disable recursion when using forwarder?

djc

Currently my internal DNS server resolves internal names itself and I have
forwarders configured for internet name resolution. My ISP's DNS servers.
If I disable recursion on the forwarders tab of Windows 2000 SP4 DNS server
will that A) force the forwarding server to handle all recursion for me? and
thus B) increase performance?

Any info would be greatly appreciated. Thanks.
 
djc said:
Currently my internal DNS server resolves internal names itself and I have
forwarders configured for internet name resolution. My ISP's DNS servers.
If I disable recursion on the forwarders tab of Windows 2000 SP4 DNS server
will that A) force the forwarding server to handle all recursion for me? and
thus B) increase performance?

A) Yes, B) maybe, but let's describe what it will do precisely

Disabling recursion (ONLY on the Forwarders tab for this
scenario*) will stop the internal server from also processing
the recursion directly.

This is the ONLY (viable) choice if your firewall or corporate
security policy forbids the internal server from "going outside".

It will limit (to some small extent) the use of the WAN by the
internal server, which is a duplication since the forwarder is
already handling all of the recursive requests too (so some
performance improvement maybe, and reduction of unnecessary
traffic on the WAN).

Once you have decided to use the ISP as a forwarder (and there
can be a case made against doing this) then you might as well
take full advantage of it (the ISP DNS) being able to do the
lookups most efficiently.

You however are dependent on the ISP in two ways: the
security of their DNS server AND the reliability of that
server.

djc said:
Any info would be greatly appreciated. Thanks.

Generally if the ISP is reliable then disable the recursion.

(Using the OTHER form of disabling recursion on the
Advanced tab however disables EVEN "forwarding" so
generally you use THAT on a public server that should
resolve YOUR zone, but which you do not want other
external users to abuse for recursive lookups.)
 
Thank you for the great explanation Herb. It's appreciated.

Herb Martin said:
djc said:
Currently my internal DNS server resolves internal names itself and I have
forwarders configured for internet name resolution. My ISP's DNS servers.
If I disable recursion on the forwarders tab of Windows 2000 SP4 DNS server
will that A) force the forwarding server to handle all recursion for me? and
thus B) increase performance?

A) Yes, B) maybe, but let's describe what it will do precisely

Disabling recursion (ONLY on the Forwarders tab for this
scenario*) will stop the internal server from also processing
the recursion directly.

This is the ONLY (viable) choice if your firewall or corporate
security policy forbids the internal server from "going outside".

It will limit (to some small extent) the use of the WAN by the
internal server, which is a duplication since the forwarder is
already handling all of the recursive requests too (so some
performance improvement maybe, and reduction of unnecessary
traffic on the WAN).

Once you have decided to use the ISP as a forwarder (and there
can be a case made against doing this) then you might as well
take full advantage of it (the ISP DNS) being able to do the
lookups most efficiently.

You however are dependent on the ISP in two ways: the
security of their DNS server AND the reliability of that
server.

djc said:
Any info would be greatly appreciated. Thanks.

Generally if the ISP is reliable then disable the recursion.

(Using the OTHER form of disabling recursion on the
Advanced tab however disables EVEN "forwarding" so
generally you use THAT on a public server that should
resolve YOUR zone, but which you do not want other
external users to abuse for recursive lookups.)


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 