I think the recommendation is to not allow recursion (the ability to resolve domains for which the DNS server is not authoritative) on your nameservers. Use a separate DNS server with no zones for internal lookups (like for IMail, etc.). That means you either need multiple servers, or need to use a DNS server other than what's built into Windows 2003.

If you disable recursion, and your DNS server is the only DNS server referenced in your machine's config for DNS resolution, then external domains will not resolve for that machine. Unfortunately Windows DNS will not selectively allow DNS recursion by requesting IP. I understand that other products will, though, like BIND for Windows, and SimpleDNS.

Yes, to the FreeBSD question. Point your machine's DNS to it for IMail, etc. so it can look up domains you're not authoritative for, and keep recursion off of your nameservers.

Darin.

----- Original Message -----
From: "Marc Funaro" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Saturday, June 10, 2006 10:17 AM
Subject: [IMail Forum] SOT: DNS Recursion

Hi All,

In striving to remove all red flags from our DNS report, I have only one left: DNS recursion. The dnsreport site has this information on the subject: http://www.dnsreport.com/info/opendns.htm

If I am running web or mail servers that require DNS lookups (like looking up a domain in order to deliver mail to them...?) and I disable recursion altogether on my Windows 2003 DNS servers, what exactly will happen? Will my non-recursive DNS server simply tell the machine requesting the lookup to go somewhere else to get the info, or will the lookup fail altogether? What is everyone else doing to remove this particular red flag from their report?

Second, the link above has the following text: "If anyone is aware of a way to get Microsoft DNS to allow recursion only to specific IP ranges, please let us know -- lots of people would like to do that." Couldn't this be done with the firewall/packet filter on the DNS machine(s), as a workaround?

What if I use our Windows 2003 DNS servers just for the zones for which they are authoritative, and disable recursion, and then use a separate FreeBSD server just for lookups that need to be resolved for non-authoritative lookups... Would this be a good way to go?

Welcoming your thoughts, towards a clean DNS Report... Thanks everyone!
Marc

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
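A way to confirm, on a nameserver you administer, that recursion really is off after the change Darin describes (an added example, not code from the thread or from any product named in it): it sends one recursion-desired query for a name the server is not authoritative for and reads the RA (recursion available) bit of the reply, which a server with recursion disabled leaves clear, typically alongside a REFUSED or referral answer. The test name `example.com` and the two sample response headers are constructed assumptions.

```python
import socket
import struct

# Constructed 12-byte response headers for offline checks (not captured traffic):
# flags 0x8180 = QR, RD, RA set, rcode NOERROR  -> server offers recursion (open resolver)
# flags 0x8105 = QR, RD set, RA clear, rcode 5  -> recursion disabled, query REFUSED
SAMPLE_RECURSIVE = bytes.fromhex("1234 8180 0001 0000 0000 0000")
SAMPLE_NONRECURSIVE = bytes.fromhex("1234 8105 0001 0000 0000 0000")


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Standard A/IN query with RD (recursion desired) set, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def parse_header(resp: bytes) -> dict:
    """Pull the header bits a recursion check cares about out of a DNS response."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", resp[:4])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F}


def offers_recursion(resp: bytes) -> bool:
    """RA set in a reply means the server is willing to recurse for this client."""
    h = parse_header(resp)
    return h["qr"] and h["ra"]


def check_server(server: str, qname: str = "example.com", timeout: float = 3.0) -> bool:
    """Send one UDP/53 query to a nameserver you operate and report whether it recurses."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        resp, _ = s.recvfrom(512)
    if resp[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return offers_recursion(resp)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    state = "offers" if check_server(target) else "does not offer"
    print(f"{target} {state} recursion to this client")
```

Run it once from an internal address and once from outside the ranges your firewall or ACL permits: the internal run should report recursion and the external one should not.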
