When configuring DNS records in Windows Server 2016 (especially when using scopes and policies), you'll often encounter records with just an "@" symbol in the hostname field. This isn't a placeholder or wildcard - it has a very specific meaning in DNS configuration.
According to Microsoft's DNS documentation:
- `@` - Represents the zone origin (the domain name itself)
- `*` - Wildcard representing any hostname
- (blank) - Inherits the parent domain name
Consider a zone for "example.com":
Record Type | Hostname | Value | Purpose |
---|---|---|---|
A | @ | 192.168.1.1 | Points example.com to IP |
MX | @ | mail.example.com | Mail server for domain |
TXT | @ | "v=spf1..." | SPF record for domain |
When creating records programmatically:
```powershell
# Add an A record for the zone origin
Add-DnsServerResourceRecordA -ZoneName "example.com" -Name "@" -IPv4Address "192.168.1.1"

# Add MX record using the @ symbol
Add-DnsServerResourceRecordMX -ZoneName "example.com" -Name "@" -MailExchange "mail.example.com" -Preference 10
```
When working with DNS policies in Server 2016:
```powershell
# Create a zone scope
Add-DnsServerZoneScope -ZoneName "example.com" -Name "scope1"

# Add a record to the specific scope using @
Add-DnsServerResourceRecordA -ZoneName "example.com" -ZoneScope "scope1" -Name "@" -IPv4Address "10.0.0.1"
```
1. Don't confuse "@" with wildcards - they serve different purposes
2. "@" records don't inherit - they explicitly define the zone origin
3. In some interfaces, leaving the field blank may automatically convert to "@"
For large deployments:
```powershell
# Export all A records at the zone origin (@)
Get-DnsServerResourceRecord -ZoneName "example.com" -RRType "A" | Where-Object {$_.HostName -eq "@"} | Export-Csv -Path "origin_records.csv"
```
In DNS configuration, the "@" symbol serves as a placeholder that represents the zone origin (also called the root domain or apex domain). When you see "@" in the hostname field of a DNS record, it means the record applies directly to the domain name itself rather than a subdomain.
```
; Example DNS zone file
$ORIGIN example.com.
@    IN  SOA  ns1.example.com. admin.example.com. (
              2023081501 ; serial
              3600       ; refresh
              900        ; retry
              1209600    ; expire
              3600 )     ; minimum TTL
@    IN  NS   ns1.example.com.
@    IN  A    192.0.2.1
@    IN  MX   10 mail.example.com.
www  IN  A    192.0.2.2
```
In Windows Server 2016 DNS Manager (especially when using scopes and policies), "@" records typically appear for these common scenarios:
- Root domain A/AAAA records
- MX records for the base domain
- TXT records (like SPF or DMARC)
- DNSKEY records for DNSSEC
Here's how to create such records using PowerShell:
```powershell
# Add an A record for the root domain
Add-DnsServerResourceRecordA -ZoneName "example.com" -Name "@" -IPv4Address "192.0.2.1"

# Add an MX record
Add-DnsServerResourceRecordMX -ZoneName "example.com" -Preference 10 -Name "@" -MailExchange "mail.example.com"
```
While both "@" and "*" are special characters in DNS, they serve different purposes:
Character | Purpose | Scope |
---|---|---|
@ | References the zone origin | Only affects the root domain |
* | Wildcard matching | Matches any undefined subdomain |
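The table above, worked through as an added example (not code from the original page): a minimal Python parser for the zone file shown earlier, plus a simplified authoritative lookup showing that a wildcard never answers for the apex or for any other name that already exists. The `*` record, its address 192.0.2.99, and all function names are constructed for this illustration.

```python
import re

# Constructed sample: the page's zone file plus one wildcard record added for this demo.
ZONE_TEXT = """\
$ORIGIN example.com.
@    IN SOA ns1.example.com. admin.example.com. (
            2023081501 3600 900 1209600 3600 ) ; serial refresh retry expire minimum
@    IN NS  ns1.example.com.
@    IN A   192.0.2.1
@    IN MX  10 mail.example.com.
www  IN A   192.0.2.2
*    IN A   192.0.2.99
"""

def parse_zone(text):
    """Return {(owner_fqdn, rrtype): [rdata, ...]} with every owner made absolute."""
    text = re.sub(r";[^\n]*", "", text)  # strip comments (sample has no quoted ';')
    text = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), text)
    origin, records = None, {}
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "$ORIGIN":
            origin = fields[1].lower()
        elif fields:
            owner, rrtype, rdata = fields[0].lower(), fields[2], " ".join(fields[3:])
            if owner == "@":             # "@" is shorthand for the current origin
                fqdn = origin
            elif owner.endswith("."):    # already absolute
                fqdn = owner
            else:                        # relative name (including "*"): append origin
                fqdn = f"{owner}.{origin}"
            records.setdefault((fqdn, rrtype), []).append(rdata)
    return records

def name_exists(records, name):
    # A name exists if it, or any name below it, owns a record.
    return any(n == name or n.endswith("." + name) for n, _ in records)

def resolve(records, qname, qtype):
    """Simplified authoritative lookup: a wildcard answers only for non-existent names."""
    qname = qname.lower().rstrip(".") + "."
    if name_exists(records, qname):
        return records.get((qname, qtype), [])   # existing name: data or NODATA
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):          # walk up to the closest existing ancestor
        encloser = ".".join(labels[i:])
        if name_exists(records, encloser):
            return records.get(("*." + encloser, qtype), [])
    return []
```

Note that `mail.example.com`, which appears only as the MX target and owns no record in this sample, is answered by the wildcard; that is worth checking for when auditing a zone that contains `*`.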
When working with "@" records in Windows DNS:
- The "@" symbol automatically resolves to the zone name in the DNS Manager UI
- In zone files, it's equivalent to leaving the hostname field blank
- For PowerShell operations, you must explicitly use "@" as the -Name parameter
Here's an example of querying these records:
```powershell
# Query all root domain records
Get-DnsServerResourceRecord -ZoneName "example.com" -Name "@"

# Specific record type query
Get-DnsServerResourceRecord -ZoneName "example.com" -Name "@" -RRType "A"
```
In Windows Server 2016+ DNS Policy configurations, you might need special handling for "@" records when implementing:
- Traffic management policies
- Split-brain DNS configurations
- Geo-location based resolution
Example policy affecting the root domain:
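```powershell
# The FQDN criterion matches the query name, so the apex is "example.com", not "@.example.com"; a zone-level ALLOW policy also needs -ZoneName and -ZoneScope (scope1 from earlier, weight 1)
Add-DnsServerQueryResolutionPolicy -Name "PrimaryDC" -Action ALLOW -ServerInterfaceIP "EQ,10.0.0.1" -FQDN "EQ,example.com" -ZoneName "example.com" -ZoneScope "scope1,1"
```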