Windows Server 2008 DNS Block Feature
Windows Server 2008 introduces a DNS block feature that may affect the ISA Server automatic discovery mechanism when implementing WPAD using a Windows Server 2008 DNS Server.
The block feature provides a global query block list to reduce vulnerability associated with dynamic DNS updates. Dynamic update makes it possible for DNS client computers to register and dynamically update their resource records with a DNS server whenever a client changes its network address or host name. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use DHCP to obtain an IP address. This convenience comes at a cost, however, because an authorized client can register any unused host name, even a host name that might have special significance for certain applications. This can allow a malicious user to "hijack" a special name and divert certain types of network traffic to that user's computer. WPAD is a commonly deployed protocol vulnerable to this type of hijacking, and by default WPAD look up is disabled by the blocking mechanism.
If you want to use WPAD with a Windows Server 2008 DNS, note the following behavior:
- If WPAD entries are configured in DNS before the DNS server is upgraded to Windows Server 2008, no action is required.
- If you configure or remove WPAD after you deploy the DNS server role on a server running Windows Server 2008, you must update the block list on all DNS servers that host the zones affected by the change. The affected zones are those where you registered the WPAD servers.
To update the block list, use the dnscmd command-line tool. Open a command line prompt, and do the following:
- To check whether the global query block is enabled, type:
- dnscmd /info /enableglobalqueryblocklist. A value of 1 is returned if the block list is enabled.
- To display the host names in the current block list, type:
- dnscmd /info /globalqueryblocklist
- To disable the block list and ensure that the DNS Server service does not ignore queries for names in the block list, type:
- dnscmd /config /enableglobalqueryblocklist 0
- To remove all names from the block list, type:
- dnscmd /config /globalqueryblocklist
For more information about the DNS block list feature and dnscmd commands, download the article "DNS Server Global Query Block List" from TechNet at http://technet.microsoft.com/en-us/network/bb629410.aspx.
Rayne Wiselman
ISA Server User Education Team
