Unable to remove DNS roothint

Pawan Kumar 1

Hi Everyone,

We are facing a weird situation in our DNS roothints configuration. We have configured the custom roothints in DNS properties under roothints tab, however when we run Get-DnsServerRootHint cmdlets we find the default roothints names as well in result.

As we see the default roothints in result, our some of the internet queries goes through those default roothints instead of defined custom roothints.

Please let me know if you have noticed such issue and can suggest something.

Note: We have already modified and deleted the default roothints entries from the cache.dns file under DNS folder. We are also using the forwarders.

Operating System: 2012 R2 standard Core(no gui)

Thanks in Advance

3 answers

Candy Luo 12,656 Reputation points Microsoft Vendor

2020-08-11T06:54:59.527+00:00

Hi ,

The root hints can be removed permanently and completely by removing the root hints from the DNS Manager, the CACHE.DNS file and from Active Directory.

The root hints come back is because the root hints still exist in the other two locations (CACHE.DNS file and Active Directory). And you only removed default roothints entries from the cache.dns file.

For more details, you could refer to the following link:

https://support.microsoft.com/en-us/help/818020/root-hints-reappear-after-they-are-removed

https://serverfault.com/questions/378200/how-can-i-permanently-remove-default-root-hints-from-a-server-2008-dns-server

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

---Please Accept as answer if the reply is helpful---

Best Regards,

Candy
Please sign in to rate this answer.
Pawan Kumar 1 Reputation point

2020-08-11T08:25:04.057+00:00

Hi Candy,

Thanks for response. I have already checked this, we have custom/defined DNS nodes under ADUC with one @DNSnode. In GUI properties of DNS we have set the only defined roothints. From cache.dns file default entries are already removed.

But still when we run the command get-dnsserverroothint it shows the defaultroothints. Also on Cached lookup >>.(root) shows the roothints in DNS manager advance view.

Candy Luo 12,656 Reputation points Microsoft Vendor

2020-08-11T09:47:40.827+00:00

Thanks for your updating.

Before going further, I would appreciate your help in clarifying the following situations:

What's the OS version of your DNS server?

Could you please upload the screenshot of DNS GUI and powershell command?

Also post the screenshot of the roothints in DNS manager advance view.

In addition, use Get-DnsServerRootHint | Remove-DnsServerRootHint cmdlet to remove these root hints and then run Get-DnsServerRootHint to check again.

For how to use Remove-DnsServerRootHint cmdlet, please refer to the following link:

https://learn.microsoft.com/en-us/powershell/module/dnsserver/remove-dnsserverroothint?view=win10-ps#:~:text=%5B%5D-,Description,outside%20its%20own%20authoritative%20zones.

Pawan Kumar 1 Reputation point

2020-08-11T12:02:36.497+00:00

Hi Candy,

Please see the required information, I have replaced/hide some names from the privacy purpose.

We are using 2012 R2 Standard OS for all our Domain controllers.

Attached the following screenshots. We are considering only two custom roothints should be apprear in configuration and used for external communication i.e. abc1.contoso.com and abc2.contoso.com

Pawan Kumar 1 Reputation point

2020-08-11T12:06:16.873+00:00

Forget to answer below point:

use Get-DnsServerRootHint | Remove-DnsServerRootHint cmdlet to remove these root hints and then run Get-DnsServerRootHint to check again.

I have run the command and removed all roothints and restarted dns service and not able to see the any roothints. But when I started to add the two custom roothints i.e. abc1.contoso.com and abc2.contoso.com then again the default roothints starts appear in Get-dnsserverroothint command as shown in screenshot.

Candy Luo 12,656 Reputation points Microsoft Vendor

2020-08-12T02:48:01.543+00:00

Thanks for the detailed information. I have tested in my lab and did not occur such problem at the moment. As the picture below (I was using server 2016):

I will try to wait for a while to see if the default root hints will return back again. If I still cannot reproduce this problem, I will try to deploy a server 2012 DNS to do a test.

Pawan Kumar 1 Reputation point

2020-08-12T04:04:41.74+00:00

Hi Candy,

I'm suspecting that if DC has internet connection then it tries slowly to resolve default roothints using the custom roothints or forwarder and add in list. Can you check this after setting up internet connection on DC.

That may be a difference in lab scenario.

Candy Luo 12,656 Reputation points Microsoft Vendor

2020-08-12T05:20:37.037+00:00

Yes, it might be. But due to the limited test environment, I did not have a physical DC that can directly connect to internet. I can only create a DC VM connected to an external switch to set up internet connection. In such case, it is hard to reproduce your issue with lab scenario.

If this issue is urgent, I would suggest you open a case with Microsoft where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue.

