A DNS recursive resolver is typically primed with a list of Root Servers which it uses to resolve queries. When the recursive resolver receives a query, it queries to one of the root servers to get back a list of top level domain (TLD) name servers. It then queries those TLD name servers to get back another list of name servers hosting the domain name. This process is done recursively until the an answer for the query is resolved.
The DNS recursive resolver maintains a cache to avoid frequent queries and thus improving its performance. However, when the cache expires or is flushed, the recursive resolution process is performed again.
During the recursive resolution process, there is a possibility that the response from root server is delayed due to network issues or other events like the root server being under a Denial of Service (DoS) attack. There could also be passive monitoring of DNS requests going to root servers by an on path actor compromising privacy.
To prevent these issues and to improve resiliency there is a good option to run a Root Server locally on your DNS resolver.
There are several advantages of running a Root Server locally:
- The Root zone contains all the TLD name servers and their IP addresses. This allows the DNS resolver to skip the initial query to the Root Server and directly query to the TLD name servers saving time.
- Since the Root zone is running locally, queries for non existent top level domain (TLD) names are resolved locally.
- This also improves resiliency since the Root zone is local and thus there is no immediate dependency on the Root Servers for recursive resolution.
There are a few disadvantages too:
- If there are any updates to the Root zone, it will take slightly longer for those changes to sync to your local Root zone. Though there wont be much of a noticeable issue.
- If your local Root zone is not updating due to any reason and it was not detected, then the local Root zone will expire after 7 days (as per Root SOA Expiry). This may cause some DNS resolvers to fail to resolve any queries when cache expires. Technitium DNS Server however will fall back to root hints in such a case.
Considering both the advantages and disadvantages, its good to have a Root zone locally for a recursive resolver.
Sourcing The Root Zone
The root zone is available from ICANN DNS servers via zone transfer (AXFR-over-TCP):
- xfr.cjr.dns.icann.org (22.214.171.124, 2620:0:2830:202::132)
- xfr.lax.dns.icann.org (126.96.36.199, 2620:0:2d0:202::132)
The following Root Servers also support zone transfer (AXFR-over-TCP):
- b.root-servers.net (188.8.131.52, 2001:500:200::b)
- c.root-servers.net (184.108.40.206, 2001:500:2::c)
- d.root-servers.net (220.127.116.11, 2001:500:2d::d)
- f.root-servers.net (18.104.22.168, 2001:500:2f::f)
- g.root-servers.net (22.214.171.124, 2001:500:12::d0d)
- k.root-servers.net (126.96.36.199, 2001:7fd::1)
It is recommended to have DNSSEC enabled on your DNS resolver. Use recursive ACL to make sure that your DNS resolver accepts queries only from known clients to protect from DNS amplification attacks.
To configure your DNS server, you just have to create a secondary zone for "." domain name which is a fully qualified domain name (FQDN) for the Root zone.
On Technitium DNS Server, configure the secondary zone as shown in the screenshot below:
Configuring Local Secondary Root Zone
Once you have the secondary zone created, wait for a few seconds for the DNS server to perform the zone transfer. The Root zone meanwhile will show as expired. If its taking a lot of time, do check the DNS server logs to see if there are any errors being logged.
After the secondary zone is synced, you will see all the root zone records. There are thousands of records and it may take a couple of seconds for the DNS panel to list all of them. Here is what you should see on the DNS panel:
Local Secondary Root Zone
Note: Having a locally configured Root zone will be always prefered over forwarders by the DNS server and thus any forwarders that are configured in Settings will be ignored.
If you have any queries do write in the comments section below or send an email to firstname.lastname@example.org.