Root Server

"." this zone means that all clients will come to the DNS server, which will send this query to the root servers.

Is this definition correct, and if so, why would a corp do this?
On the road to MCITP......

Comments

  • royal Member Posts: 3,353
    The . zone or the dot zone means that the queries end at that server. It is "The" Root DNS Server. This happened in Windows 2000 when the server didn't have access to the internet and you installed DNS. The dot zone prevents you from creating forwarders as well as creating any kind of Root Hints. You'd typically have your dot zone, create delegations under it just like a real Root Server. For instance, you'd have your dot zone, then you'd have a .com, .net, .org, etc. under it. Then you would have delegations for each second level domain (techexams.net), etc. under the necessary folder (.net) created under the root zone.

    Typically, you'd remove the dot zone so users can contact your DNS server and allow that DNS server to provide recursion (getting the answer for the client); whether that may be through a forwarder, root hints, etc.

    A corp would do that when they don't want any recursion over the internet. They want their DNS infrastructure completely private and have all other DNS servers point their root hints to your dot zone server to act as a root server. It'll be miraculous if you go to a company/client and see this implemented.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • donald7862003 Member Posts: 128
    Thank you, that makes sense. So all other DNS servers would point to this server and end. But it would make sense to have this implemented and point all users to a proxy server for internet.
    On the road to MCITP......
  • sprkymrk Member Posts: 4,884
    donald7862003 wrote:
    Thank you, that makes sense. So all other DNS servers would point to this server and end. But it would make sense to have this implemented and point all users to a proxy server for internet.

    A proxy and DNS server are two different things with different purposes. A proxy is used for things such as caching web pages (not just queries and their results) or in some cases a proxy might be used for content filtering and/or virus scanning. A DNS server simply translates FQDNs to IP addresses.

    So whether you use a proxy or not really has nothing to do with how your DNS is set up.
    All things are possible, only believe.
  • Claymoore Member Posts: 1,637
    royal wrote:
    A corp would do that when they don't want any recursion over the internet. They want their DNS infrastructure completely private and have all other DNS servers point their root hints to your dot zone server to act as a root server. It'll be miraculous if you go to a company/client and see this implemented.

    On purpose anyway...

    Somehow we wound up with a root (.) zone on our primary DNS server. I'm not sure how it got there, but I'll blame the previous administrator since he's not here to defend himself. The clients ran their queries against a secondary server without a root zone, so we never really noticed the problem. 98% of the time internet name resolution requests worked fine, but that 2% was causing us some headaches, so finally I spent a couple of days watching DNS logs and saw that internet requests against the primary server (configured as the clients' secondary server in DHCP) were failing. So I checked the forwarders and root hints on that server only to find that they weren't there - because of that root zone. I don't know how many times I opened the DNS console and never noticed the single . root zone listed above our other zones. I deleted that zone, copied the root hints over from the secondary server and everything started working fine.
  • sprkymrk Member Posts: 4,884
    Claymoore wrote:
    royal wrote:
    A corp would do that when they don't want any recursion over the internet. They want their DNS infrastructure completely private and have all other DNS servers point their root hints to your dot zone server to act as a root server. It'll be miraculous if you go to a company/client and see this implemented.

    On purpose anyway...

    Somehow we wound up with a root (.) zone on our primary DNS server. I'm not sure how it got there, but I'll blame the previous administrator since he's not here to defend himself.

    I know this used to happen if you set up a W2K DNS server when you were not connected to the Internet.
    All things are possible, only believe.
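
The stray root zone described in the thread can be spotted from the wire: a server that carries a "." zone answers a non-recursive SOA query for the root authoritatively (AA flag set). The following Python check is an added example, not part of the thread; the function names, the transaction ID and the sample replies are constructed for illustration.

```python
import socket
import struct

QTYPE_SOA, QCLASS_IN = 6, 1
FLAG_QR, FLAG_AA = 0x8000, 0x0400

def build_root_soa_query(txid: int) -> bytes:
    """Non-recursive (RD=0) query for the SOA record of the root zone '.'."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    # The root name is encoded as a single zero-length label.
    question = b"\x00" + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    return header + question

def classify_response(txid: int, resp: bytes) -> str:
    """Return 'hosts-root-zone', 'no-root-zone' or 'invalid' for a reply to the query above."""
    if len(resp) < 12:
        return "invalid"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & FLAG_QR:
        return "invalid"
    rcode = flags & 0x000F
    # AA=1 with an answer means the server itself is authoritative for '.',
    # so it holds a dot zone and will not use forwarders or root hints.
    if flags & FLAG_AA and rcode == 0 and an >= 1:
        return "hosts-root-zone"
    return "no-root-zone"

def probe(server_ip: str, timeout: float = 3.0) -> str:
    """Send the query over UDP/53 to a DNS server you administer and classify the reply."""
    txid = 0x5A5A  # constructed transaction ID
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_root_soa_query(txid), (server_ip, 53))
        resp, _ = s.recvfrom(4096)
    return classify_response(txid, resp)

def sample_reply(txid: int, flags: int, ancount: int) -> bytes:
    """Constructed reply (header plus echoed question, no record data) for offline checks."""
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + build_root_soa_query(txid)[12:]

if __name__ == "__main__":
    print(classify_response(7, sample_reply(7, 0x8400, 1)))  # QR+AA, one answer
    print(classify_response(7, sample_reply(7, 0x8080, 0)))  # QR+RA, no answer
```

Run `probe()` against each internal DNS server in turn; any server other than a deliberately built private root that returns `hosts-root-zone` is one whose forwarders and root hints are disabled.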