btm02sf

asked on

Root Hints - IPv6 vs IPv4 entries in DNS & warnings Best Practices Analyzer

On a new Windows 2019 server, the root hints are configured with IPv6 addresses. I validated against the known root hints available at IANA (https://www.iana.org/domains/root/servers) and they are all correct. Yet, when I run the Best Practices Analyzer, I get multiple warnings related to these IPv6 root hints that they must respond to NS queries for the root zone. The server is a single domain controller and the DNS server for a new office that I am setting up. I have entered several public DNS servers in the Forwarder tab (e.g. Google DNS, OpenDNS, Level 3 DNS). The check box for "Use root hints if no forwarders are available" was checked and I left it checked.
When I initially set up the server, I ran the commands to change the priorities of IPv4 over IPv6. The office will use IPv4 (small office with 15 computers) but IPv6 is enabled by default, and I see no reason to change it.

As I am not a DNS expert, I have a few questions on these root hints in the IPv6 format.
1. I know they exist in the C:\WINDOWS\system32\dns\cache.DNS in both formats, IPv4 and IPv6 - see attached cache.dns.txt file. Why are the IPv6 entries appearing in the Root Hints tab in the DNS properties - see attached screenshots? Why aren't the IPv4 IP addresses appearing instead? Especially since I changed the priority from IPv6 to IPv4.

2. What is required to eliminate the warnings shown by the Best Practices Analyzer? From reading multiple posts here I get it that they are benign, and don't hurt, especially since root hints are the last resort for DNS resolution if all forwarders fail. But, as I am setting up this new server, I would like to minimize the number of those benign errors that Microsoft throws our way with no explanation/fix other than "don't worry about that".

Any feedback would be very much appreciated. Thank you for your assistance.
cache.dns.txt
Root_Hints_Servers_Win2019_Default_I.jpg
Aard Vark

I suspect this is a bug if anything. Manually replace the IPv6 root hints with IPv4.
noci

I guess you have both IPv4 root hints AND IPv6 root hints.

2) You ask to validate the NS records in there; that REQUIRES your system to ask those name servers for a name ... using IPv6.
So if you have no IPv6 alive, those will not answer any queries. As long as you have no IPv6, this is a non-issue.
Prioritizing IPv4 over IPv4 would mean to ask for A records first.

Are you actually using recursive lookups? If you are forwarding queries to an upstream DNS provider, then the root hints are immaterial.
Having configured forwarding for IPv4 and nothing for IPv6 may have caused the IPv4 entries to be removed, and the IPv6 would need recursive lookups instead,
so they are still there.

Not sure how Windows systems manage those though.
You posted everything except the warnings you


Do you use forwarders? If not mistaken, forwarders versus conditional forwarders eliminate the need for root hints.
I.e., if you direct your system to forward all requests to a specific destination, all attempts to resolve non-local resources will be sent through to the forwarder.

Hints are the last resort for not finding an answer based on defined zones.
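
The check the Best Practices Analyzer warning describes (each root hint address must answer NS queries for the root zone) can be reproduced per address. The following is an added example, not part of any post in this thread; it assumes an elevated PowerShell session on the DNS server with the DnsServer module that ships with the DNS Server role.

```powershell
# Added example (not from the thread): list every root hint address configured on
# this DNS server and test whether it answers an NS query for the root zone (".").
Import-Module DnsServer

$results = foreach ($hint in Get-DnsServerRootHint) {
    # Host name of the root server, e.g. a.root-servers.net.
    $name = $hint.NameServer.RecordData.NameServer

    foreach ($rec in $hint.IPAddress) {
        # Each address record is either an A (IPv4) or an AAAA (IPv6) record.
        if ($rec.RecordType -eq 'AAAA') {
            $ip = $rec.RecordData.IPv6Address
        } else {
            $ip = $rec.RecordData.IPv4Address
        }

        $answered = $false
        try {
            # Ask this specific address for the root zone's NS records.
            $reply = Resolve-DnsName -Name '.' -Type NS -Server $ip.ToString() `
                                     -DnsOnly -ErrorAction Stop
            $answered = [bool]($reply | Where-Object { $_.Type -eq 'NS' })
        } catch {
            # Timeout or unreachable address family: leave $answered as $false.
        }

        [pscustomobject]@{
            RootServer    = $name
            RecordType    = $rec.RecordType
            Address       = $ip.ToString()
            AnswersRootNS = $answered
        }
    }
}

# One row per hint address; False rows are the ones that did not respond.
$results | Sort-Object RootServer, RecordType | Format-Table -AutoSize
```

On a server with no working IPv6 path, the AAAA rows are the ones expected to show False, which matches noci's explanation above.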
ASKER CERTIFIED SOLUTION
DrDave242
This solution is only available to members.

ASKER

Thank you to everyone who responded. Based on DrDave242's response, I went to the root hints and resolved individually each one of them, and all resolved to the IPv4 IP addresses - see attached screenshots. Rebooted the server, just to make sure that the root hints would remain in place, and they were there after reboot.
Win2019_Root_Hints_Resolved_1.jpg
Win2019_Root_Hints_Resolved_2.jpg

ASKER

Thank you again to all who responded to my question.