Windows Server 2008 DNS root hints are bugged – how to identify and fix

I recently had a problem at a customer where Windows Server 2008 DNS at times would not resolve requests for certain top level domains (among others .CN, .BR, .DK and .CO.UK). The customer would experience the problem every 12-48 hours and fix it by restarting the DNS Server service – not acceptable.

The problem is reproducible and is limited to Windows Server 2008 servers (all editions, including Small Business Server (SBS)) where the DNS server uses root hints for Internet name resolution.

After some investigation we found the cause of the problem to be a bug in the handling of DNS cache information: the Time To Live (TTL) on certain top level domains is incompatible with the minimum TTL allowed by Windows Server 2008 DNS. The cached records would expire but not be removed from the cache, so the DNS server could no longer use them, yet it would not fetch fresh information either, because the records were still present in the cache.

The solutions and workarounds we have identified are as follows:

  • Not using the server's own root hints, but instead forwarding all requests to the ISP's DNS servers with a forwarder, removed all problems.
  • On the affected DNS servers that use root hints, the following registry change fixes the problem:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    Key: MaxCacheTTL                    Type: DWORD(32bit)                Value: 0x2A300 (172800)
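The check-and-fix procedure above, as an added PowerShell example (not part of the original post). It assumes it is run in an elevated prompt on the affected DNS server, that the server answers on 127.0.0.1, and that nslookup.exe is available (it ships with Windows); the list of test TLDs is the one named in the post and the registry path and value are the ones given above.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session on the affected Windows Server 2008 DNS server (PowerShell 2.0 suffices).
$regPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$desiredTtl = 0x2A300   # 172800 seconds, the value from the workaround above

# 1. Identify: ask the local DNS server for the NS records of the TLDs named in
#    the post. A failing TLD produces no "nameserver =" line in nslookup's output.
$tlds = 'cn', 'br', 'dk', 'co.uk'
foreach ($tld in $tlds) {
    $out = & nslookup.exe -type=NS "$tld." 127.0.0.1 2>&1 | Out-String
    if ($out -match 'nameserver =') { "OK      $tld" } else { "FAILED  $tld" }
}

# 2. Read the current MaxCacheTTL; an absent value means the built-in default applies.
$current = (Get-ItemProperty -Path $regPath -Name MaxCacheTTL `
            -ErrorAction SilentlyContinue).MaxCacheTTL
if ($current -eq $null) { 'MaxCacheTTL not set (default in use)' }
else                    { "MaxCacheTTL = $current" }

# 3. Fix: write the DWORD value and restart the DNS Server service so it is read.
if ($current -ne $desiredTtl) {
    Set-ItemProperty -Path $regPath -Name MaxCacheTTL -Value $desiredTtl -Type DWord
    Restart-Service -Name DNS
    "MaxCacheTTL set to $desiredTtl; DNS Server service restarted"
}
```

Run the script once to record which TLDs fail, let it apply the value, and run it again after the restart; the first block should then report every TLD as OK. The resolution test queries 127.0.0.1 deliberately so that the result reflects this server's own cache rather than an upstream forwarder.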

We also found a Microsoft Knowledge Base article describing the issue and its solutions: http://support.microsoft.com/default.aspx/kb/968372