You may find phone number for your region accordingly from the link below:
https://support.microsoft.com/en-us/gp/customer-service-phone-numbers

Pawan Kumar 1 Reputation point

2020-08-12T06:51:59.26+00:00

Hi Candy,

This is not an urgent issue to us as we are not getting any impact but just want to correct the behaviour of roothints, why those are not respecting configuration.

I don't mean to have physical DC as we are also using a VM as DC. As you said connection to an external switch to set up internet connection on DC VM should be fine. Just to ensure DC resolve external dns i.e. googl.com

Candy Luo 12,656 Reputation points Microsoft Vendor

2020-08-12T07:48:01.437+00:00

I used a server 2012 DC VM and connected to an external switch and then test again. I still did not occur the same phenomenon....

Pawan Kumar 1 Reputation point

2020-08-12T08:38:32.587+00:00

Hi Candy,

Sorry to asking out of box question. Can it be possible that we are using the DC2 as preferred DNS in DC1(where issue exist) and its getting default roothints from DC2. Default roothints are showing on all other DNS servers as well but I didn't modified any change there till I get assured what to change.

Might be this issue with server itself, I'll check this with other DC if changes works there as expected or not.

Candy Luo 12,656 Reputation points Microsoft Vendor

2020-08-12T09:45:30.167+00:00

I also have such doubts ( haven't got time to do the test). I will deploy a DC2 to do a test. There might be some time delay. Appreciate your patience.

I will get back to you as soon as possible.
Sign in to comment
Thameur-BOURBITA 32,586 Reputation points

2020-08-12T22:15:15.15+00:00

Hi,

You can use DNS forwarder instead of roothint if you want redirect external DNS request to specific address.
Please sign in to rate this answer.
Pawan Kumar 1 Reputation point

2020-08-13T06:11:51.197+00:00

Hi Thameur,

We are already using 2 forwarders with combination of custom root hints which are our external/edge DNS servers. However when we see roothints details using powershell command Get-DNSserverRoothint we find the default root hints list as well. Which we want to remove and want to know if is it possible or by design.
Sign in to comment
Candy Luo 12,656 Reputation points Microsoft Vendor

2020-08-13T03:04:03.66+00:00

Hi ,

You are right. Multiple DC will cause such phenomenon.I have deployed the DC2 and then when I run Get-DnsServerRootHint, those default roothints get back again.

However, I just clear the default root hints from the file under %windir%\SYSTEM32\DNS on DC1 and then it works.

You might clear the list from the file under %windir%\SYSTEM32\DNS on all DNS servers as this is server specific to do a test.

---Please Accept as answer if the reply is helpful---

Best Regards,

Candy
Please sign in to rate this answer.
Pawan Kumar 1 Reputation point

2020-08-13T06:10:08.407+00:00

Hi Candy,

Will you please confirm, if you have set the prefer dns IP to DC2 in DC1 nic configuration.

Candy Luo 12,656 Reputation points Microsoft Vendor

2020-08-13T07:28:13.62+00:00

Yes, I did. As you can see from picture below:

Candy Luo 12,656 Reputation points Microsoft Vendor

2020-08-14T07:07:52.52+00:00

Just want to confirm the current situations.

Please feel free to let us know if you need further assistance.

Pawan Kumar 1 Reputation point

2020-08-17T04:20:49.51+00:00

Hi Candy,

Thanks for sharing preferred DNS settings information. We have lots of DCs so I cannot modify the file from all the servers without having a PoC. I'll try to set the DC to self as preferred DNS and then will check.

Do you know about the purpose of Cache.dns file and when DNS service use it.

Candy Luo 12,656 Reputation points Microsoft Vendor

2020-08-17T06:57:39.297+00:00

The Cache.dns file is used to store root hints. By default, the DNS Server service implements root hints using this file.

Since I did not reproduce your issue, it is hard for me to analyze the cause from Q&A platform support level.

>>I'll try to set the DC to self as preferred DNS and then will check.

I will wait for your updates.

Candy Luo 12,656 Reputation points Microsoft Vendor

2020-08-20T06:59:53.033+00:00

Did you have any updates on this issue?

Pawan Kumar 1 Reputation point

2020-08-27T05:08:06.913+00:00

Hi Candy,

I didn't change the preferred DNS to DC itself even though configuration is correct now. I just performed the removal of default root hints from PDC in DNS properties and the next day I found most of the DC with correct configuration.

So not sure what made it fixed but still there are few server which are reporting same issue. I'll check and will update if I find the fix.

Candy Luo 12,656 Reputation points Microsoft Vendor

2020-08-27T05:27:36.997+00:00

Please feel free to let us know if you find the fix.
Sign in to comment