02-11-2026 12:21 PM
Hi, i'm observing in the fw logs massive requests from company dns servers to root servers (53 udp).
These servers are generally named *.root-servers.net.
I know that our Dns are configured to interrogate our provider DNS.
Do i need to allow communication to root servers?
How to securely address the policy rule as i cannot allow all dns query (to avoid dns spoofing)?
02-11-2026 08:18 PM
Hi @R.Colella615280 ,
Is your internal DNS set to forward all queries to the provider DNS? If so, then Id imagine you shouldn't see so many requests contacting root servers directly from your internal... I would verify how DNS is setup internally in your environment (review forwarders/conditional forwarding/recursion). If your DNS servers are performing recursive lookups themselves, then querying root servers is typical.
What to do with the traffic you see directly to root servers depends entirely on your orgs intended DNS design. If the intent was the environment should only use provider DNS, then root queries should not occur at all.
As far as how to handle DNS, from a high-level:
- only specify your internal DNS servers as a source
- destination is set to only approved upstream DNS servers or Root servers
- Block all other outbound DNS from internal networks
- specify the dns app and service being app-default
- Attach an anti-spyware profile w/ DNS Security enabled to inspect and protect DNS traffic.
Hope this helps!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
