Re: disable recursion when using forwarder?




Thank you for the great explanation Herb. It's appreciated.

"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:OYKLy0fIGHA.3492@xxxxxxxxxxxxxxxxxxxxxxx
> "djc" <noone@xxxxxxxxxxx> wrote in message
> news:uyr3LibIGHA.2628@xxxxxxxxxxxxxxxxxxxxxxx
> > Currently my internal DNS server resolves internal names itself and I
> > have forwarders configured for internet name resolution. My ISP's DNS
> > servers.
> > If I disable recursion on the forwarders tab of Windows 2000 SP4 DNS
> > server will that A) force the forwarding server to handle all recursion
> > for me? and thus B) increase performance?
>
> A) Yes, B) maybe, but let's describe what it will do precisely
>
> Disabling recursion (ONLY on the Forwarders tab for this
> scenario*) will stop the internal server from also processing
> the recursion directly.
>
> This is the ONLY (viable) choice if your firewall or corporate
> security policy forbids the internal server from "going outside".
>
> It will limit (to some small extent) the use of the WAN by the
> internal server, which is a duplication since the forwarder is
> already handling all of the recursive requests too (so some
> performance improvement maybe, and reduction of unnecessary
> traffic on the WAN).
>
> Once you have decided to use the ISP as a forwarder (and there
> can be a case made against doing this) then you might as well
> take full advantage of it (the ISP DNS) being able to do the
> lookups most efficiently.
>
> You however are dependent on the ISP in two ways: the
> security of their DNS server AND the reliability of that
> server.
>
> > any info would be greatly appreciated. Thanks.
>
> Generally if the ISP is reliable then disable the recursion.
>
> (Using the OTHER form of disabling recursion on the
> Advanced tab however disables EVEN "forwarding" so
> generally you use THAT on a public server that should
> resolve YOUR zone, but which you do not want other
> external users to abuse for recursive lookups.)
>
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]
>
> >
> >
>
>
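Added example, not part of the original thread: a client-side check of whether a DNS server you administer still offers recursion, which is what the Advanced-tab setting described above is meant to switch off on a public server. It reads the RA (recursion available) flag and rcode from the response header; the function names, `www.example.com` and the `192.0.2.10` answer are constructed for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Build a DNS A/IN query with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify_response(packet):
    """Read RA, rcode and answer count from a DNS response header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    ra, rcode = bool(flags & 0x0080), flags & 0x000F
    if not ra:
        verdict = "recursion-disabled"      # referral or REFUSED, nothing looked up
    elif rcode == 0 and answers:
        verdict = "recursion-served"        # server (or its forwarder) resolved it
    elif rcode == 2:
        verdict = "recursion-failed"        # offered, but the lookup or forwarder failed
    else:
        verdict = "inconclusive"
    return {"ra": ra, "rcode": RCODES.get(rcode, str(rcode)),
            "answers": answers, "verdict": verdict}

def probe(server, name, timeout=3.0):
    """Send one recursive query over UDP to a server you administer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        return classify_response(sock.recvfrom(512)[0])

def sample_response(flags, answer=False):
    """Constructed response to build_query('www.example.com') for offline use."""
    q = build_query("www.example.com")
    head = struct.pack("!HHHHHH", 0x1234, flags, 1, int(answer), 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return head + q[12:] + (rr if answer else b"")

if __name__ == "__main__":
    for flags, ans in ((0x8180, True), (0x8105, False), (0x8182, False)):
        print(hex(flags), classify_response(sample_response(flags, ans)))
```

Run `probe()` from outside the network with a name the server is not authoritative for; a public server with recursion disabled should come back as `recursion-disabled`.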

