A forwarding name server simply forwards (proxies) the query to an upstream 
recursive server.


On Sep 23, 2016, at 9:03 AM, RW <rwmailli...@googlemail.com> wrote:

On Thu, 22 Sep 2016 20:24:21 -0700 (PDT)
John Hardin wrote:


Lists shouldn't have said "caching", that confuses the issue. Caching
and recursion are two different, unrelated pieces.

Focus on the "recursion" and "no forwarding" parts of that
recommendation.

I've been wondering whether recursive is actually the correct term.

As I understand it there are two types of DNS lookup:

 1. Iterative - where results are found by working down through
 multiple servers from the root servers.

 2. Recursive - where a request is made to a single nameserver which
 handles the whole look-up on behalf of a client.

What this turns on is whether a forwarding server is a distinct
class of nameserver or a type of recursive server. I think the
latter is most logical, since both provide a recursive interface.
Definitions of the term "recursive server" that I've seen contrast it
only with "authoritative server".

One thing is certain, what you want is a name server that does
*iterative* lookups.

A forwarding server is best used when a firewall does not allow direct access 
for DNS queries on the egress side (outbound). A forwarding server can be set up 
on the inside to point to a recursive server on the outside (or DMZ) and act as 
a proxy for internal hosts. A recursive server needs to be able to communicate 
unhindered to the world so it can follow the TLD chain down to the 
authoritative host responsible for a given subdomain.

A recursive server does lookups iteratively:
1) get root hints from file and find "." (one of the many) (this dot is implied 
at the end of every domain, i.e. www.example.com. <-- we simply never really 
type the last dot)
2) ask a root server where to look for COM
3) ask .COM where to look for EXAMPLE
4) ask .EXAMPLE.COM where to look for WWW

A forwarding server simply forwards a (usually recursive) request to the next 
available upstream server, with some option to redirect based on the query (but 
that starts getting into multiple views, which is irrelevant here), and the 
recursive server simply sees the forwarding server as a client. It may be 
required based on firewall configuration (a paranoid security specialist may not 
want to allow recursion from just any host on their network).

In regards to the OP and RBL lookups, it makes no difference whether there is a 
forwarding DNS in between the client (the spam blocking MTA) and the/a 
recursive DNS server, but in order for the RBL to work it will have to somehow 
get to a recursive DNS that can find and query the RBL, and that can be 
"proxied" by a forwarding server.

However what will NOT work is asking an authoritative DNS server. Authoritative 
DNS servers strictly provide information for a given sub domain, and *SHOULD* 
not allow recursion (lest you want to participate in DNS 
reflection/amplification DDoS attacks, since authoritative servers must respond 
to queries from the world - any ip address that may ask).

A few simple drill/dig/nslookups would easily provide all the information 
necessary as to how the DNS pathway is setup.

Here is what a drill -T for www.example.com looks like... notice the iterative 
recursion from com. all the way down to the host:

drill -T www.example.com
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
example.com. 172800 IN NS a.iana-servers.net.
example.com. 172800 IN NS b.iana-servers.net.
www.example.com. 86400 IN A 93.184.216.34
example.com. 86400 IN NS a.iana-servers.net.
example.com. 86400 IN NS b.iana-servers.net.


And here is the same query using dig on my SPAM firewall for a known IP listed 
on zen.spamhaus.org, again notice the recursion starting at root (.) .

dig 137.140.166.46.zen.spamhaus.org +trace

; <<>> DiG 9.10.3-P4-RedHat-9.10.3-9.P4.fc22 <<>> 137.140.166.46.zen.spamhaus.org +trace
;; global options: +cmd
. 3600000 IN NS A.ROOT-SERVERS.NET.
. 3600000 IN NS L.ROOT-SERVERS.NET.
. 3600000 IN NS M.ROOT-SERVERS.NET.
. 3600000 IN NS K.ROOT-SERVERS.NET.
. 3600000 IN NS E.ROOT-SERVERS.NET.
. 3600000 IN NS B.ROOT-SERVERS.NET.
. 3600000 IN NS J.ROOT-SERVERS.NET.
. 3600000 IN NS C.ROOT-SERVERS.NET.
. 3600000 IN NS I.ROOT-SERVERS.NET.
. 3600000 IN NS G.ROOT-SERVERS.NET.
. 3600000 IN NS F.ROOT-SERVERS.NET.
. 3600000 IN NS D.ROOT-SERVERS.NET.
. 3600000 IN NS H.ROOT-SERVERS.NET.
;; Received 755 bytes from 12.238.189.39#53(12.238.189.39) in 0 ms

org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 86400 IN DS 9795 7 2 3922B31B6F3A4EA92B19EB7B52120F031FD8E05FF0B03BAFCF9F891B FE7FF8E5
org. 86400 IN DS 9795 7 1 364DFAB3DAF254CAB477B5675B10766DDAA24982
org. 86400 IN RRSIG DS 8 1 86400 20161006050000 20160923040000 46551 . RzDTYEgRWt1dlH6MIF0MMlofnZIVFh5Rd3Y/jfAOQ3yVGcrsKYyB8P+7 KDht4RG1dbDvM3bJwm7qetUzJn12o7Nf5viVB6AHHZbo/8w90/USsop+ 33QD55SLzxWJe9RJMKZjAsdmiHscBJp9RqIEsc7AiQI03i7KU4CpPa+y alM=
;; Received 705 bytes from 192.5.5.241#53(F.ROOT-SERVERS.NET) in 57 ms

spamhaus.org. 86400 IN NS ns-1370.awsdns-43.org.
spamhaus.org. 86400 IN NS ns-971.awsdns-57.net.
spamhaus.org. 86400 IN NS ns-85.awsdns-10.com.
spamhaus.org. 86400 IN NS ns20.ja.net.
spamhaus.org. 86400 IN NS ns-1743.awsdns-25.co.uk.
spamhaus.org. 86400 IN NS ns4.spamhaus.org.
spamhaus.org. 86400 IN NS ns3.spamhaus.org.
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN NSEC3 1 1 1 D399EAAB H9PARR669T6U8O1GSG9E1LMITK4DEM0T NS SOA RRSIG DNSKEY NSEC3PARAM
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN RRSIG NSEC3 7 2 86400 20161014165539 20160923155539 48497 org. R+OoRP6wR/FzQtGjrAcH2WubT8qnCagfB8OlReA+T9rKfqaDgRGg9b5f IDpRPVfPOU5jc97Hx/kMlb8S/JICjMTj13+BaUK7LQXejwwaeL6wJACb iawfIeEx9o0TsDzMuE4IgwUFMT6SNP8YiVsRyA6BPmeCjaLkQNN/D+LQ B3E=
8u8ohvmvqkm4a955sbgfvd4jo6dp2p2f.org. 86400 IN NSEC3 1 1 1 D399EAAB 8U9SBITJER6VK49M4572H37KF4MP2905 NS DS RRSIG
8u8ohvmvqkm4a955sbgfvd4jo6dp2p2f.org. 86400 IN RRSIG NSEC3 7 2 86400 20161011091354 20160920081354 48497 org. RPL7CPf7pOr3bd5u2qbftI9kVkpnNlUa482WAIGg5uq5sLC2Nw2k0Uek ilihEJhlt0WAIH+8CUlZifGkd78/i5fNcJ/S9mOBNPMWVadGZYEzwR6Y H6VW9mkg64eEsMwjHn73wxy+jh0iRXLBRCzMdOnFxDXETonNPkezg0P5 IsM=
;; Received 851 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 123 ms

zen.spamhaus.org. 3600 IN NS 0.ns.spamhaus.org.
zen.spamhaus.org. 3600 IN NS 2.ns.spamhaus.org.
zen.spamhaus.org. 3600 IN NS 3.ns.spamhaus.org.
zen.spamhaus.org. 3600 IN NS 4.ns.spamhaus.org.
zen.spamhaus.org. 3600 IN NS 5.ns.spamhaus.org.
zen.spamhaus.org. 3600 IN NS 7.ns.spamhaus.org.
zen.spamhaus.org. 3600 IN NS 8.ns.spamhaus.org.
zen.spamhaus.org. 3600 IN NS b.ns.spamhaus.org.
zen.spamhaus.org. 3600 IN NS c.ns.spamhaus.org.
zen.spamhaus.org. 3600 IN NS d.ns.spamhaus.org.
zen.spamhaus.org. 3600 IN NS f.ns.spamhaus.org.
zen.spamhaus.org. 3600 IN NS g.ns.spamhaus.org.
zen.spamhaus.org. 3600 IN NS h.ns.spamhaus.org.
zen.spamhaus.org. 3600 IN NS i.ns.spamhaus.org.
zen.spamhaus.org. 3600 IN NS k.ns.spamhaus.org.
zen.spamhaus.org. 3600 IN NS o.ns.spamhaus.org.
zen.spamhaus.org. 3600 IN NS q.ns.spamhaus.org.
zen.spamhaus.org. 3600 IN NS t.ns.spamhaus.org.
zen.spamhaus.org. 3600 IN NS x.ns.spamhaus.org.
;; Received 2207 bytes from 205.251.197.90#53(ns-1370.awsdns-43.org) in 3 ms

137.140.166.46.zen.spamhaus.org. 60 IN A 127.0.0.3
;; Received 65 bytes from 129.143.4.184#53(d.ns.spamhaus.org) in 168 ms


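The checks the thread keeps coming back to (is the server the MTA talks to really a recursive resolver, directly or through a forwarder, and what does the 127.0.0.x answer from zen.spamhaus.org mean), as an added example that is not part of any message in this thread. It assumes dig (bind-utils/dnsutils) is installed for the live check; rbl_name, classify_dig_output, dig_answer, rbl_verdict and check_rbl are hypothetical helper names, and the dig header in SAMPLE_DIG is constructed, not captured from the servers shown above.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers for checking what kind of
# name server a mail host is actually talking to and for reading a DNSBL
# answer. Only check_rbl touches the network; everything else works on text.

# Build the DNSBL query name for an IPv4 address: octets reversed, list zone
# appended, e.g. 46.166.140.137 + zen.spamhaus.org -> 137.140.166.46.zen.spamhaus.org
# (the name queried in the thread). Rejects anything that is not a dotted quad.
rbl_name() {
    ip=$1; zone=$2
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || { echo "rbl_name: not a dotted quad: $ip" >&2; return 1; }
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) echo "rbl_name: bad octet in $ip" >&2; return 1 ;;
        esac
        [ "$octet" -le 255 ] || { echo "rbl_name: bad octet in $ip" >&2; return 1; }
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Classify a plain (non-trace) dig run from the answer header. A server that
# will recurse for us sets RA (recursion available); an authoritative-only
# server answers with RA clear, usually alongside REFUSED.
classify_dig_output() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    [ -n "$flags" ] || { echo "classify_dig_output: no dig header in input" >&2; return 2; }
    case " $flags " in
        *" ra "*) echo recursive ;;
        *)        echo non-recursive ;;
    esac
}

# First A record in the answer section (fields: name ttl class type rdata).
dig_answer() {
    printf '%s\n' "$1" | awk '$1 !~ /^;/ && $3 == "IN" && $4 == "A" { print $5; exit }'
}

# Interpret the DNSBL answer. Listings come back inside 127.0.0.0/8; the
# 127.255.255.x values are the error codes Spamhaus documents, the middle
# one being exactly the failure mode this thread is about.
rbl_verdict() {
    case $1 in
        '')              echo "not listed" ;;
        127.255.255.252) echo "error: typo in the query name" ;;
        127.255.255.254) echo "error: query sent via a public/open resolver, use your own recursive server" ;;
        127.255.255.255) echo "error: query volume limit exceeded" ;;
        127.*)           echo "listed ($1)" ;;
        *)               echo "unexpected answer $1, check the resolver path" ;;
    esac
}

# Live check (needs network and dig): ask the resolver the MTA uses, with
# recursion desired, and print the server class plus the verdict.
check_rbl() {
    server=$1; ip=$2; zone=$3
    name=$(rbl_name "$ip" "$zone") || return 1
    out=$(dig @"$server" +tries=1 +time=3 "$name" A) || return 1
    classify_dig_output "$out"
    rbl_verdict "$(dig_answer "$out")"
}

# Constructed sample (not captured output) of what a working recursive
# resolver returns for the name queried in the thread.
SAMPLE_DIG=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
137.140.166.46.zen.spamhaus.org. 60 IN A 127.0.0.3'

classify_dig_output "$SAMPLE_DIG"            # recursive
rbl_verdict "$(dig_answer "$SAMPLE_DIG")"    # listed (127.0.0.3)
```

Run `check_rbl <resolver> <client ip> zen.spamhaus.org` on the MTA, pointing at whatever /etc/resolv.conf names. A forwarder in the path is invisible here, as the thread says: what matters is that the final answer carries RA and a 127.0.0.x result. "non-recursive" means the MTA has been pointed at an authoritative-only server; 127.255.255.254 means the forwarder chain ends at a public resolver that Spamhaus refuses to serve, which is the other common reason RBL rules silently never fire.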
