So there I was... at a trade show... stuck with a question that at first glance appeared to have been custom-made by my dear friends in the Linux world. “Does Microsoft DNS support the concept of a stealth DNS server?”
What exactly is a stealth DNS server? In days of old the concept was deceptively simple:
It is a DNS server that is authoritative for a zone but is not listed in that zone’s NS records.
On a Microsoft Windows DNS server, we can simulate a stealth DNS by creating a standard primary zone, disabling dynamic updates and deleting any local NS records.
However, this does not work with AD-integrated zones.
When an AD-integrated zone is set up, the SOA record is created pointing to the FQDN of the server hosting that zone. The server also sets up a corresponding NS record pointing to itself, even if dynamic updates are disabled.
Since the DC/DNS servers hosting the same AD-integrated zone are multi-master for that zone, each DC/DNS server has its own SOA record and a corresponding NS record for itself. As a result, NS records carrying the actual FQDNs of all these machines end up registered in the AD-integrated zone, in addition to any manually entered NS records.
This breaks any attempt at stealth nameservers, because when an external secondary DNS server pulls a copy of the zone, it pulls in all NS records, including those carrying the FQDNs of the DC/DNS servers named in their SOA records for that zone.
One way to simulate a stealth DNS server with Microsoft DNS AD-integrated zones is to prevent the automatic creation of NS records:
For the NS Record:
Restart the Netlogon service and the DNS Server service after making these changes.
More information on restricting NS resource record registration can be found here:
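To verify that the change actually took effect, the following PowerShell script (an added example, not from the original post) lists the apex NS records of an AD-integrated zone and flags any that still name a domain controller in the domain. It assumes the DnsServer and ActiveDirectory RSAT modules are installed and that it runs with rights to read the zone and query AD; the zone name and DNS server name are parameters you supply.

```powershell
# Added example (not from the original post): report whether an AD-integrated
# zone still advertises the DC/DNS servers hosting it in its apex NS records.
# Assumes the DnsServer and ActiveDirectory modules are available and the
# caller can read the zone and query Active Directory.
param(
    [Parameter(Mandatory)] [string] $ZoneName,
    [string] $DnsServer = $env:COMPUTERNAME
)
Import-Module DnsServer, ActiveDirectory -ErrorAction Stop

# Normalise a host name to lower-case with a single trailing dot so that
# AD host names and NS record data compare cleanly.
function ConvertTo-CanonicalName([string] $Name) {
    return ($Name.TrimEnd('.') + '.').ToLower()
}

# FQDNs of every domain controller in the current domain.
$dcNames = Get-ADDomainController -Filter * |
    ForEach-Object { ConvertTo-CanonicalName $_.HostName }

# Apex NS records only: HostName '@' is the zone root.
$apexNs = Get-DnsServerResourceRecord -ComputerName $DnsServer `
    -ZoneName $ZoneName -RRType NS |
    Where-Object { $_.HostName -eq '@' }

$report = foreach ($rr in $apexNs) {
    $ns = ConvertTo-CanonicalName $rr.RecordData.NameServer
    [pscustomobject]@{
        Zone       = $ZoneName
        NameServer = $ns
        # True when this NS record would expose a DC/DNS host to a
        # secondary that pulls the zone.
        LeaksDC    = ($dcNames -contains $ns)
    }
}

$report | Format-Table -AutoSize
if ($report | Where-Object LeaksDC) {
    Write-Warning "Zone $ZoneName still lists DC/DNS hosts in its NS records; they are not stealth."
} else {
    Write-Host "Zone $ZoneName exposes no DC/DNS hosts in its apex NS records."
}
```

Run it against the zone after restarting the services; any row with LeaksDC set to True is an NS record a secondary would pick up on the next zone transfer.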