The strange case of the “stealthy DNS“ server

So there I was.. at a trade show.. stuck with a question that at first glance appeared to have been custom-made by my dear friends in the linux world.  “Does Microsoft DNS support the concept of Stealth DNS server?”

What exactly is a stealth DNS server?  In days of old the concept was deceptively simple:

It is a DNS server that is authoritative for a zone but is not listed in that zone’s NS records.

On a Microsoft Windows DNS server, we can simulate a stealth DNS by creating a standard primary zone, disabling dynamic updates and deleting any local NS records.

However this does not work with AD-integrated zones.

When an AD-integrated zone is set up – the SOA record will be created, pointing to the FQDN of the server hosting that zone. It will also setup a corresponding NS record pointing to itself – even if dynamic updates are disabled.

Since DC/DNS servers hosting the same AD-integrated zone are multi-master for that zone – each DC/DNS server will have a unique SOA record and corresponding NS record for itself. This will result in all the NS records of the actual FQDN for these machines registered in the AD-integrated zone, in addition to any other manually-entered NS records.

This breaks any attempt at stealth nameservers because when an external secondary DNS server pulls a copy of the zone it pulls in all NS records including those with the FQDNs of the DC/DNS servers SOA for that zone.

One way to simulate a stealth DNS server using Microsoft DNS AD-integrated zones is to prevent the autocreation of NS records:

For the NS Record:




Restart Netlogon service and the DNS server service after making these changes.

More information to restrict NS resource record registration can be found here: