Remove Root Hints in DNS server

Windows Server

Our new domain is behind a firewall, and once we set up the DNS server we saw a lot of DNS (domain-udp) requests to the root servers, which could not be contacted because of our corporate firewall policy.

If you want to ensure that your DNS server does not use root hints, do the following:

Open DNS Manager | Expand the DNS server | Expand Forward Lookup Zones | Right-click Forward Lookup Zones and select New Zone | Primary Zone | Zone Name: “.” (only a dot, without the quotation marks)

Creating a forward lookup zone called “.” is the approach I have used in the past to ensure that the DNS server does not use the root hints.

When you create such a zone, you are configuring the DNS server to be the ultimate authority for the DNS namespace. The DNS server will no longer attempt to forward any DNS requests that it is not authoritative for.

You can also delete the root hints themselves from a DNS server, but that is neither recommended nor supported by Microsoft.

Note that once you remove the last root hint while the “.” root zone exists, you won’t be able to add any root hints back.
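The same change made with the DnsServer PowerShell module instead of the DNS Manager GUI, with checks that the root hints are kept for a later revert and that resolution behaves as described. This is an added example, not part of the original post; it assumes the DnsServer module is installed on the server, and the internal zone name, external test name and zone file name are placeholders to replace.

```powershell
# Added example: create the "." zone with the DnsServer module and verify the effect.
# Assumes an elevated session on a Windows Server DNS server with the DnsServer module.
#Requires -Modules DnsServer

$internalZone = "corp.example"      # assumed: an existing zone this server hosts
$externalName = "www.example.com"   # assumed: a name this server is not authoritative for

# Keep a copy of the current root hints so the change can be reverted later.
# The hints are not deleted; the "." zone simply takes precedence over them.
Get-DnsServerRootHint | Export-Clixml -Path "$env:TEMP\roothints-backup.xml"

# Create the "." primary zone (file-backed; use -ReplicationScope for AD-integrated).
if (-not (Get-DnsServerZone -Name "." -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name "." -ZoneFile "root.dns"   # file name is a chosen value
}

# Check 1: the zone exists and this server is primary for it.
$root = Get-DnsServerZone -Name "."
"Zone '{0}' type={1} file={2}" -f $root.ZoneName, $root.ZoneType, $root.ZoneFile

# Check 2: names in the server's own zones still resolve locally.
Resolve-DnsName -Name $internalZone -Server localhost -DnsOnly -Type SOA

# Check 3: a name outside the server's zones is no longer resolved through the root servers.
# A cached answer can still come back, so test with a name not queried recently.
try {
    Resolve-DnsName -Name $externalName -Server localhost -DnsOnly -ErrorAction Stop
    Write-Warning "$externalName still resolved: check the cache and any configured forwarders."
} catch {
    "Expected failure for {0}: {1}" -f $externalName, $_.Exception.Message
}

# Revert: remove the "." zone; the untouched root hints are used again.
# Remove-DnsServerZone -Name "." -Force
```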


1 Response

  1. Jesin says:

    Thanks for such a simple method.

    Earlier I was commenting out each and every root server line in the cache.dns file in order to disable root hints.

    Microsoft should have an option to disable root hints for authoritative only DNS servers.
