Posted on 2014-08-19
Last Modified: 2014-08-24
Hello All,

Just wanted to clarify the position on a few things in DNS and wanted an experts opinion to the following:

Is it still best practice to utilise a forwarder as opposed to root hints within DNS? I was always told that using root hints would increase network traffic on a leased line and possibly expose DNS - is this still correct?

Also on a DNS server - is it best practice to remove the 127.0.0.1 address and replace it with the IP address of the DNS server, i.e. point the DNS to itself 1st and any partner second?

If someone could give more detail why the above is or is now not correct I would be most grateful.

Best regards

    LVL 33

    Assisted Solution

    Some people prefer to use Root Hints to ensure good resolution. Some people prefer to use Forwarders because the turnaround time may be lower.

    My personal recommendation is to use Forwarders on internal DNS servers and Root Hints on external DNS servers. YMMV.

    Author Comment

    Hi Paul,

    Thank you for this - was reading through an old TechNet on DNS and found this:

    "Without having a specific DNS server designated as a forwarder, all DNS servers can send queries outside of a network using their root hints. As a result, a lot of internal, and possibly critical, DNS information can be exposed on the Internet. In addition to this security and privacy issue, this method of resolution can result in a large volume of external traffic that is costly and inefficient for a network with a slow Internet connection or a company with high Internet service costs."

    Does this still stand true, and what exactly will someone be able to see using the root hint method? It is this I am trying to get my head around. You see, I was also kind of told that DNS should, where possible, forward to the ISP first in order that any hidden functionality would become available, and then perhaps Google?

    Is it a security risk?
    LVL 77

    Assisted Solution

    by:David Johnson, CD, MVP
    Follow the traffic.
    With root hints: -> com root server -> registrar -> returns IP address
    Using a forwarder: -> forwarder -> returns IP address
    LVL 38

    Assisted Solution

    With a proper internal DNS (i.e. forward and reverse zones for all your domains and subnets in use), the security issue should be pretty much gone, as root hints or forwarders are only used when your internal DNS servers don't already have the info. David's example shows how the traffic can be more with root hints, though maybe it'd be clearer if laid out like this.

    Internal DNS tries to query:
    DNS queries -> com root server
                -> registrar
                -> returns IP address

    I discount the "hidden functionality" of ISP's DNS, as all I've ever seen in that regard is supposed search "helpers".
    LVL 77

    Accepted Solution

    I would really consider using Steve Gibson's DNS Benchmark, because unless you test it you don't know. ISP DNS servers are notorious for being barely functional.

    Author Closing Comment

    Thank you so much, really helpful - hope the share of points will be OK with you all.
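One way to check both points raised in this thread on a Windows DNS server (whether recursion goes through forwarders or root hints, and which resolver addresses the server's own NIC lists first), as an added example that is not part of the thread. It assumes the DnsServer PowerShell module is present, and the 192.0.2.x addresses in the comment are placeholders for your own forwarders.

```powershell
# Added example: audit a Windows DNS server's recursion path and its own resolver order.
# Requires the DnsServer module (installed with the DNS role or RSAT).
Import-Module DnsServer

# 1. Forwarders vs root hints: how does this server resolve names it is not authoritative for?
$fwd = Get-DnsServerForwarder
if ($fwd.IPAddress) {
    "Forwarders in use: $($fwd.IPAddress -join ', ')"
    "Falls back to root hints if all forwarders fail: $($fwd.UseRootHint)"
} else {
    "No forwarders configured; recursive queries go to the root servers via root hints:"
    Get-DnsServerRootHint | ForEach-Object { $_.NameServer.RecordData.NameServer }
}

# To switch to forwarders only (placeholder addresses, replace with your own):
# Set-DnsServerForwarder -IPAddress 192.0.2.53, 192.0.2.54 -UseRootHint $false

# 2. The 127.0.0.1 question: which addresses does the server's own DNS client use, in order?
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $first = $_.ServerAddresses[0]
        $note = if ($first -eq '127.0.0.1') { 'loopback listed first' } else { 'own/partner IP listed first' }
        "{0}: {1} ({2})" -f $_.InterfaceAlias, ($_.ServerAddresses -join ', '), $note
    }
```

Run it as an administrator on the DNS server itself; the second section reports per-interface so you can see whether a partner DNS server is listed as the second entry.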
