DNS Root Hints or Forwarders?

The problem

I recently encountered an issue after updating my DCs/DNS servers. After Windows Updates and a VMware Tools upgrade I couldn’t reach anything outside of my network. Every error indicated that the destination IP could not be resolved.

Clearly this was a DNS issue (it’s always DNS), and I resolved myself to fixing my DNS issues once and for all (I would have issues like this intermittently throughout the year).

I use to use forwarders for my DNS servers. Namely 8.8.8.8 and 8.8.4.4 but decided that I should follow best DNS practices and start using Root Hints.

Root Hints vs. Forwarders

Root Hints use iterative queries. When my DNS server is unable to resolve a DNS query it shoots that query to one of the root DNS servers available on the internet. The Root Server with then give me a referral to the servers that are authoritative for the TLD that I am querying. My DNS server then queries one of those servers in the referral which, in turn, give me another referral. This time, however, it refers me to the authoritative server for the SLD that I initially queried. Now, this process will continue until my DNS server reaches a server that is authoritative for the FQDN contained within the initial query.

Forwarders use recursive queries. When my DNS server is unable to resolve a query, it sends a recursive query to one of the servers in my forwarders list (In my case it’s usually 8.8.8.8 or 8.8.4.4). The forwarder then does the hard work of tracking down the record from my initial query. During that process my DNS server waits for the forwarder to finish its job (whether successful or unsuccesful) and then sends that to the client who made the query to begin with.

The referral process that takes place during an iterative query may also occur when the forwarder looks for the record.

Changing from Forwarders to Root Hints

Changing your forwarders to root hints (or even just changing your forwarders) is very simple.

Root Hints for my DNS server. These are the standard root hint servers.

This article assumes you’re leveraging Windows Server (I am using 2016, but the process is the same for 2012r2) for your DNS server.

  • Open DNS Manager and right click on your DNS server.
  • Select Properties (second option from the bottom)
  • Click on the Forwarders tab. Update these if you want, or click Edit and delete them if you wish to use Root Hints.
  • Ensure Use root hints if no forwarders are available is checked off
  • Click the Root Hints tab and make sure a.root-servers.net. through m.root-servers.net. are present. If they are not then click on the Copy from Server button. I use 198.41.0.4 as the IP, and then click OK.
  • Click OK
  • Fin.
Forwarders (Make sure there are none, and that the Use root hints if no forwarders are available is checked off).

If your Root Hints get corrupted, you may have to copy them from a server again. I noticed this before, and copying them again fixed my issue.

Leave a Reply

Your email address will not be published. Required fields are marked *