Don't want to use Root Hints but DO want to use selective forwarding

Discussion in 'DNS Server' started by Alan Sandal, Oct 14, 2008.

    Someone MUST have seen this before.

    I have several domains hosted on my Windows 2003 infrastructure and several
    domains listed for conditional forwarding. Name resolution for the
    authoritative domains and those specifically forwarded are working just

    All Internet connectivity is via a proxy server in a DMZ and we have no
    requirement to allow workstations to resolve external DNS entries
    themselves - therefore there's no DNS connectivity from our internal DNS
    servers to the Internet.

    The problem comes when a machine queries for an address which isn't in
    either the hosted domains or in a domain for which a forwarder is specified
    e.g. The internal servers can't resolve this, they have
    no forwarder specified to which they can forward it.

    They of course try to contact a root hints server. Now this is the problem -
    the timeout for this is several seconds and causes all machines making
    invalid queries to stop and wait for a timeout. In an ideal world (or at
    least an ideal network) there would be no incorrect queries but I've got
    lots of them and can't tackle the problem 'properly' by resolving the
    underlying problem. What I'd like to do is minimise the problem by sending a
    DNS failure msg immediately. I know:

    1. If I add a root domain to my servers I get an immediate DNS failure
    (good) but forwarding is disabled and I have several conditional forwarders.

    2. If I disable recursion for the server I get an immediate DNS failure
    (good) but forwarding is disabled and I have several conditional forwarders.

    3. If I disable recursion for 'all other domains' the setting doesn't seem
    to have any effect on my servers' habit of querying root hints.

    4. If I remove all root hints from my cache files and AD I get an immediate
    DNS failure (good) but this isn't supported by Microsoft and I _need_ this
    to be squeaky clean.

    I've currently got just one root hint specified but this is a lousy solution
    as all it does is reduce the timeout to a few seconds rather than a
    hundredth of a second.

    Does anyone know how to stop root hints being queried when every other
    method of resolution has failed (bearing in mind 'Do Not Use Recursion for
    this domain' is already checked for 'All other domains' and doesn't have any


    Alan Sandal, Oct 14, 2008
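    The delay the post complains about is easy to measure from a client. The following probe is an added example (not from the original thread or from Microsoft's tooling): it sends one recursive A query for a name the server cannot resolve and reports the RCODE it gets back (NXDOMAIN or SERVFAIL means an immediate failure, TIMEOUT means the server is still off chasing root hints) together with the elapsed time. The server address and the two test names are assumptions to replace with your own.

```python
import socket
import struct
import time

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid=0x1234):
    """Build a minimal DNS A query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_rcode(resp, qid):
    """Return the RCODE name of a response matching qid, or None if it is not a valid reply."""
    if len(resp) < 12:
        return None
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != qid or not flags & 0x8000:  # wrong transaction id, or QR bit not set
        return None
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode)


def probe(server, name, timeout=10.0, port=53):
    """Query server for name; return (outcome, seconds until the answer or the timeout)."""
    qid = 0x1234
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, qid), (server, port))
        while True:
            data, _ = sock.recvfrom(512)
            outcome = parse_rcode(data, qid)
            if outcome is not None:
                return outcome, time.monotonic() - start
    except socket.timeout:
        return "TIMEOUT", time.monotonic() - start
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    dns_server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed: your internal DNS server
    # constructed test names: one that nothing is authoritative for, one in a forwarded/hosted domain
    for qname in ("nonexistent.invalid", "www.example.com"):
        result, secs = probe(dns_server, qname)
        print("%s -> %s in %.3fs" % (qname, result, secs))
```

    Run it before and after a configuration change; a server that has stopped consulting root hints answers the first name with NXDOMAIN or SERVFAIL in milliseconds instead of reaching the timeout.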
    Unfortunately not an option for us as for misc security reasons we can't
    permit our workstations to directly query the DNS server we currently
    forward to but thanks for the suggestion.


    Alan Sandal, Oct 21, 2008
