Is it possible to create your own root DNS server?

Solution 1:

DNS by design does not enable having an authoritative copy of all zones, as it utilizes a hierarchical naming system.

The root servers are authoritative for identifying the server responsible for the Top Level Domain (TLD) in question. For example, resolving will first query a root server to identify the authoritative nameserver for .net. The .net nameserver will identify the authoritative nameserver for, which will then return the record for

You cannot download a copy of all zones. However, you can run a local caching nameserver. The caching nameserver will provide a local copy of all records resolved, which expire using the Time To Live (TTL) specified for the record. Please keep in mind that my explanation is a simplistic description of the DNS protocol, which can be explored in detail by reading definitions in the Request For Comments.

While NXDOMAIN hijacking can be avoided by running a local cache, keep in mind that all DNS resolution traffic will still be transmitted via your Internet connection unencrypted. Your ISP could potentially monitor that traffic and still see the communication. The contracts you have with your ISP as well as your local laws are going to be your definitive means for establishing how your communications are treated. Your ISP's contracts will include the Terms of Service, Privacy Policies and any additional contracts that you may have with your ISP.

Using encrypted protocols is one of the best methods for insuring your data against eavesdropping during transit. However, even that has no guarantee of anonymity. There are additional protocols out there such as Tor and Freenet, which attempt to introduce anonymity to the Internet, as it was never designed to be truly anonymous.

Solution 2:

A few things:

If you configure your server to use the root hints instead of using forwarders, then you don't have to worry about MITM issues (at least from ISPs and DNS hijackers). For all external DNS resolution your server would query the root hints, which would refer you to the gTLD servers for the top level domain in question (.com, etc.), which would then refer you to the NS servers for the domain in question.

If you really want to create your own root server you certainly can, although I don't see how it would do you much good. Here's how you do it on a Windows DNS server:

1. Download the DNS root zone file and save it as root.dns in the %systemroot%\system32\dns directory on your Windows DNS server.
2. Use the DNS zone creation wizard to create a new primary forward lookup zone named "." (without the quotes).
3. Deselect the option to create an AD integrated zone.
4. Type "." for the zone name (without the quotes).
5. Select the option to use an existing file; the zone file name field will automatically be populated with the name root.dns (if it isn't, type it in).
6. Leave the option to not allow dynamic updates as is.
7. Click the finish button after you've cycled through each step of the wizard.

You now have a root server with zones and zone records for all of the gTLD servers.

Note that this will disable the forwarding and root hints options on the server (since your server is now a root server) and also note that if the gTLD information changes, there's no way for your server to get notice of those changes.
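The caveat above, that a server holding a static copy of the root zone never learns of delegation changes, can be checked by diffing the loaded root.dns against a newer copy of the root zone file. This is an added example, not part of the original answer: both zone excerpts are constructed, the function names are hypothetical, and it assumes one fully written-out record per line (owner, TTL, class, type, rdata).

```python
from collections import defaultdict

# Constructed excerpts in master-file form; registry host names and addresses are made up.
LOCAL_ROOT = """\
.    86400  IN SOA a.root.example. hostmaster.root.example. 2024010100 1800 900 604800 86400
com. 172800 IN NS  ns1.com-registry.example.
com. 172800 IN NS  ns2.com-registry.example.
net. 172800 IN NS  ns1.net-registry.example.
ns1.com-registry.example. 172800 IN A 192.0.2.1
ns2.com-registry.example. 172800 IN A 192.0.2.2
ns1.net-registry.example. 172800 IN A 198.51.100.1
"""
FRESH_ROOT = """\
.    86400  IN SOA a.root.example. hostmaster.root.example. 2024060100 1800 900 604800 86400
com. 172800 IN NS  ns1.com-registry.example.
com. 172800 IN NS  ns3.com-registry.example.
net. 172800 IN NS  ns1.net-registry.example.
ns1.com-registry.example. 172800 IN A 192.0.2.1
ns3.com-registry.example. 172800 IN A 192.0.2.3
ns1.net-registry.example. 172800 IN A 198.51.100.53
"""

def parse_root_zone(text):
    """Return (SOA serial, {tld: NS host names}, {host: glue addresses})."""
    serial, ns, glue = None, defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop comments, split on whitespace
        if len(fields) < 5:                         # blank or incomplete line
            continue
        owner, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4:]
        if rtype == "SOA" and owner == ".":
            serial = int(rdata[2])                  # rdata: mname rname serial ...
        elif rtype == "NS" and owner != ".":
            ns[owner].add(rdata[0].lower())         # delegation to a TLD name server
        elif rtype in ("A", "AAAA"):
            glue[owner].add(rdata[0].lower())       # address of a name server
    return serial, dict(ns), dict(glue)

def stale_delegations(local_text, fresh_text):
    """List TLDs whose NS set or glue differs between the served copy and a newer one."""
    l_serial, l_ns, l_glue = parse_root_zone(local_text)
    f_serial, f_ns, f_glue = parse_root_zone(fresh_text)
    changed = {}
    for tld in sorted(set(l_ns) | set(f_ns)):
        old, new = l_ns.get(tld, set()), f_ns.get(tld, set())
        moved = sorted(h for h in old & new if l_glue.get(h) != f_glue.get(h))
        if old != new or moved:
            changed[tld] = {"ns_removed": sorted(old - new),
                            "ns_added": sorted(new - old), "glue_changed": moved}
    return {"local_serial": l_serial, "fresh_serial": f_serial, "changed": changed}
```

Any TLD listed under "changed" is one the static root zone would keep referring clients to with outdated name servers or addresses until root.dns is replaced.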