Watch Out for the Windows Server 2008 DNS Query Block List
If you use Wpad for browser autodiscovery or ISATAP routers, you might find that you're having troubles resolving the name WPAD or ISATAP on your network. You might have configured a manual DNS entry for reach of these names, but no matter what you do, you can't seem to get clients to resolve those names correctly against your Windows Server 2008 DNS server. What's up with that?
The problem is that Windows Server 2008 introduces a new feature, called the DNS Server Global Query Block list. This is a list of names that when queries are made for to the Windows Server 2008 DNS server, the DNS server will not resolve and will return to the client that there is no record for that host, even if there is a record.
The reasons why Microsoft decided to do this was to prevent potentially malicious clients from registering these names in the dynamic DNS. For example, a user could bring up a computer with the name wpad and that name would be registered in the DNS. Then when users who have their browsers configured to use autodiscovery start their browsers, they will resolve the name wpad to the IP address of the computer that registered the name wpad, and the browsers will use that IP address as its proxy server. If you have a malicious user doing this, the attacker could redirect the browse to obtain wpad information that includes malicious code. Not good.
That same is true for ISATAP clients seeking the name of an IPv6 ISATAP router.
Note that this only happens if wpad or isatap entries have not already been deployed on your network. For example, if you upgrade a Windows Server 2003 computer that had a DNS server installed and already had a wpad entry in it, the upgraded machine will not place wpad on the block list. Same for isatap. Also, if the DNS server is a secondary, or part of an AD-integrated DNS, then the wpad entry will not be removed when the DNS records replicate to the new Windows Server 2008 DNS server.
While wpad and isatap are the only two names included in the block list by default, you do have the option to add more names to the Global Queries Block List. You also have the option to remove either or both wpad or isatap from the block list. You use the Windows Server 2008 dnscmd command to make these changes.
For more information on the Windows Server 2008 DNS Query Block List, check out:
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP - Microsoft Firewalls (ISA)