Hello All,

Just wanted to clarify the position on a few things in DNS and wanted an experts opinion to the following:

Is it still best practice to utilise a forwarder as opposed to root hints within DNS?  I was always told that using root hints would increase network traffic on a lease line and possibly expose DNS - is this still correct?

Also on a DNS server - is it best practice to remove the 127.0.01 address and replace with the IP address of the DNS server - ie point the DNS to itself 1st and any partner second?

If someone could give more detail why the above is or is now not correct I would be most grateful.

Best regards

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Paul MacDonaldDirector, Information SystemsCommented:
Some people prefer to use Root Hints to ensure good resolution.  Some people prefer to use Forwarders because the turn around time may be lower.

My personal recommendation is to use Forwarders on internal DNS servers and Root HInts on external DNS servers.  YMMV.
BYRONJACKSONAuthor Commented:
Hi Paul,

Thank you for this - was reading through an old TechNet on DNS and found this:

"Without having a specific DNS server designated as a forwarder, all DNS servers can send queries outside of a network using their root hints. As a result, a lot of internal, and possibly critical, DNS information can be exposed on the Internet. In addition to this security and privacy issue, this method of resolution can result in a large volume of external traffic that is costly and inefficient for a network with a slow Internet connection or a company with high Internet service costs."

Does this still stand true and what exactly will someone be able to see using the root hint method?  It is this I am trying to get my head around.  You see I was kind of told also that DNS should where possible forward to ISP first in order that any hidden functionality would become available and then perhaps Google?

Is it a security risk?
David Johnson, CD, MVPOwnerCommented:
follow the traffic.  with root hints -> com root server -> registrar -> returns ip address
using a forwarder -> forwarder -> returns ip address
Cloud Class® Course: C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

With a proper internal DNS (i.e. forward and reverse zones for all your domains and subnets in use), then the security issue should be pretty much gone, as root hints or forwarders are only used when your internal DNS servers don't already have the info.  David's example shows how the traffic can be more with root hints, though maybe it'd be clearer if laid out like this.
internal DNS tries to query
DNS queries   -> com root server
                         -> registrar
                         -> returns ip address

I discount the "hidden functionality" of ISP's DNS, as all I've ever seen in that regard is supposed search "helpers".
David Johnson, CD, MVPOwnerCommented:
I would really consider using Steve Gibson's DNS Benchmark because unless you test it you don't know.. ISP dns servers are notorious for being barely functional

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
BYRONJACKSONAuthor Commented:
Thank you so much really helpful - hope the share of points will be ok with you all
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.