Another way to look at it.
Recursion:
Off: DNS server can only answer queries from its local zone files. Queries
for any other records return no results. Used when server is authoritative
for Public domains (declude.com, nasa.gov)
On: DNS server will try to answer all Queries. If it does not know the
answer it will call out to other DNS servers to get the answer.
( I run both. I have 4 non-recursive DNS servers for hosting zone files, and 2
recursive DNS servers for workstations to point to. )
Forwarders: Valid only if Recursion is on.
If Forwarder is set and DNS server does not know the answer to a query, the
DNS server will ask the Forwarder DNS server for the answer.
If no Forwarder is set and the DNS server does not know the answer to a
query the DNS server will contact the Root servers and find the answer itself.
My experience with MS DNS is that forwarders are set up at installation because
the installer assumes a blank forwarder means the DNS server will be unable to
lookup addresses. Because DNS works with a forwarder the setting gets left on.
About the only time I recommend forwarders is if the site uses something like
OpenDNS for Content Filtering, in which case all queries should go to the
OpenDNS servers.
-----Original Message-----
From: "Sanford Whiteman" <[email protected]>
Sent 3/15/2013 8:08:14 PM
To: [email protected]
Subject: Re: [Declude.JunkMail] why have spam scores jumped?
> > The challenge for me is in not using forwarding. For MS DNS
> > servers, forwarding and recursion are tied together; turn off one
> > and you lose both.
>
> Incorrect. Turning off recursion turns off forwarders, but not vice versa.
> You can have a perfectly operating recursive MS DNS server that does not
> delegate recursion to any other server (forwarding amounts to delegating
> recursion, but the server as a whole is still recursive, thus the
> unidirectional relationship between the two settings). You only MUST use
> forwarders if you are not allowed to pass DNS requests out past your ISP's
> border (similar to when you have to use the ISP's outbound SMTP gateway).
>
> > So if I turn off recursion and forwarding, then all my DNS requests
> > will have to go to the root servers for resolution.
>
> No, if you turn off recursion completely, you can't get responses for
> domains that aren't on your box. No one is going to do it for you -- the
> "root servers" sure won't.
>
> > I do understand the dangers of being an open resolver
>
> You're mixing up a lot of terms here. An open resolver is one that will
> perform recursive lookups for any address on the open internet.
>
> > but I am also under the impression that resolving only through root
> > servers is bad.
>
> It's not "bad," it doesn't exist.
>
> > Since MS seems to recommend forwarding I doubt that...
>
> > With a stub zone, queries to URIBL.com are resolved directly through
> > the URIBL Name servers...
>
> ... and there is no reason to go down this road. If you can get DNS
> requests past your ISP, there's no reason to have forwarders.
>
> -- S.
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just
> send an E-mail to [email protected], and type "unsubscribe
> Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
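An added example, not part of either message above: a way to confirm from the wire which of the two roles a DNS server is actually playing, by sending a query with RD (recursion desired) set for a name the server does not host and reading the RA (recursion available) bit, response code and answer count in the reply header. The function names and the sample replies are constructed for illustration.

```python
import socket
import struct

RD, RA, AA, QR = 0x0100, 0x0080, 0x0400, 0x8000  # header flag bits, RFC 1035

def build_query(name, qid=0x1234):
    """DNS A/IN query with RD (recursion desired) set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def classify(reply):
    """Read recursion behaviour from a reply to an RD=1 query for a name
    the server does not host."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if not flags & QR:
        raise ValueError("not a response")
    ra, rcode = bool(flags & RA), flags & 0x000F
    if ra and rcode == 0 and ancount:
        verdict = "recursive"                      # fetched an answer it does not host
    elif ra:
        verdict = "recursion offered, no answer"
    elif rcode == 5:
        verdict = "non-recursive (REFUSED)"
    else:
        verdict = "non-recursive"                  # e.g. empty answer or referral
    return {"ra": ra, "aa": bool(flags & AA), "rcode": rcode,
            "answers": ancount, "verdict": verdict}

def ask(server, name, timeout=3.0):
    """Send the query over UDP to a server you administer and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recvfrom(512)[0])

def fake_reply(flags, ancount):
    """Constructed sample: header-only reply, no record data."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

SAMPLES = {  # constructed replies, not captured traffic
    "recursive server": fake_reply(QR | RD | RA, 1),
    "authoritative-only, refuses": fake_reply(QR | RD | 5, 0),
    "authoritative-only, referral": fake_reply(QR | RD, 0),
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(label, "->", classify(reply)["verdict"])
```

The result depends on where the query comes from: a server that reports "recursive" to a workstation on the LAN is expected, while the same verdict from an address outside the network is the open-resolver condition mentioned in the thread.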