DNS: The DNS server must have root hints or forwarders configured

Updated: October 15, 2010

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Product/Feature: DNS

Severity: Warning

Category: Configuration

Issue

If recursion is enabled then either root hints or forwarders must be configured.

If the Use root hints if no forwarders are available checkbox is cleared, then forwarders must be configured to resolve DNS queries for external zones. If the Use root hints if no forwarders are available checkbox is enabled, then root hints must be configured to permit recursion when forwarders are not responding.

Impact

The DNS server will fail to resolve DNS queries for DNS zones for which it is not authoritative.

Recursion is not possible on this DNS server with the current configuration.

Important

Due to a code defect in Windows Server® 2008, the checkbox next to Use root hints if no forwarders are available actually configures the opposite behavior. The code defect is fixed if the DNS server is running Windows Server® 2008 R2. In Windows Server 2008, you must clear the checkbox next to Use root hints if no forwarders are available to use recursion when forwarding servers do not respond.

Resolution

Configure root hints or enable forwarding and configure forwarding servers.

If you do not want the server to use recursion, then clear the Use root hints if no forwarders are available checkbox. If the server should use recursion to answer DNS queries, then ensure root hints or forwarders are correctly configured.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To configure Root Hints

  1. Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

  2. In the console tree, click the name of the DNS server you wish to configure.

  3. On the Action menu, click Properties.

  4. Click the Root Hints tab.

  5. Modify server root hints as follows:

    • To add a root server to the list, click Add, and then specify the name and IP address of the server to be added to the list.

    • To modify a root server in the list, click Edit, and then specify the name and IP address of the server to be modified in the list.

    • To remove a root server from the list, select it in the list, and then click Remove.

    • To copy root hints from a DNS server, click Copy from server, and then specify the IP address of the DNS server from which you want to copy a list of root servers to use in resolving queries. These root hints will not overwrite any existing root hints.

To configure forwarders

  1. Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

  2. In the console tree, click the name of the DNS server you wish to configure.

  3. On the Action menu, click Properties.

  4. Click the Forwarders tab.

  5. Modify the list of forwarders as follows:

    • To add a forwarder to the list, click Edit, specify the name and IP address of the server to be added to the list, and then click OK.

    • To modify a forwarder in the list, click Edit, click the forwarder you wish to configure, modify the name or IP address of the forwarder, and then click OK.

    • To remove a forwarder from the list, click Edit, click the forwarder you wish to remove, clear the IP address field, and then click OK.

Note

When at least one forwarder is configured in the list, the Use root hints if no forwarders are available checkbox is available. Due to a code defect in Windows Server® 2008, the checkbox actually configures the opposite behavior. This issue is corrected if your DNS server is running Windows Server 2008 R2. The effect of the setting is to configure the IsSlave registry entry.

To view the value of the IsSlave registry entry

  1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. At the command prompt, type the following command, and then press ENTER:

    reg query HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    
  3. A list of DNS registry parameters is displayed. In the list, view the value next to IsSlave REG_DWORD.

    1. If the value displayed is 0x0, then the server will attempt to use root hints to resolve DNS queries if forwarders do not respond. Root hints should be configured.

    2. If the value displayed is 0x1, then the server will not attempt to use root hints to resolve DNS queries if forwarders do not respond. If forwarders do not respond, the server will terminate the DNS query and send a SERVER_FAILURE response. Root hints are not required.

    3. If the IsSlave entry is not displayed, then forwarders are not configured on the DNS server.

Do not attempt to configure the IsSlave registry entry manually, or the DNS server might fail to start or operate properly. For more information, see IsSlave.
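The checks in this procedure, as an added PowerShell example (not part of the original topic and not Microsoft's code): it reads IsSlave without modifying it, reports the fallback behavior, and shows which checkbox state DNS Manager should display once the Windows Server 2008 defect is taken into account. The function name Get-IsSlaveFinding and the use of OS version 6.0 to identify Windows Server 2008 are assumptions of this example.

```powershell
# Added example: read-only; it never writes to the registry.
# Key path and value meanings come from this topic; names below are hypothetical.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-IsSlaveFinding {
    param(
        [object]$IsSlave,     # $null when the IsSlave entry is not displayed
        [version]$OsVersion   # assumption: 6.0 identifies Windows Server 2008
    )
    # Windows Server 2008 (6.0) has the checkbox defect; 2008 R2 (6.1) and later do not.
    $inverted = ($OsVersion.Major -eq 6 -and $OsVersion.Minor -eq 0)

    if ($null -eq $IsSlave) {
        $meaning  = 'Forwarders are not configured; recursion depends on root hints.'
        $checkbox = 'unavailable (no forwarders in the list)'
    }
    elseif ([int]$IsSlave -eq 0 -or [int]$IsSlave -eq 1) {
        $fallback = ([int]$IsSlave -eq 0)
        if ($fallback) {
            $meaning = 'Root hints are used if forwarders do not respond; root hints should be configured.'
        } else {
            $meaning = 'No root hint fallback; queries fail with SERVER_FAILURE if forwarders do not respond.'
        }
        # On a defective console the checkbox shows the opposite of the effective behavior.
        if ($fallback -xor $inverted) { $checkbox = 'selected' } else { $checkbox = 'cleared' }
    }
    else {
        $meaning  = "Unexpected value $IsSlave; this topic only describes 0x0 and 0x1."
        $checkbox = 'unknown'
    }
    New-Object PSObject -Property @{
        IsSlave          = $IsSlave
        Meaning          = $meaning
        ExpectedCheckbox = $checkbox
        CheckboxInverted = $inverted
    }
}

if (-not (Test-Path $key)) {
    Write-Warning 'DNS Parameters key not found; the DNS Server role does not appear to be installed.'
} else {
    $entry = Get-ItemProperty -Path $key -Name IsSlave -ErrorAction SilentlyContinue
    $value = if ($entry) { $entry.IsSlave } else { $null }
    Get-IsSlaveFinding -IsSlave $value -OsVersion ([Environment]::OSVersion.Version) | Format-List
}
```

Run it from an elevated PowerShell session on the DNS server; if ExpectedCheckbox disagrees with what DNS Manager shows, treat the registry value as the effective setting.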

Additional considerations

The following is the default list of root hints.

  • a.root-servers.net. 198.41.0.4

  • b.root-servers.net. 192.228.79.201

  • c.root-servers.net. 192.33.4.12

  • d.root-servers.net. 128.8.10.90

  • e.root-servers.net. 192.203.230.10

  • f.root-servers.net. 192.5.5.241

  • g.root-servers.net. 192.112.36.41

  • h.root-servers.net. 128.63.2.53

  • i.root-servers.net. 192.36.148.17

  • j.root-servers.net. 192.58.128.30

  • k.root-servers.net. 193.0.14.129

  • l.root-servers.net. 199.7.83.42

  • m.root-servers.net. 202.12.27.33

Tip

An updated list of root hints is available at ftp://ftp.rs.internic.net/domain/db.cache.

See Also

Other Resources

Toggling the "Use root hints if no forwarders are available" Checkbox Results in the Opposite Behavior in Windows Server 2008 DNS Manager Snap-in