Adding root servers as local secondary zone to local caching server

Charles Sharp charles at
Fri May 21 13:27:29 UTC 2021


Ok, so, I maintain a smallish Windows AD Domain, and was doing some
research on the question of whether or not to use DNS forwarders in the
Microsoft DNS server, or to use just the root hints.

I ran across an article written by someone who suggested something I'd
never considered - he suggested deleting the root hints, and setting up
new forward/reverse secondary zones that basically act as a local 'root
hints', and was wondering if anyone here had ever considered this, done
it, or has good arguments against doing it.

Here is the Microsoft Technet article:

And here is his post in response to someone who was arguing for always
just using root hints:

> Well... if you're focusing on availability and speed then you may 
> also push the setup a bit farther, what I mean is the following:>
> open your DNS management console
> delete (yes, delete) the root hints
> go to "forward zones", right click, create a new forward zone, type
> secondary standard, name "." (a single dot)and enter the following
> IPs for the authoritative DNS
> confirm and move to "reverse zones", again, create a new reverse 
> zone, type secondary standard, name "arpa" and enter the following 
> IPs as the auth DNS

> wait a bit for the zone transfers to take place and then have a look 
> at the zones, using such a config your DNS will basically act as a 
> "slave root" DNS that is, will keep a copy of the forward and
> reverse root zones

So... will this actually work as it appears, and if so, is it a good idea?

Also - is it possible to do the same thing in Unbound, and if so, how?



More information about the Unbound-users mailing list