrelated pieces.
Focus on the "recursion" and "no forwarding" parts of that
recommendation.
I'v
On 2016.09.23 12.03, RW wrote:
On Thu, 22 Sep 2016 20:24:21 -0700 (PDT)
John Hardin wrote:
Lists shouldn't have said "caching", that confuses the issue. Caching
and recursion are two different, unrelated pieces.
Focus on the "recursion" and "no forwarding" parts of that
recommendation.
I've
On 23 Sep 2016, at 13:43, RW wrote:
On Fri, 23 Sep 2016 16:57:54 +
Shawn Bakhtiar wrote:
Recursive server does lookups iteratively.
Right, but the question here is why isn't a forwarding server also a
recursive server?
Because a forward-only DNS server does not resolve queries by way o
On Fri, 23 Sep 2016, li...@rhsoft.net wrote:
On 23.09.2016 at 05:24, John Hardin wrote:
On Thu, 22 Sep 2016, Thomas Barth wrote:
> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
> >
> > URIBL_BLOCKED shows you are using still a dns-forwarder and so won't
> > get
> > results from a
On 23.09.2016 at 19:57, RW wrote:
On Fri, 23 Sep 2016 13:13:19 -0400
Sean Greenslade wrote:
On Fri, Sep 23, 2016 at 05:03:00PM +0100, RW wrote:
I've been wondering whether recursive is actually the correct term.
As I understand it there are two types of DNS lookup:
1. Iterative - where
On 23 Sep 2016, at 12:03, RW wrote:
On Thu, 22 Sep 2016 20:24:21 -0700 (PDT)
John Hardin wrote:
Lists shouldn't have said "caching", that confuses the issue. Caching
and recursion are two different, unrelated pieces.
Focus on the "recursion" and "no forwarding" parts of that
recommendation.
On Fri, 23 Sep 2016 13:13:19 -0400
Sean Greenslade wrote:
> On Fri, Sep 23, 2016 at 05:03:00PM +0100, RW wrote:
> > I've been wondering whether recursive is actually the correct term.
> >
> > As I understand it there are two types of DNS lookup:
> >
> > 1. Iterative - where results are found b
On Fri, 23 Sep 2016 16:57:54 +
Shawn Bakhtiar wrote:
> Recursive server does lookups iteratively.
Right, but the question here is why isn't a forwarding server also a
recursive server? Why is the use of iteration the defining feature of
a recursive server and not the support for recursion.
On Fri, Sep 23, 2016 at 05:03:00PM +0100, RW wrote:
> I've been wondering whether recursive is actually the correct term.
>
> As I understand it there are two types of DNS lookup:
>
> 1. Iterative - where results are found by working down through
> multiple servers from the root servers.
>
>
A forwarding name server simply forwards (proxies) the query to an upstream
recursive server.
On Sep 23, 2016, at 9:03 AM, RW <rwmailli...@googlemail.com> wrote:
On Thu, 22 Sep 2016 20:24:21 -0700 (PDT)
John Hardin wrote:
Lists shouldn't have said "caching", that confuses the issue. C
On 23.09.2016 at 10:47, li...@rhsoft.net wrote:
that was one single line containing:
* don't use dns forwarding
* don't use dnsmasq (because it can only do forwarding)
DNS-Resolver with Bind9 is configured now and nameserver is 127.0.0.1.
No URIBL_BLOCKED=0.001 in Spam-Status anymore.
On Thu, 22 Sep 2016 20:24:21 -0700 (PDT)
John Hardin wrote:
> Lists shouldn't have said "caching", that confuses the issue. Caching
> and recursion are two different, unrelated pieces.
>
> Focus on the "recursion" and "no forwarding" parts of that
> recommendation.
I've been wondering whether r
On 23.09.2016 at 10:43, Thomas Barth wrote:
On 23.09.2016 at 10:25, li...@rhsoft.net wrote:
On 22.09.2016 at 21:58, Bowie Bailey wrote:
On 9/22/2016 3:40 PM, Thomas Barth wrote:
On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
fix that - use a local caching resolver with *no forward
On 23.09.2016 at 10:25, li...@rhsoft.net wrote:
On 22.09.2016 at 21:58, Bowie Bailey wrote:
On 9/22/2016 3:40 PM, Thomas Barth wrote:
On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
fix that - use a local caching resolver with *no forwarding* and if you
are using dnsmasq just don't do
On 22.09.2016 at 21:58, Bowie Bailey wrote:
On 9/22/2016 3:40 PM, Thomas Barth wrote:
On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
fix that - use a local caching resolver with *no forwarding* and if you
are using dnsmasq just don't do that for an inbound mailserver
for me that topic is
On 23.09.2016 at 05:24, John Hardin wrote:
On Thu, 22 Sep 2016, Thomas Barth wrote:
On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
URIBL_BLOCKED shows you are using still a dns-forwarder and so won't
get
results from a lot of blacklists
fix that - use a local caching resolver with *no
39 matches