IPv4 root hints being removed in the presence of an IPv6 enabled Domain Controller

Robert Sanders 1 Reputation point
2020-08-27T15:02:29.087+00:00

Hello,

Still trying to reproduce the conditions; however, it appears that our IPv4 root hints have been removed and in their place there are only IPv6 ones. We have one IPv6-enabled domain controller, while the others only had the link-local, default IPv6 configuration.

Eventually, the IPv4 root hints are gone and we are left with only IPv6. Restarting the DNS service did not fix it, and clicking Resolve on the record did not bring them back. I had to manually re-enter them or copy them from a server that only had the IPv4 hints.

Why is this happening? I have heard there is a bug introduced in January 2018 with this issue that affects both Server 2012/R2 and 2016, but I cannot find any official documentation from Microsoft on this behavior. Any info?

Tags: Windows Server 2016, Windows Server 2012, Windows DHCP

7 answers

  1. Rob L 21 Reputation points
    2021-07-13T17:20:09.127+00:00

    To help others in the future, as I couldn't find a solution but stumbled upon it while trying.

    Copying from another DNS server did not permanently solve the problem. Every time the DNS service restarted, it would wipe the root hints out and rewrite them as IPv6 only. After a bunch of random testing (I won't bore you with it), I found the answer to be to delete them all, save, and restart the service. Then manually add a.root-servers.net. as 198.41.0.4. After that I could manually add and resolve b through k. I tested a bunch of service restarts and then a computer restart, and the root hints are still IPv4 only.

    Hope this helps someone in their searches.

    4 people found this answer helpful.

  2. Erik Carlseen 11 Reputation points
    2021-02-21T22:29:15.577+00:00

    Microsoft has made it quite clear that they could not care less about this problem, and have no intentions of fixing it. Having a server unilaterally alter critical configuration variables in a way that massively breaks functionality across the entire domain is apparently acceptable to them, which is a reason we are moving as many systems away from Microsoft as possible. That being said, some systems can't be moved and so here is a script to fix the problem. This is provided as-is, use-at-your-own-risk, may destroy your network and your life, etc. Hope it helps you out, because Microsoft sure won't.

    @ECHO OFF
    
    REM *********************************************
    REM This script checks to make sure that DNS Server Root Hints match the values in this script.
    REM It does not check to ensure that these values are up-to-date.
    REM Please periodically review the official Root Hint data at this URI and update this script as needed:
    REM    http://www.internic.net/domain/named.root
    REM *********************************************
    
    REM To-do:
    REM 1) Re-write in PowerShell
    REM 2) Update all DNS servers in Domain or Forest.
    
    
    CALL :CheckRootDNSARecord a 198.41.0.4
    CALL :CheckRootDNSARecord b 199.9.14.201
    CALL :CheckRootDNSARecord c 192.33.4.12
    CALL :CheckRootDNSARecord d 199.7.91.13
    CALL :CheckRootDNSARecord e 192.203.230.10
    CALL :CheckRootDNSARecord f 192.5.5.241
    CALL :CheckRootDNSARecord g 192.112.36.4
    CALL :CheckRootDNSARecord h 198.97.190.53
    CALL :CheckRootDNSARecord i 192.36.148.17
    CALL :CheckRootDNSARecord j 192.58.128.30
    CALL :CheckRootDNSARecord k 193.0.14.129
    CALL :CheckRootDNSARecord l 199.7.83.42
    CALL :CheckRootDNSARecord m 202.12.27.33
    
    GOTO :SCRIPT_END
    
    REM *********************************************
    
    :CheckRootDNSARecord
    REM %1 = root server letter, %2 = expected IPv4 address, %3 = FINAL on the re-check that follows a repair.
    REM FIND sets ERRORLEVEL 1 when the expected address is absent from the server's A records for this name.
    %SYSTEMROOT%\System32\DNSCMD.EXE localhost /EnumRecords /RootHints %1.root-servers.net. /Type A | FIND "%2" >NUL
    IF NOT "%ERRORLEVEL%"=="0" GOTO :FixRootDNSARecord
    ECHO %1.root-servers.net resolves fine.
    EXIT /b
    
    :FixRootDNSARecord
    REM Still missing after a repair attempt: report it rather than returning silently.
    IF "%3"=="FINAL" GOTO :FixRootDNSARecordFailed
    ECHO %1.root-servers.net FAILED RESOLUTION. Attempting to repair.
    %SYSTEMROOT%\System32\DNSCMD.EXE localhost /RecordAdd /RootHints %1.root-servers.net. A %2 >NUL
    IF NOT "%ERRORLEVEL%"=="0" GOTO :FixRootDNSARecordFailed
    CALL :CheckRootDNSARecord %1 %2 FINAL
    EXIT /b
    
    :FixRootDNSARecordFailed
    REM Reached when /RecordAdd fails or the re-check still does not find the A record.
    REM (The GOTO targets above need this label to exist; cmd aborts the batch on a missing label.)
    ECHO %1.root-servers.net could NOT be repaired (expected A record %2).
    EXIT /b
    
    REM *********************************************
    
    :SCRIPT_END
    ECHO Complete.
    
    2 people found this answer helpful.
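The two to-do items in the batch script above (a PowerShell rewrite that can target several DNS servers) as an added example. This is not code from the thread or from Microsoft; it uses the DnsServer module cmdlets Get-DnsServerRootHint, Add-DnsServerRootHint and Remove-DnsServerRootHint, and the expected-address table is copied from the batch script and is assumed current, which you must verify against https://www.internic.net/domain/named.root before running. The `-Rebuild` switch reproduces the delete-all, restart, add a.root-servers.net. first sequence from the first answer; `-RemoveIPv6` follows the advice in the vendor answer below to keep IPv6 addresses out of root hints that already have valid IPv4 ones.

```powershell
#Requires -Modules DnsServer
<#
  Added example, not code from the original thread or from Microsoft.
  Audits the IPv4 root hints on one or more Windows DNS servers against an expected
  table and adds any A record that is missing, then reports the IPv4/IPv6 hint counts.

  Assumptions: the DnsServer module is installed (RSAT or a DNS server), the caller has
  DNS admin rights on every target, WinRM is enabled on remote targets when -Rebuild is
  used, and the addresses below (taken from the batch script) are still current.
#>
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [switch]$RemoveIPv6,   # also remove AAAA root hints (vendor answer: IPv4 alone is sufficient)
    [switch]$Rebuild,      # delete all hints, restart DNS, add a.root-servers.net. first (Rob L's procedure)
    [switch]$ReportOnly    # audit without changing anything
)

# Assumed current; compare with https://www.internic.net/domain/named.root before use.
$ExpectedRootHints = [ordered]@{
    'a.root-servers.net.' = '198.41.0.4';    'b.root-servers.net.' = '199.9.14.201'
    'c.root-servers.net.' = '192.33.4.12';   'd.root-servers.net.' = '199.7.91.13'
    'e.root-servers.net.' = '192.203.230.10';'f.root-servers.net.' = '192.5.5.241'
    'g.root-servers.net.' = '192.112.36.4';  'h.root-servers.net.' = '198.97.190.53'
    'i.root-servers.net.' = '192.36.148.17'; 'j.root-servers.net.' = '192.58.128.30'
    'k.root-servers.net.' = '193.0.14.129';  'l.root-servers.net.' = '199.7.83.42'
    'm.root-servers.net.' = '202.12.27.33'
}

function Get-RootHintAddressMap {
    # Returns a hashtable: name server FQDN (with trailing dot) -> object with IPv4 and IPv6 string arrays.
    param([string]$Server)
    $map = @{}
    foreach ($hint in Get-DnsServerRootHint -ComputerName $Server) {
        $name = $hint.NameServer.RecordData.NameServer
        $map[$name] = [pscustomobject]@{
            IPv4 = @($hint.IPAddress | Where-Object RecordType -eq 'A'    | ForEach-Object { $_.RecordData.IPv4Address.ToString() })
            IPv6 = @($hint.IPAddress | Where-Object RecordType -eq 'AAAA' | ForEach-Object { $_.RecordData.IPv6Address.ToString() })
        }
    }
    return $map
}

function Repair-RootHints {
    param([string]$Server)
    $added = @(); $removedV6 = @()

    if ($Rebuild -and -not $ReportOnly) {
        foreach ($hint in Get-DnsServerRootHint -ComputerName $Server) {
            Remove-DnsServerRootHint -ComputerName $Server -NameServer $hint.NameServer.RecordData.NameServer -Force
        }
        if ($Server -eq $env:COMPUTERNAME) { Restart-Service -Name DNS }
        else { Invoke-Command -ComputerName $Server -ScriptBlock { Restart-Service -Name DNS } }
        Add-DnsServerRootHint -ComputerName $Server -NameServer 'a.root-servers.net.' -IPAddress $ExpectedRootHints['a.root-servers.net.']
        $added += 'a.root-servers.net.'
    }

    $current = Get-RootHintAddressMap -Server $Server
    foreach ($name in $ExpectedRootHints.Keys) {
        $want = $ExpectedRootHints[$name]
        $have = if ($current.ContainsKey($name)) { $current[$name].IPv4 } else { @() }
        if ($have -notcontains $want) {
            Write-Warning "$Server : $name has no A record $want (IPv4 present: $($have -join ','); IPv6 present: $($current[$name].IPv6 -join ','))"
            if (-not $ReportOnly) {
                Add-DnsServerRootHint -ComputerName $Server -NameServer $name -IPAddress $want
                $added += $name
            }
        }
        if ($RemoveIPv6 -and -not $ReportOnly -and $current.ContainsKey($name) -and $current[$name].IPv6.Count -gt 0) {
            Remove-DnsServerRootHint -ComputerName $Server -NameServer $name -IPAddress $current[$name].IPv6 -Force
            $removedV6 += $name
        }
    }

    $after = Get-RootHintAddressMap -Server $Server
    [pscustomobject]@{
        Server        = $Server
        IPv4Hints     = @($after.Values | ForEach-Object { $_.IPv4 }).Count
        IPv6Hints     = @($after.Values | ForEach-Object { $_.IPv6 }).Count
        AddedA        = ($added | Sort-Object -Unique) -join ','
        RemovedAAAAOn = $removedV6 -join ','
    }
}

foreach ($server in $ComputerName) { Repair-RootHints -Server $server }
```

Run it first with `-ReportOnly` against every DNS server in the domain (for example `.\Fix-RootHints.ps1 -ComputerName (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName) -ReportOnly`) to see which servers have lost their A records; a server whose IPv6Hints count is non-zero while IPv4Hints is zero matches the symptom described in the question. Because the thread reports the hints being rewritten on each service restart, re-run the audit after the restart to confirm the repair held.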

  3. Dave Patrick 426K Reputation points MVP
    2020-08-27T15:13:35.153+00:00

    I haven't heard of this happening before. Root hints will resolve internet queries in a top-level down fashion. As a work-around you could add ISP or your favorite public DNS as forwarders. This should be slightly faster than relying solely on root hints.

    --please don't forget to Accept as answer if the reply is helpful--


  4. Dave Patrick 426K Reputation points MVP
    2020-08-27T15:28:16.647+00:00

    Well, in that case I'd suggest starting a case here with product support. Only Microsoft can fix known or confirmed bugs.
    https://support.microsoft.com/hub/4343728/support-for-business

    The other option for you is to report it here on UserVoice.
    https://windowsserver.uservoice.com/forums/295047-general-feedback

    The work-around I described should solve it in the interim.

    --please don't forget to Accept as answer if the reply is helpful--


  5. Candy Luo 12,656 Reputation points Microsoft Vendor
    2020-08-28T02:20:33.077+00:00

    Hi,

    Based on my research, it seems that this issue is caused by DNS submitting two different LDAP modification requests, one for A records and one for AAAA records, one immediately after the other. Since both requests modify the same AD object (RootDNSServers), the last one wins (AAAA), and the A records are overwritten in the AD zone.

    It is rare that IPv6 addresses need to be added to root hints. Root hint lookup should be sufficient with IPv4 addresses alone. If not absolutely required, do not add IPv6 addresses to root hints that already have valid IPv4 addresses.

    As a workaround, you can copy them from a working DNS server.

    If you have a working DNS server on your domain:

    Go to the domain >> right-click >> Properties >> Root Hints >> Copy from Server, and select a server from your domain.


    If you don't have a working DNS server on the domain:

    Go to the domain >> right-click >> Properties >> Root Hints >> Copy from Server, and select ONE OF THE ROOT HINT SERVERS from the following list
    (make sure the server is reachable via ping):

    https://www.iana.org/domains/root/servers


    Hope this can help you.

    --Please Accept as answer if the reply is helpful--

    Best Regards,

    Candy
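The answer above locates the problem in Active Directory: two consecutive LDAP writes against the RootDNSServers object, with the AAAA write overwriting the A records. The following added example (not code from the thread or from Microsoft) reads that object directly with the ActiveDirectory module and lists, per name-server node, which A and AAAA values the stored dnsRecord attribute actually holds, so the directory copy can be checked independently of what the DNS console shows. It assumes AD-integrated zone storage, that the RootDNSServers dnsZone sits under one of the usual MicrosoftDNS containers (the domain System container, DomainDnsZones or ForestDnsZones), and that each dnsRecord value follows the MS-DNSP DNS_RPC_RECORD layout (2-byte DataLength, 2-byte Type, a 24-byte header in total, record data at offset 24; type 1 = A, 28 = AAAA, 2 = NS).

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not code from the original thread or from Microsoft.
  Lists the root hints as stored in Active Directory (the RootDNSServers zone object),
  decoding each dnsRecord value far enough to tell A from AAAA records.

  Assumptions: AD-integrated DNS; RootDNSServers lives under CN=MicrosoftDNS in the
  domain System container or in the DomainDnsZones/ForestDnsZones partitions; dnsRecord
  values use the MS-DNSP DNS_RPC_RECORD layout (DataLength at offset 0, Type at offset 2,
  record data starting at offset 24).
#>
param([string]$Server = (Get-ADDomain).PDCEmulator)

function ConvertFrom-DnsRecordBlob {
    # Decodes only what this check needs: record type and, for A/AAAA, the address.
    param([byte[]]$Blob)
    if ($Blob.Length -lt 24) { return $null }
    $dataLength = [BitConverter]::ToUInt16($Blob, 0)
    $type       = [BitConverter]::ToUInt16($Blob, 2)
    $data = if ($dataLength -gt 0) { [byte[]]($Blob[24..(23 + $dataLength)]) } else { [byte[]]@() }
    switch ($type) {
        1       { [pscustomobject]@{ Type = 'A';    Value = [System.Net.IPAddress]::new($data).ToString() } }
        28      { [pscustomobject]@{ Type = 'AAAA'; Value = [System.Net.IPAddress]::new($data).ToString() } }
        2       { [pscustomobject]@{ Type = 'NS';   Value = '(name not decoded)' } }
        default { [pscustomobject]@{ Type = "TYPE$type"; Value = $null } }
    }
}

function Find-RootDnsServersZones {
    # Root hints may be stored in more than one partition; return every RootDNSServers zone found.
    param([string]$Server)
    $rootDse = Get-ADRootDSE -Server $Server
    $bases = @(
        "CN=MicrosoftDNS,CN=System,$($rootDse.defaultNamingContext)",
        "CN=MicrosoftDNS,DC=DomainDnsZones,$($rootDse.defaultNamingContext)",
        "CN=MicrosoftDNS,DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)"
    )
    foreach ($base in $bases) {
        try {
            Get-ADObject -Server $Server -SearchBase $base -SearchScope OneLevel `
                -LDAPFilter '(&(objectClass=dnsZone)(name=RootDNSServers))' -ErrorAction Stop
        } catch {
            # Container absent on this partition (e.g. no ForestDnsZones replica); skip it.
        }
    }
}

function Get-StoredRootHints {
    # One row per dnsNode under each RootDNSServers zone, with the A and AAAA values it holds.
    param([string]$Server)
    foreach ($zone in Find-RootDnsServersZones -Server $Server) {
        $nodes = Get-ADObject -Server $Server -SearchBase $zone.DistinguishedName -SearchScope OneLevel `
                    -LDAPFilter '(objectClass=dnsNode)' -Properties dnsRecord, dNSTombstoned
        foreach ($node in $nodes) {
            $records = @($node.dnsRecord | ForEach-Object { ConvertFrom-DnsRecordBlob -Blob $_ } | Where-Object { $_ })
            [pscustomobject]@{
                Partition  = $zone.DistinguishedName
                Node       = $node.Name
                A          = @($records | Where-Object Type -eq 'A').Value -join ','
                AAAA       = @($records | Where-Object Type -eq 'AAAA').Value -join ','
                NSRecords  = @($records | Where-Object Type -eq 'NS').Count
                Tombstoned = [bool]$node.dNSTombstoned
            }
        }
    }
}

Get-StoredRootHints -Server $Server | Sort-Object Partition, Node | Format-Table -AutoSize
```

A node row with an empty A column and a populated AAAA column is the directory-side view of the symptom in the question; because AD-integrated DNS servers reload root hints from this object, fixing the hints on one server without also correcting (or removing IPv6 from) the stored records explains why copies from another server did not survive a service restart in the first answer.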