Hello All,

Just wanted to clarify the position on a few things in DNS and wanted an expert's opinion on the following:

Is it still best practice to utilise a forwarder as opposed to root hints within DNS? I was always told that using root hints would increase network traffic on a leased line and possibly expose DNS. Is this still correct?

Also, on a DNS server, is it best practice to remove the 127.0.0.1 address and replace it with the IP address of the DNS server, i.e. point the DNS to itself first and any partner second?

If someone could give more detail on why the above is, or is no longer, correct I would be most grateful.

Best regards

4 Solutions
Paul MacDonald (Director, Information Systems) commented:
Some people prefer to use Root Hints to ensure good resolution. Some people prefer to use Forwarders because the turnaround time may be lower.

My personal recommendation is to use Forwarders on internal DNS servers and Root Hints on external DNS servers. YMMV.
BYRONJACKSON (Author) commented:
Hi Paul,

Thank you for this. I was reading through an old TechNet article on DNS and found this:

"Without having a specific DNS server designated as a forwarder, all DNS servers can send queries outside of a network using their root hints. As a result, a lot of internal, and possibly critical, DNS information can be exposed on the Internet. In addition to this security and privacy issue, this method of resolution can result in a large volume of external traffic that is costly and inefficient for a network with a slow Internet connection or a company with high Internet service costs."

Does this still stand true, and what exactly will someone be able to see using the root hint method? It is this I am trying to get my head around. You see, I was also told that DNS should, where possible, forward to the ISP first so that any hidden functionality becomes available, and then perhaps Google?

Is it a security risk?
David Johnson, CD, MVP (Owner) commented:
Follow the traffic. With root hints:
example.com -> com root server -> example.com registrar -> example.com returns ip address
Using a forwarder:
example.com -> forwarder -> returns example.com ip address
With a proper internal DNS (i.e. forward and reverse zones for all your domains and subnets in use), the security issue should be pretty much gone, as root hints or forwarders are only used when your internal DNS servers don't already have the info. David's example shows how there can be more traffic with root hints, though maybe it'd be clearer if laid out like this:
internal DNS tries to query example.com
DNS queries   -> com root server
                         -> example.com registrar
                         -> example.com returns ip address

I discount the "hidden functionality" of ISPs' DNS, as all I've ever seen in that regard is supposed search "helpers".
David Johnson, CD, MVP (Owner) commented:
I would really consider using Steve Gibson's DNS Benchmark, because unless you test it you don't know. ISP DNS servers are notorious for being barely functional.
BYRONJACKSON (Author) commented:
Thank you so much, really helpful. I hope the share of points will be OK with you all.
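As an added example (not code from the thread), the following PowerShell audits the three things the question asks about on a Windows DNS server: which forwarders are configured, whether the server will fall back to root hints when the forwarders fail, and whether the server's own client settings list 127.0.0.1 or its own address first. It assumes the DnsServer and DnsClient modules are present (Windows Server with the DNS role or RSAT); the forwarder addresses in the comment are placeholders.

```powershell
# Added example, not from the original thread.
# Assumes: run elevated on the DNS server; DnsServer/DnsClient modules available.
Import-Module DnsServer
Import-Module DnsClient

function Get-DnsResolverPosture {
    # Forwarder settings: who upstream sees this server's external queries,
    # and whether root hints are still used as a fallback when forwarders fail.
    $fwd       = Get-DnsServerForwarder
    $rootHints = @(Get-DnsServerRootHint)

    # The server's own non-loopback IPv4 addresses, to detect "points to itself".
    $ownIPs = (Get-NetIPAddress -AddressFamily IPv4 |
               Where-Object { $_.IPAddress -notlike '127.*' }).IPAddress

    # Per-interface DNS client order (what the question calls "itself first, partner second").
    $clientCfg = Get-DnsClientServerAddress -AddressFamily IPv4 |
                 Where-Object { $_.ServerAddresses.Count -gt 0 }

    foreach ($nic in $clientCfg) {
        $servers = [string[]]$nic.ServerAddresses
        [PSCustomObject]@{
            Interface        = $nic.InterfaceAlias
            ClientDnsOrder   = ($servers -join ', ')
            LoopbackPosition = [array]::IndexOf($servers, '127.0.0.1')   # -1 means not listed
            SelfFirst        = ($ownIPs -contains $servers[0])
            Forwarders       = ($fwd.IPAddress -join ', ')
            RootHintFallback = $fwd.UseRootHint     # $true: root hints used if forwarders fail
            RootHintCount    = $rootHints.Count
        }
    }
}

Get-DnsResolverPosture | Format-List

# To resolve only through forwarders (no root-hint fallback), as the thread's
# "forward to ISP/Google" option describes. 203.0.113.53/54 are placeholders:
# Set-DnsServerForwarder -IPAddress 203.0.113.53, 203.0.113.54 -UseRootHint $false -Timeout 3
```

RootHintFallback is the setting that decides whether external queries can still go out directly from this server when the forwarders are unreachable, which is the traffic path the TechNet quote above is describing.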
