
Remove Root Hints in DNS server

Our new domain sits behind a firewall, and as soon as we set up the DNS server we saw a flood of DNS (UDP/53) requests to the Internet root servers that could not be delivered because our corporate firewall policy blocks them.

If you want to make sure that your DNS server never uses its Root Hints, do the following:

Open DNS Manager | Expand the DNS server | Expand Forward Lookup Zones | Right-click Forward Lookup Zones and select New Zone | Primary Zone | Zone Name: “.” (only a dot, without the quotation marks)

Creating a forward lookup zone named “.” is the method I have used in the past to stop a DNS server from using its Root Hints.

When you create such a zone, you are configuring the DNS server to be the ultimate authority for the entire DNS namespace: it believes it owns the root, so it no longer recurses to the root servers or uses its forwarders for names it is not authoritative for, and clients asking for such names get NXDOMAIN (name does not exist). Only do this on a server that never needs to resolve external names, since the Forwarders tab becomes unavailable while a root zone exists.
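The same procedure done from PowerShell, with a before-and-after check. This is an added example and not part of the original WinCert post; the server name `dns01.corp.example`, the internal test name `dc01.corp.example` and the choice of an AD-integrated zone are assumptions, so adjust them to your environment.

```powershell
# Added example (not from the original post). Run elevated on the DNS
# server, or with -ComputerName pointing at it. Requires the DnsServer module.
$DnsServer = "dns01.corp.example"   # assumption: name of your DNS server

# 1. Before: the root servers the DNS server would try to contact today.
Get-DnsServerRootHint -ComputerName $DnsServer |
    Select-Object -ExpandProperty NameServer |
    Select-Object -ExpandProperty RecordData

# 2. Create the root zone "." as an AD-integrated primary zone.
#    On a standalone (non-domain) server use -ZoneFile "root.dns"
#    instead of -ReplicationScope.
$rootZone = Get-DnsServerZone -Name "." -ComputerName $DnsServer -ErrorAction SilentlyContinue
if (-not $rootZone) {
    Add-DnsServerPrimaryZone -Name "." -ReplicationScope Domain -ComputerName $DnsServer
}

# 3. After: an external name now gets NXDOMAIN from this server instead of
#    generating UDP/53 traffic toward the root servers through the firewall.
try {
    Resolve-DnsName -Name "www.example.com" -Server $DnsServer -DnsOnly -ErrorAction Stop
    Write-Warning "External name resolved; the root zone is not taking effect."
} catch {
    Write-Host "External lookup refused as expected: $($_.Exception.Message)"
}

# 4. Internal names the server is authoritative for still resolve.
Resolve-DnsName -Name "dc01.corp.example" -Server $DnsServer -DnsOnly   # assumption: an internal host
```

The `try`/`catch` around the external lookup is the actual check: `Resolve-DnsName` throws on NXDOMAIN, so a successful answer means the root zone did not stop recursion (for example because you created it on a different server than the one clients use).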

You can also delete the Root Hints from a DNS server directly, but that is not recommended or supported by Microsoft.

Note that once you have removed the last root hint while the “.” zone exists, you will not be able to add any root hints back: the Root Hints tab is unavailable for as long as the server hosts a root zone.
