4

Both in my lab testing and on a real installation I saw that, after a dcpromo (done via "Server Manager" on Windows 2016), a loopback IPv6 address is automatically added on the interface DNS settings (i.e. ::1 as primary and sole DNS).

This IPv6 DNS address even takes precedence over anything configured in the IPv4 DNS panel. This is confirmed both by ipconfig /all (which lists the IPv6 ::1 address as the first one) and by nslookup (which asks the ::1 server to resolve).

It is my understanding that, when having multiple domain controllers, it is never advised to use the loopback address as the primary DNS address.

So, my question is: is it correct to remove the IPv6 DNS loopback address from the interface DNS settings?

shodanshok
  • 50,565
  • Is this the only domain controller? – Michael Hampton Apr 09 '18 at 17:22
  • No, I have two DCs – shodanshok Apr 10 '18 at 05:12
  • That's strange. Have an upvote. Did it happen on both DCs, then? Or the first one? Or the second one? – Michael Hampton Apr 10 '18 at 15:37
  • It happened on both DCs. I also tried installing two new Win2016 servers in my lab and, after promotion, both had ::1 as their IPv6 DNS – shodanshok Apr 10 '18 at 16:35
  • Can you show me where you found such a claim... "It is my understanding that, when having multiple domain controllers, it is never advised to use the loopback address as the primary DNS address." is incorrect, localhost is absolutely fine. Hell, most Linux systems run dnsmasq or unbound and the operating systems point to 127.0.1.1 – Jacob Evans Apr 11 '18 at 04:13
  • For domain controllers, having the loopback address as the primary DNS is discouraged. Have a look here and here – shodanshok Apr 11 '18 at 14:58

2 Answers

2

When a server is promoted to Domain Controller (and it's also running a DNS server, which is the standard setup), it will automatically configure itself as its DNS server, both in IPv4 and IPv6; for IPv4 it will use 127.0.0.1, for IPv6 it will use ::1. This will always happen automatically upon DC promotion of your first Domain Controller.

From the second DC onwards, the server will need to be able to talk with the existing domain, so you will need to configure it to use an already-existing DC as its DNS server; after promotion, the server will still add localhost to its list of DNS servers, but it will honour the existing IPv4 settings and add 127.0.0.1 at the end of the list.

The gotcha is with IPv6, which more often than not will not have a configured DNS server: in this case, adding ::1 to the list will make it the one and only IPv6 DNS server; and this will take precedence over IPv4.

Bottom line: unless you are actually using IPv6 DNS, you should always remove ::1 from the list of IPv6 DNS servers on your DCs.

Regarding IPv4: if you have more than one Domain Controller (which you really should), it's recommended that each DC uses a different one as its primary DNS server, and itself as the secondary one; this will achieve two results:

  • It will greatly decrease server startup time (because DNS depends on Active Directory, which depends on DNS, which depends on AD, and so on... starting up a DC from scratch can take a very long time if it tries to use itself as its DNS server).
  • It will avoid the so-called "island" problem, where a DC using itself as its DNS server can not get up-to-date information about AD topology changes.
Massimo
  • 71,269
  • Thanks for your answer, which I upvoted. It clearly describes and explains the core issue. However, when removing ::1 without inserting another IPv6 address, Windows simply reverts to using DHCP for IPv6 DNS. It seems wrong to me, as a rogue/malicious IPv6 DHCP server can then cause very serious issues. Disabling IPv6 from the network interface panel seems the safer bet, but I feel somewhat uneasy doing that. Any suggestion? – shodanshok Mar 24 '24 at 18:18
  • It's not recommended to disable IPv6 in Windows systems; and, if you really want to go down that way, unchecking the protocol from the NIC settings is not the right way to do it; see here: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows. – Massimo Mar 25 '24 at 06:52
  • I agree that totally disabling IPv6 seems excessive, and I don't much like the idea of disabling it for a specific interface either. Hence I am surprised that (at least from the GUI) it is not possible to remove the IPv6 DNS address without re-activating the DHCP-assigned one. Thanks for the link, I will do some tests with PreferIpv4. – shodanshok Mar 25 '24 at 12:47
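The two checks the answer above boils down to (is ::1 the sole IPv6 DNS server, and is the DC using itself as its *primary* IPv4 server) can be audited from PowerShell before anyone touches the NIC settings. The script below is an added example, not code from the thread or from Microsoft; it uses only the built-in DnsClient and NetTCPIP cmdlets (Get-NetAdapter, Get-NetIPAddress, Get-DnsClientServerAddress, Set-DnsClientServerAddress). The interface alias and the partner DC address in the usage lines are placeholders, not values from the thread. The audit function is read-only; the second function only writes the IPv4 layout the answer recommends (another DC first, this DC second) and deliberately leaves the IPv6 question alone, since the comments above show that decision depends on the environment.

```powershell
# Added example: audit a domain controller's DNS client settings against the
# points made in the answer above. Run in an elevated PowerShell on the DC.
function Get-DcDnsClientFindings {
    [CmdletBinding()]
    param(
        # Optional: restrict the audit to these adapters (default: all adapters that are Up).
        [string[]]$InterfaceAlias
    )

    $adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
    if ($InterfaceAlias) {
        $adapters = $adapters | Where-Object InterfaceAlias -in $InterfaceAlias
    }

    foreach ($nic in $adapters) {
        $idx = $nic.InterfaceIndex

        # Every IPv4 address this host owns on the adapter, so that "itself" covers
        # both 127.0.0.1 and the DC's own routable address.
        $ownV4 = @((Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv4 -ErrorAction SilentlyContinue).IPAddress)
        $v4 = @((Get-DnsClientServerAddress -InterfaceIndex $idx -AddressFamily IPv4).ServerAddresses)
        $v6 = @((Get-DnsClientServerAddress -InterfaceIndex $idx -AddressFamily IPv6).ServerAddresses)

        # Finding 1: ::1 is the one and only IPv6 server. Windows prefers IPv6 DNS
        # servers, so every lookup goes to the local service and no other DC is consulted.
        if ($v6.Count -eq 1 -and $v6[0] -eq '::1') {
            [pscustomobject]@{
                Interface = $nic.InterfaceAlias; Family = 'IPv6'; Servers = ($v6 -join ', ')
                Finding   = '::1 is the only IPv6 DNS server; it overrides the IPv4 list'
            }
        }

        # Finding 2: the primary IPv4 server is the DC itself (loopback or its own address).
        if ($v4.Count -ge 1 -and ($v4[0] -eq '127.0.0.1' -or $ownV4 -contains $v4[0])) {
            [pscustomobject]@{
                Interface = $nic.InterfaceAlias; Family = 'IPv4'; Servers = ($v4 -join ', ')
                Finding   = 'DC uses itself as primary IPv4 DNS server (slow startup, "island" risk)'
            }
        }

        # Finding 3: no secondary IPv4 server, so there is no partner DC to fall back to.
        if ($v4.Count -lt 2) {
            [pscustomobject]@{
                Interface = $nic.InterfaceAlias; Family = 'IPv4'; Servers = ($v4 -join ', ')
                Finding   = 'Fewer than two IPv4 DNS servers configured'
            }
        }
    }
}

# Apply the IPv4 layout recommended in the answer: partner DC first, this DC second.
# Supports -WhatIf so the change can be previewed before it is made.
function Set-DcDnsClientIPv4Layout {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$InterfaceAlias,
        # IPv4 address of ANOTHER domain controller (placeholder; supply your own).
        [Parameter(Mandatory)][string]$PartnerDcIPv4,
        # How this DC refers to itself as the secondary server.
        [string]$SelfIPv4 = '127.0.0.1'
    )

    $target = "IPv4 DNS servers = $PartnerDcIPv4, $SelfIPv4"
    if ($PSCmdlet.ShouldProcess($InterfaceAlias, $target)) {
        # Only IPv4 addresses are passed, so only the IPv4 list is meant to change;
        # re-run Get-DcDnsClientFindings afterwards to confirm both families.
        Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses @($PartnerDcIPv4, $SelfIPv4)
    }
}

# Usage (placeholder alias and address):
#   Get-DcDnsClientFindings | Format-Table -AutoSize
#   Set-DcDnsClientIPv4Layout -InterfaceAlias 'Ethernet' -PartnerDcIPv4 '192.0.2.10' -WhatIf
```

Running the audit on a freshly promoted second DC, as the question describes it, is expected to produce finding 1 (::1 alone in the IPv6 list) and, if the promotion appended 127.0.0.1 after an existing partner entry as the answer says, no finding 2. Re-run it after any change and again after a reboot, since the comments above note that removing ::1 can silently switch the IPv6 list back to DHCP.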
0

Very old, but never got answered and thought it might help.

Agree, IPv6 as primary DNS is a no-no.

Agree, loopback as primary is a no-no.

Agree, IPv6 ::1 wedges itself into pole position after promoting to a DC.

Changing IPv6 DNS to "Obtain DNS server address automatically" is a safe bet. Or the reg key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters if you have to.

It's wise to keep your IPv6 NIC running and not just remove it/disable it. There is likely v6 traffic in the environment that you don't know about. Run Wireshark and filter by IPv6. Over half an hour you'll probably see something.

And who knows, maybe by year 3084 IPv6 will be a thing and you'll save yourself an extra change.

  • Always worth using Windows Server BPA to pick up on these things that try to slip through the cracks.
Monro
  • 1