Hi Sandy,

OK, I've got recursion back on, so now I get email again. I hate to think how many complaints I'm going to have in the morning. Fortunately, most of our clients aren't as aggressive as I am in deleting spam based on rating.

I understand what you're saying, and I thank you for the explanation. I'm not real anxious to get into SimpleDNS (and I've read enough complaints about BIND to be cautious) first, because of cost, and, second, because it's one more complication. However, I was thinking about something else I read here.

There was some discussion about running a cache-only DNS server for IMail/Declude. I didn't read most of the thread, and I never saw how to make the DNS serve cache only, but I was thinking that if I had a cache-only server that is only available to the mail server, then I can leave on recursion for it and it won't matter because it wouldn't be available to the public. The public DNS servers I can then turn off their recursion feature. What do you think?

Thanks again,

Ben

----- Original Message ----- From: "Sanford Whiteman" <[EMAIL PROTECTED]>
To: "IMail Admin" <Declude.JunkMail@declude.com>
Sent: Saturday, April 01, 2006 12:06 AM
Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores?


That's  when  the  JM  scores  got  so high. I'm testing a different
config now: allow recursion on the Forwarders tab, but disable it on
the  Advanced  tab.  I  won't  know  if  this works until I get some
messages. In the meanwhile, can anyone explain this to me?

You  _must_  allow recursion for the Declude server, or it will not be
able  to  resolve  zones for which it is not authoritative (i.e. every
domain you do not own).

You do not need to allow recursion for the wild Internet, however.

But  MS  DNS has a weakness (not a security weakness exactly, but more
of  a functional one) in that recursion is either on or off, globally,
for  the DNS service. This means that if you are hosting authoritative
zones  on  the  box,  and  thus  need to expose the box to the outside
world,  and  that  same  box  is  providing  recursive DNS to internal
servers  or users, then you are effectively providing recursive DNS to
the  outside  world as well (if someone should choose to abuse you for
this purpose).

The  way  around  this  is  to use SimpleDNS or BIND on the server you
expose  to  the  outside,  which both have means of limiting recursion
without  completely  disabling  it.  The simplest install, to my mind,
without a full migration off MS DNS (a full migration causing soluble,
but  unfun,  issues  in AD domains), is to run SimpleDNS and MS DNS on
the  same  box by binding each one to a different IP. Expose SimpleDNS
without recursion and make it a secondary for the authoritative zones.
Keep MS DNS as your primary and as your internal recursive DNS. Done.

--Sandy


------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!

http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!

http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/

http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Reply via email to