Removing WPAD from DNS block list

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

The DNS Server role in Windows Server 2008 introduces a global query block list to reduce the risk associated with the DNS dynamic update protocol. By default the list contains the names wpad and isatap, and the DNS Server service ignores queries for those names in every zone it hosts. Without the list, any host permitted to perform dynamic updates could register a wpad record and be handed the proxy configuration of every WPAD-enabled client in the domain, placing itself in the path of their web traffic.

If you want to use WPAD with DNS, note the following:

  • If WPAD entries are already configured in DNS before the DNS server is upgraded to Windows Server 2008, no action is required.

  • If you configure or remove WPAD after you deploy the DNS Server role on a server running Windows Server 2008, you must update the block list on every DNS server that hosts the zones affected by the change, that is, the zones in which you registered the WPAD servers. A zone served by several DNS servers is only consistently resolvable once the block list has been updated on all of them.

Updating the block list

Use the dnscmd command-line tool to manage the global query block list. Changes made with dnscmd /config require administrative rights on the DNS server. Open an elevated command prompt, and then do the following:

  1. To check whether the global query block is enabled, type the following:

    dnscmd /info /enableglobalqueryblocklist

  2. To display the host names in the current block list, type the following:

    dnscmd /info /globalqueryblocklist

  3. To disable the block list so that the DNS Server service answers queries for every name in the list (including isatap, which is then no longer protected), type the following:

    dnscmd /config /enableglobalqueryblocklist 0

  4. To enable the block list and ensure that the DNS Server service ignores queries for names in the block list, type the following:

    dnscmd /config /enableglobalqueryblocklist 1

  5. To remove all names from the block list (the list stays enabled but is empty), type the following:

    dnscmd /config /globalqueryblocklist

  6. To replace the current block list with a list of the names that you specify, type the following. Specifying only the names you still want blocked (normally isatap) is the preferred way to release wpad, because it leaves the rest of the list in force:

    dnscmd /config /globalqueryblocklist name [name]…
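The steps above can be scripted so that wpad is removed without disturbing the other entries, and so that the result is verified on each DNS server that hosts the affected zones. The following PowerShell script is an added example and is not part of the original TechNet page; it wraps the same dnscmd commands the steps use. The default server name `localhost` and the `-Zone` parameter are hypothetical, and the script assumes that dnscmd /info prints string-list entries as `String:  <name>` and DWORD values as `Dword:  <n>`.

```powershell
# Added example, not from the original TechNet page. Removes the given names
# (default: wpad) from the DNS Server global query block list while keeping
# every other entry (normally isatap) blocked, then verifies the result.
# Run from an elevated PowerShell prompt on, or with RPC access to, each DNS
# server hosting the affected zones.
# Assumptions: dnscmd.exe is on the PATH; its /info output lists string
# values as "String:  <name>" and DWORD values as "Dword:  <n>".
param(
    [string]   $Server        = 'localhost',   # hypothetical target DNS server
    [string[]] $NamesToRemove = @('wpad'),
    [string]   $Zone          = ''             # optional: zone to test-resolve wpad in
)

$ErrorActionPreference = 'Stop'

function Invoke-Dnscmd {
    # Runs dnscmd with the given arguments and returns its output lines,
    # throwing if dnscmd reports a failure through its exit code.
    param([string[]]$Arguments)
    $output = & dnscmd.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed (exit $LASTEXITCODE):`n$($output -join "`n")"
    }
    return $output
}

function Get-GlobalQueryBlockList {
    # Step 2 of the procedure: the names currently in the block list.
    param([string]$DnsServer)
    $names = @()
    foreach ($line in (Invoke-Dnscmd -Arguments @($DnsServer, '/info', '/globalqueryblocklist'))) {
        if ($line -match '^\s*String:\s*(\S+)') { $names += $Matches[1].ToLowerInvariant() }
    }
    return $names
}

function Get-GlobalQueryBlockListEnabled {
    # Step 1 of the procedure: is the block list enforced at all?
    param([string]$DnsServer)
    foreach ($line in (Invoke-Dnscmd -Arguments @($DnsServer, '/info', '/enableglobalqueryblocklist'))) {
        if ($line -match '^\s*Dword:\s*(\d+)') { return ([int]$Matches[1] -ne 0) }
    }
    throw "Could not read EnableGlobalQueryBlockList from $DnsServer"
}

function Set-GlobalQueryBlockList {
    # Step 6 of the procedure: replace the whole list. An empty list is the
    # same as step 5 (dnscmd /config /globalqueryblocklist with no names).
    param([string]$DnsServer, [string[]]$Names)
    Invoke-Dnscmd -Arguments (@($DnsServer, '/config', '/globalqueryblocklist') + $Names) | Out-Null
}

# --- main ---
$enabled = Get-GlobalQueryBlockListEnabled -DnsServer $Server
$before  = @(Get-GlobalQueryBlockList -DnsServer $Server)
Write-Host "[$Server] block list enabled: $enabled; current names: $($before -join ', ')"

$remove = @($NamesToRemove | ForEach-Object { $_.ToLowerInvariant() })
$after  = @($before | Where-Object { $remove -notcontains $_ })

if ($after.Count -eq $before.Count) {
    Write-Host "[$Server] nothing to do: $($remove -join ', ') not in the block list"
} else {
    # Only the requested names are dropped; every other entry (isatap) survives.
    Set-GlobalQueryBlockList -DnsServer $Server -Names $after
    $verify = @(Get-GlobalQueryBlockList -DnsServer $Server)
    foreach ($n in $remove) {
        if ($verify -contains $n) { throw "[$Server] $n is still in the block list after the update" }
    }
    foreach ($n in $after) {
        if ($verify -notcontains $n) { throw "[$Server] $n was unexpectedly dropped from the block list" }
    }
    Write-Host "[$Server] block list is now: $($verify -join ', ')"
}

if (-not $enabled) {
    Write-Warning "[$Server] the global query block list is disabled, so nothing in it (isatap included) is blocked; re-enable it with: dnscmd $Server /config /enableglobalqueryblocklist 1"
}

# Optional end-to-end check: ask this server for wpad.<zone> and show its answer.
if ($Zone) {
    & nslookup.exe -type=A "wpad.$Zone" $Server | Write-Host
}
```

Run the script once per DNS server that hosts the zone, for example `.\Update-WpadBlockList.ps1 -Server dns01 -Zone corp.example.com` (names assumed for illustration). The script deliberately never disables the list (steps 3 and 4); it rewrites the list with the surviving names so that isatap remains blocked. On Windows Server 2012 and later the DnsServer module offers `Get-DnsServerGlobalQueryBlockList` and `Set-DnsServerGlobalQueryBlockList -List` as a cmdlet-based alternative to parsing dnscmd output.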

For more information and instructions, see the document "DNS Server Global Query Block List", available for download from Domain Name System at Microsoft TechNet.