On 24 May 2016, at 15:58, David Jones wrote:

> Dnsmasq is a very powerful DNS server

LOL. Its man page (see http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) opens with the implied admission that it isn't even a "real" DNS server: which it isn't. It's a bloatware DNS proxy. For many years its default configuration made it an open resolver with no mitigation for DNS amplification attacks and it is still being distributed that way by some packagers.

BIND is a "very powerful" DNS server. It also sucks much less than it used to but has such a rococo feature set that it probably shouldn't be used by anyone who doesn't treat DNS as an artistic medium. Using it for straightforward caching and autonomous recursive resolution is a widespread practice in the same way that using full-size SUVs for suburban commuting is a widespread practice.

Unbound is a very good recursive resolution and caching DNS server, which is the functionality one actually needs on a modern mail server (or on the same physical LAN) to keep DNS from being a bottleneck. Because it is not an authoritative server, it lacks much of BIND's "power" along with most of the features that have been involved in the last dozen or so BIND vulnerabilities.

> so I am sure it can be configured to do full recursive lookups

See the cited man page, which almost clearly says otherwise:

Dnsmasq is a DNS query forwarder: it it [sic] not capable of recursively
        answering arbitrary queries starting from the root servers

For its design target, Dnsmasq is an acceptable hack: a local DNS cache for small routers serving typical home networks that also does DHCP. It simply isn't fit for a mail server using modern anti-spam measures, not just because it must forward to a real DNS server on the other side of a WAN link and usually at least 2 routing hops which is probably URIBL_BLOCKED anyway, but also because it is normally run on devices that have very tight memory constraints, limiting its cache.
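As an added illustration (not part of the post above), this is the shape of an Unbound configuration for the mail-server role described: a recursive, caching resolver that answers only its own host and LAN, so it is not an open resolver usable for amplification, with a cache sized to keep DNSBL/URIBL lookups from becoming a bottleneck. The 192.0.2.0/24 network and the 192.0.2.10 address are assumed example values; adjust to the real LAN.

```conf
# unbound.conf (assumed example, not from the mailing-list post)
server:
    # Listen only on loopback and the LAN-facing address (192.0.2.10 is assumed).
    interface: 127.0.0.1
    interface: 192.0.2.10

    # Default for everything not listed below: refuse, so the resolver is not
    # reachable as an open recursive resolver from the Internet.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    # Allow recursion only for the mail host itself and its LAN (assumed range).
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow

    # Per-client query rate limit as a second line of defence against a
    # compromised LAN host using the resolver for reflection.
    ip-ratelimit: 1000

    # Cache sizing: anti-spam DNSBL/URIBL traffic is many small lookups, so a
    # generous cache avoids the constrained-memory problem noted for dnsmasq.
    msg-cache-size: 64m
    rrset-cache-size: 128m
    prefetch: yes

    # Do not advertise software identity/version to querying clients.
    hide-identity: yes
    hide-version: yes
```

Check the effective policy with `unbound-checkconf` before reloading; a query from an address outside the allowed ranges should receive REFUSED rather than an answer.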
