An internal root DNS server has no root hints and neither forwards nor resolves any names beyond the zones it hosts. This behavior is by design: because the server never sends queries to the Internet, it is not exposed to an Internet attack. You must still have a firewall in place to protect the root DNS server from direct connections.
Depending on your network configuration, you may want the internal root DNS server to provide name resolution for all Internet top-level domains (.net, .com, .edu, and so on) while you still protect it from any outside exposure. To do so, delegate all the Internet top-level domains in the root zone on the internal root DNS server. DNS servers lower in your organization's hierarchy can then send iterative queries for top-level domains to your root DNS servers and follow the referrals they return.
NOTE: Network Solutions provides aggregated .com, .org, and .net top-level domain zone files (including the checksum files); their use is subject to the restrictions described in the Access Agreement with Network Solutions. You use this file to build the delegated top-level domains.
To delegate all Internet top-level domains:
- Extract the root.zone file from the root.zone.gz file at the following location, and then copy root.zone to the %SystemRoot%\System32\DNS folder:
  ftp://ftp.rs.internic.net/domain
- Rename the file "Cache.dns".
  If you have a Cache.dns file already in the DNS folder, move it to a safe backup location in case you have to retrieve it at a later date.
- Create a new .(root) zone on the DNS server:
  - In the DNS snap-in, right-click Forward lookup zones, and then click New Zone.
  - When the New Zone Wizard starts, click Next.
  - Click Primary, click to clear Store the zone in Active Directory, and then click Next.
  - In the Name box, type a dot (.), and then click Next.
  - Click Use this existing file, type cache.dns, and then click Next.
  - Click Do not allow dynamic updates (default), click Next, and then click Finish.
After you complete this procedure, the root zone is created with
all Internet top-level domains delegated below it.
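The same procedure scripted for an unattended build, as an added example that is not part of the original article. It uses the DnsServer PowerShell module (Windows Server 2012 and later) in place of the DNS snap-in and .NET's GZipStream in place of a separate gunzip tool. The download location under the user's Downloads folder and the backup location under %TEMP% are assumptions; the zone name, file name, non-AD-integrated zone type and disabled dynamic updates match the wizard steps above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): build the internal root zone "." from a
# downloaded root.zone.gz, then verify the server ended up in the expected state.

$DnsDir   = Join-Path $env:SystemRoot 'System32\DNS'
$Download = Join-Path $env:USERPROFILE 'Downloads\root.zone.gz'   # assumed download path
$CacheDns = Join-Path $DnsDir 'Cache.dns'
$RootZone = Join-Path $env:TEMP 'root.zone'                       # assumed scratch path

# Step 1: extract root.zone from root.zone.gz using .NET, no third-party tool needed.
function Expand-GZipFile {
    param([string]$Source, [string]$Destination)
    $in  = [System.IO.File]::OpenRead($Source)
    $gz  = New-Object System.IO.Compression.GZipStream(
               $in, [System.IO.Compression.CompressionMode]::Decompress)
    $out = [System.IO.File]::Create($Destination)
    try     { $gz.CopyTo($out) }
    finally { $out.Dispose(); $gz.Dispose(); $in.Dispose() }
}
Expand-GZipFile -Source $Download -Destination $RootZone

# Step 2: keep the existing Cache.dns (the root hints file) so it can be restored later.
if (Test-Path $CacheDns) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item $CacheDns (Join-Path $env:TEMP "Cache.dns.$stamp.bak") -Force
}

# Step 3: the article renames root.zone to Cache.dns in the DNS folder.
Copy-Item $RootZone $CacheDns -Force

# Step 4: create a file-backed (not AD-integrated) primary zone named "." that loads
# the existing file, with dynamic updates disabled; these are the wizard's choices.
Add-DnsServerPrimaryZone -Name '.' -ZoneFile 'Cache.dns' -LoadExisting -DynamicUpdate None

# Step 5: verify the result.
# 5a: the zone exists, is file-backed and refuses dynamic updates.
Get-DnsServerZone -Name '.' |
    Format-List ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate, ZoneFile

# 5b: an internal root must not forward; a forwarder would leak internal queries.
$fwd = (Get-DnsServerForwarder).IPAddress
if ($fwd) { Write-Warning "Forwarders still configured ($($fwd -join ', ')); remove them." }

# 5c: the delegations were loaded: each TLD should have NS records in the "." zone.
foreach ($tld in 'com', 'net', 'edu') {
    $ns = Get-DnsServerResourceRecord -ZoneName '.' -Name $tld -RRType NS -ErrorAction SilentlyContinue
    if ($ns) {
        "$tld delegated to: " + (($ns.RecordData.NameServer) -join ', ')
    } else {
        Write-Warning "No NS delegation found for .$tld in the root zone."
    }
}
```

Once the "." zone is loaded, the server is authoritative for the root and ignores root hints, so the Root Hints tab is no longer relevant; the forwarder check is the one that matters. The zone file is a point-in-time snapshot, and top-level delegations change, so plan to re-download root.zone.gz and reload the zone on a schedule, or down-level servers will eventually be referred to name servers that no longer exist.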