Root Hints - IPv6 vs IPv4 entries in DNS & warnings Best Practices Analyzer

btm02sf used Ask the Experts™
On a new Windows 2019 server, the root hints are configured with IPv6 addresses. I validated against the known root hints available at IANA (https://www.iana.org/domains/root/servers) and they are all correct. Yet, when I run the Best Practices Analyzer, I get multiple warnings related to these IPv6 root hints, saying that they must respond to NS queries for the root zone. The server is a single domain controller and the DNS server for a new office that I am setting up. I have entered several public DNS servers in the Forwarder tab (e.g. Google DNS, OpenDNS, Level 3 DNS). The check box for "Use root hints if no forwarders are available" was checked and I left it checked.
When I initially set up the server, I ran the commands to change the priorities of IPv4 over IPv6. The office will use IPv4 (small office with 15 computers) but IPv6 is enabled by default, and I see no reason to change it.

As I am not a DNS expert, I have a few questions on these root hints in the IPv6 format.
1. I know they exist in C:\WINDOWS\system32\dns\cache.DNS in both formats, IPv4 and IPv6 - see attached cache.dns.txt file. Why are the IPv6 entries appearing in the Root Hints tab in the DNS properties - see attached screenshots? Why aren't the IPv4 addresses appearing instead? Especially since I changed the priority from IPv6 to IPv4.

2. What is required to eliminate the warnings shown by the Best Practices Analyzer? From reading multiple posts here, I get that they are benign and don't hurt, especially since root hints are the last resort for DNS resolution if all forwarders fail. But, as I am setting up this new server, I would like to minimize the number of those benign errors that Microsoft throws our way with no explanation/fix other than "don't worry about that".

Any feedback would be very much appreciated. Thank you for your assistance.
I suspect this is a bug if anything. Manually replace the IPv6 root hints with IPv4.
noci, Software Engineer
Distinguished Expert 2018

I guess you have both IPv4 root hints AND IPv6 root hints.

2) You ask to validate the NS records in there; that REQUIRES your system to ask those name servers for a name ... using IPv6.
So if you have no IPv6 alive, those will not answer any queries. As long as you have no IPv6, this is a non-issue.
Prioritizing IPv4 over IPv4 would mean to ask for A records first.

Are you actually using recursive lookups? If you are forwarding queries to an upstream DNS provider, then the root hints are immaterial.
Having configured forwarding for IPv4 and nothing for IPv6 may have caused the IPv4 entries to be removed, and the IPv6 would need recursive lookups instead,
so they are still there.

Not sure how Windows systems manage those though.
Distinguished Expert 2017

You posted everything except the warnings you

Do you use forwarders? If I'm not mistaken, forwarders versus conditional forwarders eliminate the need for root hints.
I.e., if you direct your system to forward all requests to a specific destination, all attempts to resolve non-local resources will be sent through to the forwarder.

Hints are the last resort for not finding an answer based on defined zones.
Principal Support Engineer
I've seen this happen as well (only IPv6 addresses in root hints). I don't know why it happens, but I've "fixed" it on multiple occasions by selecting each entry in the root hints list, clicking Edit, and clicking Resolve. This has always resolved the IPv4 addresses for me. You may also be able to use the Copy from Server button to resolve them, although that's given me mixed results in the past.

It's already been mentioned, but since you've got forwarders configured, this is really nothing more than a cosmetic issue. As long as at least one of your forwarders responds, DNS won't use the root hints at all.
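
The check discussed in this thread can also be done from PowerShell. This is an added example, not part of any post above: a read-only audit that lists the root hints the DNS Server service has loaded, flags hints that have no IPv4 address, and tests whether each hinted address answers an NS query for the root zone, which is what the Best Practices Analyzer warning refers to. It assumes the DnsServer module is installed and an elevated session on the DNS server; the function name `Test-RootNs` and the report column names are made up for this example.

```powershell
# Added example: read-only audit of the root hints loaded by the DNS Server service.
Import-Module DnsServer

function Test-RootNs {
    param([Parameter(Mandatory)][string]$Address)
    # Ask the hinted server directly for the NS set of the root zone (".").
    try {
        $null = Resolve-DnsName -Name '.' -Type NS -Server $Address -DnsOnly -ErrorAction Stop
        return $true
    } catch {
        # Timeout or refusal; expected for AAAA hints on a host without IPv6 connectivity.
        return $false
    }
}

$report = foreach ($hint in Get-DnsServerRootHint) {
    # Split the glue records of each hint into IPv4 (A) and IPv6 (AAAA) addresses.
    $v4 = @($hint.IPAddress | Where-Object RecordType -eq 'A' |
            ForEach-Object { $_.RecordData.IPv4Address.ToString() })
    $v6 = @($hint.IPAddress | Where-Object RecordType -eq 'AAAA' |
            ForEach-Object { $_.RecordData.IPv6Address.ToString() })

    # Addresses that did not answer the root NS query.
    $silent = @(@($v4 + $v6) | Where-Object { -not (Test-RootNs -Address $_) })

    [pscustomobject]@{
        NameServer  = $hint.NameServer.RecordData.NameServer
        IPv4        = $v4 -join ', '
        IPv6        = $v6 -join ', '
        MissingIPv4 = ($v4.Count -eq 0)
        NoNsAnswer  = $silent -join ', '
    }
}

# Hints with MissingIPv4 = True are the ones to re-resolve in the Root Hints tab.
$report | Sort-Object NameServer | Format-Table -AutoSize
```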


Thank you to everyone who responded. Based on DrDave42's response, I went to the root hints and resolved individually each one of them, and all resolved to the IPv4 IP addresses - see attached screenshots. Rebooted the server, just to make sure that the root hints would remain in place, and they were there after reboot.


Thank you again to all who responded to my question.