Watch Out for the Windows Server 2008 DNS Block List

I was recently helping out a client with setting up a new ISA firewall into a Windows Server 2008 domain. Things were going smoothly except for WPAD. We had configured a wpad entry on this client’s DNS server and configured the Web Proxy clients to autodetect their configuration settings. The problem was that the clients were not getting their settings from the ISA firewall.

My first thought was that perhaps there was something wrong with the clients and they weren’t getting the wpad information from the ISA firewall. So we set up a DHCP server with a WPAD entry and tested the clients with that. It worked. So apparently there was nothing wrong with the clients. I then used NetMon 3 to check if the wpad DNS queries were going to the DNS server (I should have done this first instead of messing around with DHCP servers.). The packet trace showed that the DNS queries were going to the DNS server, but the DNS server indicated that it had no records for that

We knew that there was a record for WPAD in the DNS server because we created it and saw it there. We even restarted the DNS service. Then bam! It occurred to me — this is a Windows Server 2008 DNS server. Windows Server 2008 DNS servers have a default block list that prevents them from responding to queries for ISATAP and WPAD. You have to configure the Windows Server 2008 DNS server to answer these queries using the dnscmd command line tool.

We got this fixed and the DNS queries for WPAD started working again.
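For readers who hit the same thing, here is an added example (not from the original post) of inspecting and trimming the Windows Server 2008 DNS global query block list with dnscmd so the server answers for wpad while ISATAP stays blocked; the list exists so that an ordinary domain member cannot register its own wpad or isatap name through dynamic update, so the admin-created wpad record should be in place before the name is unblocked. It assumes an elevated PowerShell prompt on the DNS server itself and uses "corp.example" as a placeholder zone name.

```powershell
# Added example, not part of the original post: adjust the Windows Server 2008
# DNS global query block list with dnscmd. Run elevated on the DNS server.
# "corp.example" is a placeholder; substitute the zone that holds the wpad record.
$zone = "corp.example"

# 1. Show the current block list. A default 2008 install lists "isatap" and
#    "wpad", which is why wpad queries came back empty although the record existed.
dnscmd /info /globalqueryblocklist

# 2. Confirm the wpad host record already exists in the zone and was created by
#    an administrator. Unblocking the name without a controlled record in place
#    would let any host able to do dynamic updates register wpad itself.
dnscmd /enumrecords $zone wpad

# 3. Set the list to "isatap" only. The command replaces the whole list rather
#    than appending, so this removes wpad and keeps ISATAP blocked.
dnscmd /config /globalqueryblocklist isatap

# 4. Restart the DNS Server service so the new setting is certainly in effect,
#    then re-read the list to confirm wpad is gone.
Restart-Service DNS
dnscmd /info /globalqueryblocklist

# 5. Verify against the server: the wpad name should now resolve.
nslookup "wpad.$zone" localhost
```

If ISATAP is also in use, pass both names to step 3 as needed; leaving the list empty with `dnscmd /config /globalqueryblocklist` alone removes all blocking, which is rarely what you want.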

Just another day in the life of an ISA firewall consultant who isn’t used to all the new features in Windows Server 2008 🙂

For more information on this, check out:



Thomas W Shinder, M.D.

Email: [email protected]
MVP — Microsoft Firewalls (ISA)

