Configure the Global Query Block List

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

The block list feature was introduced with the DNS server role in Windows Server® 2008, and helps prevent accidental or malicious registration of host names that can affect critical applications on your network. For a detailed description of the global query block list, see Windows Server 2008 Technical Overviews (https://go.microsoft.com/fwlink/?LinkId=165900) and Managing the Global Query Block List (https://go.microsoft.com/fwlink/?LinkId=165768).

Use the following procedures to view or modify the global query block list on a DNS server.

Important

All DNS servers that are authoritative for a zone must be configured with the same block list to ensure consistent results. The block list is a per-server setting and is not replicated between servers. By default, the block list contains entries for wpad and isatap.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To enable or disable the global query block list

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd [<ServerName>] /config /enableglobalqueryblocklist 0|1
    
Value Description

dnscmd

The command-line tool for managing DNS servers.

<ServerName>

Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.) or omit the host name.

/config

Required. Modifies the configuration of the DNS server.

/enableglobalqueryblocklist

Required. Specifies that the command enables or disables the global query block list.

0|1

Specifies whether to enable or disable the global query block list. To have the DNS Server service ignore queries for the names in the block list, set the value to 1. To disable the global query block list, set the value to 0.

To view the global query block list

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd [<ServerName>] /info /globalqueryblocklist
    
Value Description

dnscmd

The command-line tool for managing DNS servers.

<ServerName>

Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.) or omit the host name.

/info

Required. Specifies that the command is to return information only.

/globalqueryblocklist

Required. Specifies that the command applies to the global query block list.

To update the global query block list

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd [<ServerName>] /config /globalqueryblocklist [<name> [<name>]...]
    
Value Description

dnscmd

The command-line tool for managing DNS servers.

<ServerName>

Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.) or omit the host name.

/config

Required. Modifies the configuration of the DNS server.

/globalqueryblocklist

Required. Specifies that the command applies to the global query block list.

<name>

Specifies the host names that are to be inserted into the global query block list. Separate multiple names with blank spaces.

Important

The command replaces all names in the list with the names you specify. Therefore, to add a name to the list you must also include all existing names in the list. If you do not specify a name, all names are removed from the global query block list.

Additional considerations

  • To determine whether the global query block list is enabled, type the following command at a command prompt:

    dnscmd <ServerName> /info /enableglobalqueryblocklist
    

    If the command returns a value of 1, the global query block list is enabled. If the command returns a value of 0, the global query block list is not enabled.
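The two points above that most often go wrong in practice are that /config /globalqueryblocklist replaces the entire list (so an "add" must re-specify every existing name, and an empty argument clears the list) and that the setting is per server, so authoritative servers drift apart unless someone compares them. The following Python script is an added example, not part of the Microsoft page: it parses the output of the /info commands shown above, builds the merge-safe argument list for the update command, and reports servers whose list lacks names present on their peers. The sample outputs (the "Query result:" / "String:  <name>" / "Dword:  1" layout), the server names and the name being added are constructed for the example; the exact output layout of dnscmd is an assumption, so check it against your server before relying on the parser. On a live server you would run the returned argument list with dnscmd from an elevated prompt.

```python
"""Merge-safe maintenance of the dnscmd global query block list (added example)."""
from typing import Dict, List

# Constructed sample output, modelled on what "dnscmd <ServerName> /info
# /globalqueryblocklist" prints. The "String:  <name>" layout is an assumption.
SAMPLE_LIST_OUTPUT = """Query result:
String:  wpad
String:  isatap
Command completed successfully.
"""

# Constructed sample output for "dnscmd <ServerName> /info
# /enableglobalqueryblocklist"; the "Dword:  1" layout is likewise an assumption.
SAMPLE_FLAG_OUTPUT = """Query result:
Dword:  1
Command completed successfully.
"""


def parse_block_list(output: str) -> List[str]:
    """Extract the host names from /info /globalqueryblocklist output (lower-cased)."""
    names = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith("string:"):
            names.append(line.split(":", 1)[1].strip().lower())
    return names


def parse_enabled(output: str) -> bool:
    """Return True when /info /enableglobalqueryblocklist reports 1, False for 0."""
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith("dword:"):
            return line.split(":", 1)[1].strip() in ("1", "0x1")
    raise ValueError("no Dword value found in dnscmd output")


def merged_block_list(current: List[str], to_add: List[str]) -> List[str]:
    """Return the complete list to pass to /config /globalqueryblocklist.

    The command REPLACES the whole list, so every existing name is kept and
    the new names are appended; duplicates (case-insensitive) are dropped.
    """
    merged = list(dict.fromkeys(n.lower() for n in current))
    for name in to_add:
        name = name.lower()
        if name not in merged:
            merged.append(name)
    return merged


def build_update_command(server: str, names: List[str]) -> List[str]:
    """argv for the update; names become separate space-separated arguments.

    An empty name list would clear the block list, so it is refused here and
    must be done deliberately by hand.
    """
    if not names:
        raise ValueError("refusing to clear the block list; pass the names explicitly")
    return ["dnscmd", server, "/config", "/globalqueryblocklist", *names]


def find_inconsistent_servers(lists: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Compare per-server block lists (the setting is not replicated).

    Returns, for each server that is missing something, the names present on
    at least one other server but absent on it.
    """
    union = set()
    for names in lists.values():
        union.update(n.lower() for n in names)
    report = {}
    for server, names in lists.items():
        missing = sorted(union - {n.lower() for n in names})
        if missing:
            report[server] = missing
    return report


if __name__ == "__main__":
    current = parse_block_list(SAMPLE_LIST_OUTPUT)
    print("block list enabled:", parse_enabled(SAMPLE_FLAG_OUTPUT))
    print("current names:", current)
    # Constructed: add one more name while keeping wpad and isatap.
    wanted = merged_block_list(current, ["newname"])
    print("run:", " ".join(build_update_command("dns1.example.com", wanted)))
    # Constructed per-server lists to show the consistency check.
    print(find_inconsistent_servers({"dns1": ["wpad", "isatap"], "dns2": ["wpad"]}))
```

The consistency check only flags names missing relative to the union of all servers; whichever server you treat as the reference, the fix is the same: re-run the update command on every authoritative server with the identical full list, then confirm each with /info /globalqueryblocklist.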

See Also

Concepts

Checklist: Implementing a Secure DNS Configuration