On 23 Sep 2016, at 16:18, Greg Troxel wrote:

> "Bill Cole" <sausers-20150...@billmail.scconsult.com> writes:
>
>> On 22 Sep 2016, at 23:24, John Hardin wrote:
>>
>>> As far as I understand it, dnsmasq cannot be used for local
>>> recursion; it's purely a lightweight local DNS cache layer.
>>
>> Your understanding is correct; dnsmasq is unfit for service as a
>> resolver for a mail server because it cannot perform recursion, it
>> only does forwarding to other real DNS servers.
>
> True, but I don't see harm in forwarding queries to a local recursive
> server that is used only by one's own group of machines.

Sure, although 'local' is important for performance reasons. I've done similar 
things (with Solaris' nscd as a local cache as well as dnsmasq) to give MTA 
farms access to a unified cache on a shared recursive resolver, which can be a 
worthwhile tactic for performance.

> The problems
> all appear to be from forwarding queries to resolvers run by one's ISP
> or worse the google public ones.

For DNSBL volume blocking discussed here, that's always been the case as far as 
I've seen. However, as receiving systems scale up, a local recursive resolver 
on each MTA eventually doesn't save them from being blocked; it puts them at 
slightly more risk compared to using a shared local server providing a unified 
cache (as above). Such a server also is the ideal place to host the local 
copies of the DNSBL zones one buys from their various providers (because that's 
the RIGHT thing to do when you REALLY have the volume to justify blockage...)
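
As an added illustration of the arrangement described above (an editor's example, not configuration posted by anyone in this thread), here is a dnsmasq.conf for one MTA node that forwards only to a shared local recursive resolver, with the weak "forward to a public resolver" setting shown commented out beside it. The resolver address 192.0.2.53 and the cache size are assumed placeholders:

```conf
# /etc/dnsmasq.conf on each MTA node (added example; 192.0.2.53 is a placeholder)

# Weak setting: forwarding every lookup to a public resolver. DNSBL operators
# see the combined volume of everyone behind that resolver's address pool and
# rate-limit or block it, so the MTA's lookups get refused along with the rest.
#server=8.8.8.8

# Ignore /etc/resolv.conf so nothing silently falls back to the ISP's resolver
no-resolv

# Forward everything to the shared local recursive resolver (the unified cache)
server=192.0.2.53

# This is a per-host cache, not a service: answer only on loopback
listen-address=127.0.0.1
bind-interfaces

# Keep enough entries locally that repeated DNSBL lookups for the same
# client addresses do not round-trip to the shared resolver
cache-size=10000

# Do not forward plain hostnames or private reverse zones upstream
domain-needed
bogus-priv
```

On the MTA nodes /etc/resolv.conf then points at 127.0.0.1 only; the shared resolver at 192.0.2.53 is where the locally transferred copies of the purchased DNSBL zones would be served, so every node's dnsmasq gets those answers from the same cache without any query leaving the site.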
