> > I assume that if I want to host email for 10 different domains I have
> > to have these set
> >
> > allow-recursion { any; };
>
> This allows anybody to use your nameserver as a resolver (e.g.
> anyone can ask you to look up domains for them). You shouldn't
> do this at all without a very good reason (one example being if
> you're providing DNS to VPN clients and filtering non-VPN traffic).
> Doing so without other controls leaves you open to being an
> attack amplifier for anyone who can send a UDP packet with an
> invalid source address, and also may open you up to DNS poisoning.
>
> If you're currently using a setup that involves the same IP
> address for both authoritative (domains you host) and recursive
> queries (client DNS requests), you should get these split onto
> separate addresses.
>
So if I understand this, the correct way to set up DNS
is to have one nameserver do just recursive queries
and a separate nameserver on a separate IP address have the actual domain files.
Sam Fourman Jr.
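
The split discussed in this thread, sketched as BIND configuration. This is an added example, not part of the original messages; the addresses, ACL name, zone name and file paths are placeholders, and the two halves are assumed to be separate named instances with separate configuration files.

```conf
// Added example: two separate named.conf files shown together.
// All addresses, names and paths below are placeholders.

// ---- File 1: authoritative-only instance, public address ----
options {
    directory "/var/named/auth";
    pid-file "/var/run/named/auth.pid";
    listen-on { 192.0.2.53; };       // placeholder public IP
    recursion no;                    // never resolve names for clients
    allow-query { any; };            // anyone may ask about zones hosted here
    allow-transfer { none; };        // open per zone, to secondaries only
};

// One zone statement per hosted domain (ten domains, ten statements).
zone "example.com" {
    type master;
    file "example.com.zone";
};

// ---- File 2: recursive-only instance, internal address ----
acl trusted {                        // placeholder client networks
    127.0.0.0/8;
    10.0.0.0/8;
};

options {
    directory "/var/named/recursive";
    pid-file "/var/run/named/recursive.pid";
    listen-on { 10.0.0.53; };        // placeholder internal IP
    recursion yes;
    allow-recursion { trusted; };    // replaces allow-recursion { any; };
    allow-query { trusted; };
    allow-query-cache { trusted; };  // cached answers go to the same clients only
};
```

Answering for hosted mail domains only needs the first instance, since serving a zone's own MX and A records is not recursion. From an outside host, a query to the authoritative address for a name it does not host should come back REFUSED, not resolved.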