Do not use recursion on this domain oz.ozugurlu 11/7/2008 5:10:01 PM I would like to know what you guys are thinking about the option below in DNS “Do not use recursion on this domain” on the DNS setting. The option is there for Don’t let your internal servers roam the Internet looking for name servers.( Bill Boswell), by the way Bill Boswell has always been one of the best in my eyes for Exchange and active directory I do enjoy his books a lot. http://redmondmag.com/features/article.asp?EditorialsID=413 So the point I am trying to make is, If ISP DNS servers fail, or wherever we are forwarding for internet name resolution, we do bigger issues to worry about. If this happens it seems to be still better option to do recursive lookup to the root server for internet name resolution even it will be many hops and slow response, rather than giving no answer any toughts? -- Oz Ozugurlu MVP (Exchange) MCITP (EMA), MCITP (EA),MCITP (SA) MCSE 2003, M+, S+, MCDST Security+, Project +, Server + oz[ at ]SMTp25.org http://smtp25.blogspot.com (Blog)

RE: Do not use recursion on this domain James Yeomans BSc, MCSE 11/11/2008 9:48:09 PM Isn't it just a good way of blocking resolution on domains that you dont want users to access? Not exactly an all round filtering solution but has small scale benefits. -- James Yeomans, BSc, MCSE Ask me directly at: http://www.justaskjames.co.uk "oz.ozugurlu" wrote: [Quoted Text] > I would like to know what you guys are thinking about the option below in DNS > “Do not use recursion on this domain” on the DNS setting. > > The option is there for > > Don’t let your internal servers roam the Internet looking for name servers.( > Bill Boswell), by the way Bill Boswell has always been one of the best in my > eyes for Exchange and active directory I do enjoy his books a lot. > http://redmondmag.com/features/article.asp?EditorialsID=413 > > So the point I am trying to make is, > > If ISP DNS servers fail, or wherever we are forwarding for internet name > resolution, we do bigger issues to worry about. > > If this happens it seems to be still better option to do recursive lookup to > the root server for internet name resolution even it will be many hops and > slow response, rather than giving no answer > > any toughts? > -- > Oz Ozugurlu > MVP (Exchange) > MCITP (EMA), MCITP (EA),MCITP (SA) > MCSE 2003, M+, S+, MCDST > Security+, Project +, Server + > > > oz[ at ]SMTp25.org > http://smtp25.blogspot.com (Blog)

RE: Do not use recursion on this domain oz.ozugurlu 11/11/2008 10:35:00 PM James, my point is to continue to have the name resolution in case if the forwarders are not answering the recursive queries for a particular domain, knowing the root hint servers will be there even it will be slow but still internet name resolution is going to be working for the internal clients, So **not** selecting the option “do not use recursion for this domain” seems to be better way for going forward providing DNS name resolution. I just cannot see the bad part of doing this, hence I was wondering if someone out there can shade a light on this. At the end of the day everyone cares about not getting **Page can not be displayed** when they type www.google.com into their web browsers in my opinion as well as having access to all domain related resources. I really would think content filtering software would be best way to fight/ deal with blocking access type of situations, something like websense. -- Oz Ozugurlu MVP (Exchange) MCITP (EMA), MCITP (EA),MCITP (SA) MCSE 2003, M+, S+, MCDST Security+, Project +, Server + oz[ at ]SMTp25.org http://smtp25.blogspot.com (Blog) "James Yeomans BSc, MCSE" wrote: [Quoted Text] > Isn't it just a good way of blocking resolution on domains that you dont want > users to access? Not exactly an all round filtering solution but has small > scale benefits. > -- > James Yeomans, BSc, MCSE > Ask me directly at: http://www.justaskjames.co.uk > > > "oz.ozugurlu" wrote: > > > I would like to know what you guys are thinking about the option below in DNS > > “Do not use recursion on this domain” on the DNS setting. > > > > The option is there for > > > > Don’t let your internal servers roam the Internet looking for name servers.( > > Bill Boswell), by the way Bill Boswell has always been one of the best in my > > eyes for Exchange and active directory I do enjoy his books a lot. > > http://redmondmag.com/features/article.asp?EditorialsID=413 > > > > So the point I am trying to make is, > > > > If ISP DNS servers fail, or wherever we are forwarding for internet name > > resolution, we do bigger issues to worry about. > > > > If this happens it seems to be still better option to do recursive lookup to > > the root server for internet name resolution even it will be many hops and > > slow response, rather than giving no answer > > > > any toughts? > > -- > > Oz Ozugurlu > > MVP (Exchange) > > MCITP (EMA), MCITP (EA),MCITP (SA) > > MCSE 2003, M+, S+, MCDST > > Security+, Project +, Server + > > > > > > oz[ at ]SMTp25.org > > http://smtp25.blogspot.com (Blog)

RE: Do not use recursion on this domain James Yeomans BSc, MCSE 11/12/2008 8:15:01 AM I agree with you i don't see the point in using it. The only thing i can think of is to block specific websites but yes web filtering software would be a much better idea for that. Would be interested to hear the reason behind it. James. -- James Yeomans, BSc, MCSE Ask me directly at: http://www.justaskjames.co.uk "oz.ozugurlu" wrote: [Quoted Text] > > James, my point is to continue to have the name resolution in case if the > forwarders are not answering the recursive queries for a particular domain, > knowing the root hint servers will be there even it will be slow but still > internet name resolution is going to be working for the internal clients, > So **not** selecting the option > “do not use recursion for this domain” > seems to be better way for going forward providing DNS name resolution. I > just cannot see the bad part of doing this, hence I was wondering if someone > out there can shade a light on this. > > At the end of the day everyone cares about not getting **Page can not be > displayed** when they type www.google.com into their web browsers in my > opinion as well as having access to all domain related resources. > > > I really would think content filtering software would be best way to fight/ > deal with blocking access type of situations, something like websense. > -- > Oz Ozugurlu > MVP (Exchange) > MCITP (EMA), MCITP (EA),MCITP (SA) > MCSE 2003, M+, S+, MCDST > Security+, Project +, Server + > > > oz[ at ]SMTp25.org > http://smtp25.blogspot.com (Blog) > > > "James Yeomans BSc, MCSE" wrote: > > > Isn't it just a good way of blocking resolution on domains that you dont want > > users to access? Not exactly an all round filtering solution but has small > > scale benefits. > > -- > > James Yeomans, BSc, MCSE > > Ask me directly at: http://www.justaskjames.co.uk > > > > > > "oz.ozugurlu" wrote: > > > > > I would like to know what you guys are thinking about the option below in DNS > > > “Do not use recursion on this domain” on the DNS setting. > > > > > > The option is there for > > > > > > Don’t let your internal servers roam the Internet looking for name servers.( > > > Bill Boswell), by the way Bill Boswell has always been one of the best in my > > > eyes for Exchange and active directory I do enjoy his books a lot. > > > http://redmondmag.com/features/article.asp?EditorialsID=413 > > > > > > So the point I am trying to make is, > > > > > > If ISP DNS servers fail, or wherever we are forwarding for internet name > > > resolution, we do bigger issues to worry about. > > > > > > If this happens it seems to be still better option to do recursive lookup to > > > the root server for internet name resolution even it will be many hops and > > > slow response, rather than giving no answer > > > > > > any toughts? > > > -- > > > Oz Ozugurlu > > > MVP (Exchange) > > > MCITP (EMA), MCITP (EA),MCITP (SA) > > > MCSE 2003, M+, S+, MCDST > > > Security+, Project +, Server + > > > > > > > > > oz[ at ]SMTp25.org > > > http://smtp25.blogspot.com (Blog)