DNS: The list of root hints should contain more than one entry

Updated: October 15, 2010

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Product/Feature

DNS

Severity

Warning

Category

Configuration

Issue

The root hint that has been configured for the DNS server is a single point of failure.

The use of a single root name server in root hints does not provide redundancy.

Impact

Loss of the single root hint server will prevent the DNS server from being able to resolve external host names.

Recursion might fail or be delayed on this DNS server if the root name server does not respond.

Resolution

Add additional root hints to the list of root hint servers.

Configure the list of root hints to include at least two valid root name servers. You can use the verification procedure below to display a list of root name servers.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To verify a root name server

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    nslookup -type=ns . <root name server>
    
  3. Replace <root name server> with the IP address of the root hint server that you wish to verify. If the root name server is valid, a list of authoritative servers for the root zone (root name servers) will be displayed.
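
The following PowerShell script is an added example, not part of the original topic. It runs the same check as the nslookup command above against every configured root hint and warns when fewer than two root name servers answer. It assumes Windows Server 2012 or later with the DnsServer and DnsClient modules available; the $ComputerName parameter is illustrative.

```powershell
# Added example: audit the root hints configured on a Windows DNS server.
# Assumptions: elevated session, DnsServer module installed (Windows Server 2012+),
# and outbound DNS (port 53) allowed to the root hint addresses.
param(
    [string]$ComputerName = 'localhost'   # illustrative: DNS server to audit
)

# Each root hint carries one NS record and one or more address records.
$hints = Get-DnsServerRootHint -ComputerName $ComputerName

$results = foreach ($hint in $hints) {
    $name = $hint.NameServer.RecordData.NameServer
    foreach ($rec in $hint.IPAddress) {
        # A records expose IPv4Address, AAAA records expose IPv6Address.
        $ip = $rec.RecordData.IPv4Address
        if (-not $ip) { $ip = $rec.RecordData.IPv6Address }
        if (-not $ip) { continue }

        # Equivalent of: nslookup -type=ns . <root name server>
        try {
            $answer = Resolve-DnsName -Name '.' -Type NS -Server "$ip" `
                                      -DnsOnly -ErrorAction Stop
            $valid = @($answer | Where-Object { $_.Type -eq 'NS' }).Count -gt 0
        }
        catch {
            # Timeout, refusal, or unreachable server: treat as not valid.
            $valid = $false
        }

        [pscustomobject]@{
            NameServer = $name
            Address    = "$ip"
            Valid      = $valid
        }
    }
}

$results | Format-Table -AutoSize

# Count distinct root name servers that returned the root zone NS set.
$validServers = @($results | Where-Object Valid |
                  Select-Object -ExpandProperty NameServer -Unique)

if ($validServers.Count -lt 2) {
    Write-Warning ("Only {0} valid root name server(s) found in root hints on {1}. " +
                   "Add more root hints to remove the single point of failure.") `
                   -f $validServers.Count, $ComputerName
}
```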

To configure Root Hints

  1. Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

  2. In the console tree, click the name of the DNS server you wish to configure.

  3. On the Action menu, click Properties.

  4. Click the Root Hints tab.

  5. Modify server root hints as follows:

    • To add a root server to the list, click Add, and then specify the name and IP address of the server to be added to the list.

    • To modify a root server in the list, click Edit, and then specify the name and IP address of the server to be modified in the list.

    • To remove a root server from the list, select it in the list, and then click Remove.

    • To copy root hints from a DNS server, click Copy from server, and then specify the IP address of the DNS server from which you want to copy a list of root servers to use in resolving queries. These root hints will not overwrite any existing root hints.

Additional considerations

The following is the default list of root hints.

  • a.root-servers.net. 198.41.0.4

  • b.root-servers.net. 192.228.79.201

  • c.root-servers.net. 192.33.4.12

  • d.root-servers.net. 128.8.10.90

  • e.root-servers.net. 192.203.230.10

  • f.root-servers.net. 192.5.5.241

  • g.root-servers.net. 192.112.36.41

  • h.root-servers.net. 128.63.2.53

  • i.root-servers.net. 192.36.148.17

  • j.root-servers.net. 192.58.128.30

  • k.root-servers.net. 193.0.14.129

  • l.root-servers.net. 199.7.83.42

  • m.root-servers.net. 202.12.27.33

Tip

An updated list of root hints is available at ftp://ftp.rs.internic.net/domain/db.cache.

See Also

Concepts

Updating Root Hints