PawanKumar-0092 asked

Unable to remove DNS roothint

Hi Everyone,

We are facing a weird situation in our DNS root hints configuration. We have configured the custom root hints in DNS properties under the Root Hints tab; however, when we run the Get-DnsServerRootHint cmdlet we find the default root hint names in the result as well.

As we see the default root hints in the result, some of our internet queries go through those default root hints instead of the defined custom root hints.

Please let me know if you have noticed such an issue and can suggest something.

Note: We have already modified and deleted the default root hint entries from the cache.dns file under the DNS folder. We are also using forwarders.

Operating System: 2012 R2 Standard Core (no GUI)

Thanks in Advance

Tags: windows-server, windows-active-directory, windows-dhcp-dns

CandyLuo-MSFT answered

Hi ,

The root hints can be removed permanently and completely by removing the root hints from the DNS Manager, the CACHE.DNS file and from Active Directory.

The root hints come back because they still exist in the other two locations (the CACHE.DNS file and Active Directory), and you only removed the default root hint entries from the cache.dns file.

For more details, you could refer to the following link:

https://support.microsoft.com/en-us/help/818020/root-hints-reappear-after-they-are-removed

https://serverfault.com/questions/378200/how-can-i-permanently-remove-default-root-hints-from-a-server-2008-dns-server

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

---Please Accept as answer if the reply is helpful---

Best Regards,

Candy


Hi Candy,

Thanks for the response. I have already checked this; we have custom/defined DNS nodes under ADUC with one @ DNS node. In the GUI properties of DNS we have set only the defined root hints. The default entries are already removed from the cache.dns file.

But still, when we run the command Get-DnsServerRootHint it shows the default root hints. Also, Cached Lookups > .(root) shows the root hints in DNS Manager advanced view.


Thanks for your update.

Before going further, I would appreciate your help in clarifying the following:

What's the OS version of your DNS server?

Could you please upload screenshots of the DNS GUI and the PowerShell command?

Also post a screenshot of the root hints in DNS Manager advanced view.

In addition, use the Get-DnsServerRootHint | Remove-DnsServerRootHint cmdlets to remove these root hints and then run Get-DnsServerRootHint to check again.

For how to use the Remove-DnsServerRootHint cmdlet, please refer to the following link:

https://docs.microsoft.com/en-us/powershell/module/dnsserver/remove-dnsserverroothint?view=win10-ps#:~:text=%5B%5D-,Description,outside%20its%20own%20authoritative%20zones.



Hi Candy,

Please see the required information; I have replaced/hidden some names for privacy purposes.

We are using the 2012 R2 Standard OS for all our domain controllers.

Attached are the following screenshots. We consider that only two custom root hints should appear in the configuration and be used for external communication, i.e. abc1.contoso.com and abc2.contoso.com.


[Attached screenshots: rootdnsserver-from-aduc.jpg, dns-prop-cached-lookups.jpg, dns-powershell-roothints-result.jpg, dns-prop-roothints.png]


Thameur-BOURBITA answered

Hi,

You can use a DNS forwarder instead of root hints if you want to redirect external DNS requests to a specific address.
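The forwarder setting that decides whether a server can still fall back to root hints when its forwarders do not answer is the "Use root hints if no forwarders are available" option, exposed in PowerShell as the UseRootHint property. The following script is an added example, not code from Thameur's answer or from Microsoft; it lists the forwarder configuration of each DNS server, flags servers where that fallback is still enabled, and optionally turns it off so that external queries only leave through the configured forwarders. The server names are placeholders, and the DnsServer module (RSAT) is assumed to be installed where the script runs.

```powershell
#Requires -Modules DnsServer
<#
 Added example (not from the thread). For each DNS server, report its
 forwarders and whether root-hint fallback is enabled; with
 -DisableRootHintFallback, switch the fallback off while keeping the
 existing forwarder list unchanged.
#>
param(
    # Assumption: placeholder DNS server names, replace with your own.
    [string[]]$DnsServers = @('dc1.contoso.com', 'dc2.contoso.com'),
    # Report only unless this switch is passed.
    [switch]$DisableRootHintFallback
)

$report = foreach ($server in $DnsServers) {
    try {
        $fwd = Get-DnsServerForwarder -ComputerName $server -ErrorAction Stop
    } catch {
        Write-Warning "$server : Get-DnsServerForwarder failed: $($_.Exception.Message)"
        continue
    }

    $changed = $false
    if ($DisableRootHintFallback -and $fwd.UseRootHint) {
        # Pass the current list back explicitly so only the fallback flag changes.
        Set-DnsServerForwarder -ComputerName $server -IPAddress $fwd.IPAddress -UseRootHint $false
        $changed = $true
    }

    [pscustomobject]@{
        Server              = $server
        Forwarders          = ($fwd.IPAddress -join ', ')
        # $true means the server may still resolve via root hints when forwarders fail.
        RootHintFallback    = $fwd.UseRootHint
        TimeoutSeconds      = $fwd.Timeout
        FallbackDisabledNow = $changed
    }
}

# Servers that can still fall back to root hints are listed first.
$report | Sort-Object -Property @{Expression = 'RootHintFallback'; Descending = $true}, Server | Format-Table -AutoSize
```

Run it without the switch first to see which servers still have the fallback enabled; a server with forwarders configured and RootHintFallback set to $false will not use any root hint, default or custom, as long as a forwarder responds.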


Hi Thameur,

We are already using 2 forwarders in combination with custom root hints, which are our external/edge DNS servers. However, when we see the root hint details using the PowerShell command Get-DnsServerRootHint, we find the default root hints list as well, which we want to remove, and want to know whether that is possible or by design.

CandyLuo-MSFT answered

Hi ,

You are right. Multiple DCs will cause such a phenomenon. I have deployed DC2, and then when I run Get-DnsServerRootHint, those default root hints come back again.

[screenshot]

However, I just cleared the default root hints from the file under %windir%\SYSTEM32\DNS on DC1, and then it works.

[screenshot]

You might clear the list from the file under %windir%\SYSTEM32\DNS on all DNS servers, as this is server specific, to do a test.


---Please Accept as answer if the reply is helpful---

Best Regards,

Candy
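The answers above describe three places a root hint can live (the running server configuration, CACHE.DNS, and Active Directory) and suggest Get-DnsServerRootHint | Remove-DnsServerRootHint for the running configuration on each server. The script below is an added example, not code from the thread or from Microsoft, that does the per-server part at scale: it queries every domain controller (the thread says all DCs run DNS, so DCs are assumed to be the server list), compares each root hint with an approved list, reports any stray such as the default root-servers entries, and only removes strays when -Remove is passed. The approved names abc1.contoso.com and abc2.contoso.com are the placeholders used in the thread; the DnsServer and ActiveDirectory modules (RSAT) are assumed to be available.

```powershell
#Requires -Modules DnsServer, ActiveDirectory
<#
 Added example (not from the thread). Audit the root hints on every DNS
 server against an approved list and optionally remove the rest.
 Unapproved root hints matter because a query that leaves through them
 bypasses the controlled edge resolvers, as the question describes.
#>
param(
    # Placeholder names from the thread; replace with your edge resolvers.
    [string[]]$ApprovedNameServers = @('abc1.contoso.com', 'abc2.contoso.com'),
    # Report only unless this switch is passed.
    [switch]$Remove
)

# 'a.root-servers.net.' and 'A.ROOT-SERVERS.NET' must compare equal.
function ConvertTo-HintName([string]$Name) { $Name.TrimEnd('.').ToLowerInvariant() }

$approved = $ApprovedNameServers | ForEach-Object { ConvertTo-HintName $_ }

# Assumption: every DC hosts the DNS role, so DCs form the server list.
$dnsServers = (Get-ADDomainController -Filter *).HostName | Sort-Object -Unique

$report = foreach ($server in $dnsServers) {
    try {
        $hints = Get-DnsServerRootHint -ComputerName $server -ErrorAction Stop
    } catch {
        Write-Warning "$server : Get-DnsServerRootHint failed: $($_.Exception.Message)"
        continue
    }

    foreach ($hint in $hints) {
        # Each root hint pairs one NS record with its glue A/AAAA records.
        $name = $hint.NameServer.RecordData.NameServer
        $glue = @($hint.IPAddress | ForEach-Object {
            if ($_.RecordType -eq 'A') { $_.RecordData.IPv4Address.IPAddressToString }
            else                       { $_.RecordData.IPv6Address.IPAddressToString }
        }) -join ', '
        $isApproved = $approved -contains (ConvertTo-HintName $name)

        $removed = $false
        if (-not $isApproved -and $Remove) {
            # -Force skips the confirmation prompt; the NS record and its glue go together.
            Remove-DnsServerRootHint -ComputerName $server -NameServer $name -Force
            $removed = $true
        }

        [pscustomobject]@{
            Server     = $server
            NameServer = $name
            Glue       = $glue
            Approved   = $isApproved
            Removed    = $removed
        }
    }
}

# Strays first, so drift across servers is visible at a glance.
$report | Sort-Object Approved, Server | Format-Table -AutoSize
```

Run it without -Remove first and keep the report; re-running it after a change is also the quickest way to see which servers the default entries have reappeared on. As Candy's answers note, the cmdlet only touches the running configuration of each server: an entry that still exists in that server's CACHE.DNS file or in the RootDNSServers node in Active Directory can come back, so those locations are cleaned separately.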





Hi Candy,

Will you please confirm whether you have set the preferred DNS IP to DC2 in the DC1 NIC configuration.


Yes, I did, as you can see from the pictures below:

[three screenshots]



Just want to confirm the current situation.

Please feel free to let us know if you need further assistance.


Hi Candy,

Thanks for sharing the preferred DNS settings information. We have lots of DCs, so I cannot modify the file on all the servers without having a PoC. I'll try to set the DC to itself as preferred DNS and then will check.

Do you know the purpose of the Cache.dns file and when the DNS service uses it?
