Ben, Here is my understanding of Forwarders & Recursion
If you have forwarders defined then any zone that your DNS is not authoritative for will look to the forwarders to resolve. If you have recursion on then your DNS server will call the root DNS servers and track down the authoritative DNS server for the request. I do not know what will take precedence if you have both defined and enabled. It has been said many times on this list that your ISP frowns on your DNS server using theirs for all the DNS checks that Declude does due to volume. Which goes back to John's point of having a DNS server on your Declude box that does recursive look ups and does not have forwarders defined. Hope it helps Goran Jovanovic Omega Network Solutions > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > [EMAIL PROTECTED] On Behalf Of IMail Admin > Sent: Saturday, April 01, 2006 1:23 PM > To: Declude.JunkMail@declude.com > Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM > scores? > > I see; so it becomes non-authoritative on everything. Do you know what > the > difference is between the two recursion settings in MS DNS? There is one > on > the forwarders tab and one on the advanced tab. > > This is getting a little off-topic, but I appreciate the help anyway and > the > list looks quiet today. So why is recursion necessary? If I have > forwarders configured, wouldn't they either report the answer, or use > recursion, or use forwarders themselves? It would seem that forwarders > should achieve the same results as recursion. For that matter, what would > happen if you enabled recursion but didn't list forwarders? > > Thanks, > > Ben > > ----- Original Message ----- > From: "John T (Lists)" <[EMAIL PROTECTED]> > To: <Declude.JunkMail@declude.com> > Sent: Saturday, April 01, 2006 10:10 AM > Subject: RE: [Declude.JunkMail] recursion turned off causes higher JM > scores? > > > Don't configure any zones but allow recursion. > > John T > eServices For You > > "Seek, and ye shall find!" > > > -----Original Message----- > > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > > [EMAIL PROTECTED] On Behalf Of IMail Admin > > Sent: Saturday, April 01, 2006 9:45 AM > > To: Declude.JunkMail@declude.com > > Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM > scores? > > > > That's what I was thinking. How do you configure the cache-only? > > > > Thanks, > > > > Ben > > > > ----- Original Message ----- > > From: "John T (Lists)" <[EMAIL PROTECTED]> > > To: <Declude.JunkMail@declude.com> > > Sent: Saturday, April 01, 2006 1:59 AM > > Subject: RE: [Declude.JunkMail] recursion turned off causes higher JM > > scores? > > > > > > What I do is install the MS DNS service on the Imail server, configure > it > > for cache only allowing recursion, and point Imail and Declude to that. > Make > > sure your firewall is configured to not allow the world to make DNS > queries > > against it and you are set. > > > > John T > > eServices For You > > > > "Seek, and ye shall find!" > > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > > > [EMAIL PROTECTED] On Behalf Of IMail Admin > > > Sent: Saturday, April 01, 2006 12:20 AM > > > To: Declude.JunkMail@declude.com > > > Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM > > scores? > > > > > > Hi Sandy, > > > > > > OK, I've got recursion back on, so now I get email again. I hate to > think > > > how many complaints I'm going to have in the morning. Fortunately, > most > > of > > > our clients aren't as aggressive as I am in deleting spam based on > rating. > > > > > > I understand what you're saying, and I thank you for the explanation. > I'm > > > not real anxious to get into SimpleDNS (and I've read enough > complaints > > > about BIND to be cautious) first, because of cost, and, second, > because > > it's > > > one more complication. However, I was thinking about something else I > > read > > > here. > > > > > > There was some discussion about running a cache-only DNS server for > > > IMail/Declude. I didn't read most of the thread, and I never saw how > to > > > make the DNS serve cache only, but I was thinking that if I had a > > cache-only > > > server that is only available to the mail server, then I can leave on > > > recursion for it and it won't matter because it wouldn't be available > to > > the > > > public. The public DNS servers I can then turn off their recursion > > feature. > > > What do you think? > > > > > > Thanks again, > > > > > > Ben > > > > > > ----- Original Message ----- > > > From: "Sanford Whiteman" <[EMAIL PROTECTED]> > > > To: "IMail Admin" <Declude.JunkMail@declude.com> > > > Sent: Saturday, April 01, 2006 12:06 AM > > > Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM > > > scores? > > > > > > > > > >> That's when the JM scores got so high. I'm testing a > different > > > >> config now: allow recursion on the Forwarders tab, but disable it > on > > > >> the Advanced tab. I won't know if this works until I get > some > > > >> messages. In the meanwhile, can anyone explain this to me? > > > > > > > > You _must_ allow recursion for the Declude server, or it will not > be > > > > able to resolve zones for which it is not authoritative (i.e. > every > > > > domain you do not own). > > > > > > > > You do not need to allow recursion for the wild Internet, however. > > > > > > > > But MS DNS has a weakness (not a security weakness exactly, but > more > > > > of a functional one) in that recursion is either on or off, > globally, > > > > for the DNS service. This means that if you are hosting > authoritative > > > > zones on the box, and thus need to expose the box to the > outside > > > > world, and that same box is providing recursive DNS to > internal > > > > servers or users, then you are effectively providing recursive DNS > to > > > > the outside world as well (if someone should choose to abuse you > for > > > > this purpose). > > > > > > > > The way around this is to use SimpleDNS or BIND on the server > you > > > > expose to the outside, which both have means of limiting > recursion > > > > without completely disabling it. The simplest install, to my > mind, > > > > without a full migration off MS DNS (a full migration causing > soluble, > > > > but unfun, issues in AD domains), is to run SimpleDNS and MS DNS > on > > > > the same box by binding each one to a different IP. Expose > SimpleDNS > > > > without recursion and make it a secondary for the authoritative > zones. > > > > Keep MS DNS as your primary and as your internal recursive DNS. > Done. > > > > > > > > --Sandy > > > > > > > > > > > > ------------------------------------ > > > > Sanford Whiteman, Chief Technologist > > > > Broadleaf Systems, a division of > > > > Cypress Integrated Systems, Inc. > > > > e-mail: [EMAIL PROTECTED] > > > > > > > > SpamAssassin plugs into Declude! > > > > > > > > > > > http://www.imprimia.com/products/software/freeutils/SPAMC32/download/rel ea > se > > / > > > > > > > > Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into > IMail > > > > Aliases! > > > > > > > > > > > > > > http://www.imprimia.com/products/software/freeutils/exchange2aliases/dow nl > oa > > d/rel > > > ease/ > > > > > > > > > > > > > > http://www.imprimia.com/products/software/freeutils/ldap2aliases/downloa d/ > re > > lease/ > > > > > > > > --- > > > > This E-mail came from the Declude.JunkMail mailing list. To > > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > > type "unsubscribe Declude.JunkMail". The archives can be found > > > > at http://www.mail-archive.com. > > > > > > > > > > --- > > > This E-mail came from the Declude.JunkMail mailing list. To > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > type "unsubscribe Declude.JunkMail". The archives can be found > > > at http://www.mail-archive.com. > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
