Firewall keeps seeing root hint traffic even though root hints are disabled

  • Question

  • I keep seeing my DNS servers attempting to send some traffic to root hint servers, even though I have forwarders set up and have disabled the "use root hints if no forwarders are available" option.

    What do I need to do to completely stop DNS traffic from going to the root hint servers, and instead just send it to my forwarders?

    Tuesday, September 12, 2017 6:54 PM

All replies

  • Hi ctoronto

    You may try to remove the root hints in the DNS properties and delete the cache.DNS file.

    For your reference:

    Deleting cache.dns file

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/ebbe39be-16dd-4d71-bcb4-351acf9a84fb/deleting-cachedns-file?forum=winserverNIS

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 13, 2017 6:10 AM
  • I have already removed DNS from the properties, and will try modifying the cache.DNS. I read on a different forum that I should also remove the root hints from Active Directory. Should this be done, and if so then how would I go about adding them back in if I needed them in the future?

    Thanks,

    ctoronto

    Monday, September 18, 2017 3:42 PM
  • Hi ctoronto,

    >> I read on a different forum that I should also remove the root hints from Active Directory. Should this be done

    Deleting cache.dns file

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/ebbe39be-16dd-4d71-bcb4-351acf9a84fb/deleting-cachedns-file?forum=winserverNIS

    From my post link, you would see the following:

    please make sure you also delete root hints in AD if the DNS server is a member of the domain.

    For your reference:

    The root hints can be removed permanently and completely by removing the root hints from the DNS Manager, the CACHE.DNS file and from Active Directory. The root hints come back in this scenario because the root hints still exist in the other two locations (CACHE.DNS file and Active Directory).

    Root hints reappear after they are removed

    https://support.microsoft.com/en-us/help/818020/root-hints-reappear-after-they-are-removed

    >>if so then how would I go about adding them back in if I needed them in the future?

    Generally, we don't recommend deleting root hints from a DNS server permanently.

    You might try the following steps to recover the root servers list:

    1) Copy the root servers from another DNS server.

    2) Copy the cache.dns file from another server.

    3) Add the root servers manually.

    In addition, if the information provided was helpful, please "mark it as answer" to help other community members find the helpful reply quickly.

    Best Regards,

    Candy




    Tuesday, September 19, 2017 9:30 AM
  • Hi ctoronto,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Candy



    Tuesday, September 26, 2017 6:11 AM
  • Steps I have already taken:

    I have set up a forwarder and ensured that the use of root hints was unchecked.

    I have modified the root hints so that they point to the same servers as my forwarders.

    I modified the cache.dns file to match my root hints (i.e. it only points to the same server as my forwarders).

    After all of these changes, I still see traffic hitting the firewall originating from my DNS servers.

    The last thing left to do is to modify active directory root settings, but I'm concerned because I'm not sure how to add the AD root hints once they are deleted.

    Friday, September 29, 2017 10:49 PM
  • Hi ctoronto,

    >>but I'm concerned because I'm not sure how to add the AD root hints once they are deleted.

    Sorry for the delayed response.

    You could re-add/copy them from a server in the DNS properties if you need them in the future.

    If you want to add the AD root hints, you might need to restore them with PowerShell.

    For your reference:

    https://blogs.technet.microsoft.com/askds/2010/08/12/using-ad-recycle-bin-to-restore-deleted-dns-zones-and-their-contents-in-windows-server-2008-r2/

    Best Regards,

    Candy




    Friday, October 6, 2017 9:20 AM
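The audit, backup, removal and restore steps discussed in this thread (checking the forwarder setting, clearing the root hints and cache, and the three recovery options for the root servers list) can all be done with the DnsServer PowerShell module instead of DNS Manager. The script below is an added example and is not code from the thread or from Microsoft; it assumes the DnsServer module is available on the DNS host, an elevated session, that `$Forwarders` holds your real forwarder addresses (the 192.0.2.x values are constructed sample addresses), and a hypothetical backup path `$Backup`. The property paths under `NameServer.RecordData` and `IPAddress.RecordData` are assumptions about the objects `Get-DnsServerRootHint` returns. It does not touch the copy of the root hints stored in Active Directory, which the KB article above says must be removed separately.

```powershell
# Added example, not from the thread or from Microsoft.
# Assumes: DnsServer module, elevated session, $Forwarders set to your forwarders.
Import-Module DnsServer

$Forwarders = @('192.0.2.10', '192.0.2.11')    # constructed sample forwarder addresses
$Backup     = 'C:\Temp\roothints-backup.xml'   # hypothetical backup path

# --- 1. Audit: confirm forwarders and that root hints are not used as a fallback ---
$fwd = Get-DnsServerForwarder
Write-Host ("Forwarders : {0}" -f ($fwd.IPAddress -join ', '))
Write-Host ("UseRootHint: {0}" -f $fwd.UseRootHint)

# Report every configured root hint and flag any that point outside the forwarder set.
# (Assumed property paths: NameServer.RecordData.NameServer, IPAddress.RecordData.IPv4Address/IPv6Address)
$hints = Get-DnsServerRootHint
foreach ($h in $hints) {
    $name = $h.NameServer.RecordData.NameServer
    $ips  = @($h.IPAddress | ForEach-Object {
                $_.RecordData.IPv4Address; $_.RecordData.IPv6Address
             } | Where-Object { $_ } | ForEach-Object { $_.IPAddressToString })
    $stray = $ips | Where-Object { $_ -notin $Forwarders }
    $flag  = if ($stray) { 'STRAY' } else { 'ok' }
    Write-Host ("Root hint {0,-25} {1,-40} {2}" -f $name, ($ips -join ','), $flag)
}

# --- 2. Back up the current root hints before removing anything ---
$hints | Export-Clixml -Path $Backup

# --- 3. Enforce forwarders only and drop the root hints ---
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false
foreach ($h in $hints) {
    Remove-DnsServerRootHint -NameServer $h.NameServer.RecordData.NameServer -Force
}
Clear-DnsServerCache -Force   # cached NS/A records for the root can otherwise keep the traffic going

# --- 4. Restore helpers, matching the three recovery options from the thread ---
function Restore-RootHintsFromBackup {
    # Option 3 (add manually) driven from the backup taken in step 2.
    param([string]$Path = $Backup)
    foreach ($h in (Import-Clixml -Path $Path)) {
        $name = $h.NameServer.RecordData.NameServer
        $ips  = @($h.IPAddress | ForEach-Object {
                    $_.RecordData.IPv4Address; $_.RecordData.IPv6Address
                 } | Where-Object { $_ })
        Add-DnsServerRootHint -NameServer $name -IPAddress $ips
    }
}

function Restore-RootHintsFromServer {
    # Option 1 (copy from another DNS server): the cmdlet queries that server for the root NS set.
    param([Parameter(Mandatory)][string]$SourceServer)   # hypothetical source, e.g. 'dns02.example.com'
    Import-DnsServerRootHint -NameServer $SourceServer
}

# Usage when the root hints are needed again:
#   Restore-RootHintsFromBackup
#   Restore-RootHintsFromServer -SourceServer 'dns02.example.com'
```

Run the audit section first on its own and look at the `STRAY` column; if the forwarder shows `UseRootHint: False` and no root hints remain, yet the firewall still logs outbound traffic to the root server addresses, the remaining sources to check are the Active Directory copy of the root hints described in the KB article and any cached root NS records that survived until `Clear-DnsServerCache` ran.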
  • Hi,

    Did you have any updates?

    Best Regards,

    Candy



    Friday, October 13, 2017 9:46 AM