DNS: If the Global Query Block List is enabled, then it should not be empty

Updated: October 15, 2010

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Product/Feature

DNS

Severity

Warning

Category

Configuration

Issue

The DNS Global Query Block List is enabled but empty. The default strings "wpad" and "isatap" have been removed.

If the Global Query Block List is enabled, it should not be empty. By default, the host names "wpad" and "isatap" are included in the list. Removing the default names does not turn the feature off; it leaves the feature enabled while blocking nothing, so the names are once again resolvable. If you do not want the block list, disable it explicitly rather than emptying it.

Impact

With an empty list, any user or computer that is allowed to register host records in the zone (for example, through dynamic update) can register DNS names that have special significance, and the DNS server will answer queries for them. By default, the Global Query Block List contains the strings "wpad" and "isatap".

The Global Query Block List is a list of host names that the DNS server ignores. If the block list is enabled on a DNS server and it receives a query for a zone for which it is authoritative, the DNS server checks the leftmost portion of the name. If the query matches an entry in the block list, the DNS server replies to the query as though no resource record existed, even if there is a host (A or AAAA) resource record in the zone for the name. This prevents hosts that might have registered names with special significance in your organization from diverting certain types of network traffic to that host.

Resolution

Add the strings "wpad" and "isatap" back to the list if you do not have these services deployed in your environment. If you deliberately do not want the block list, disable it with the enable setting described below instead of leaving it enabled and empty.

Important

All DNS servers that are authoritative for a zone must be configured with the same block list to ensure consistent results. The block list is a per-server setting and is not replicated between servers.

When you enable the Global Query Block List, the Web Proxy Auto-Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) names are blocked by default. WPAD is used by most web browsers to locate and apply configuration settings that make it possible for the web browsers to use a network proxy server; a host that succeeds in registering the name "wpad" can therefore supply proxy settings to those browsers. ISATAP provides a transition between networks that are based on IP version 4 (IPv4) and networks that are based solely on the newer IP version 6 (IPv6). If you have one of these services deployed on your network, remove only the appropriate name from the block list, or disable the Global Query Block List feature. Do not configure an empty block list.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To enable or disable the global query block list

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd [<ServerName>] /config /enableglobalqueryblocklist 0|1
    
Value Description

dnscmd

The command-line tool for managing DNS servers.

<ServerName>

Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.) or omit the host name.

/config

Required. Modifies the configuration of the DNS server.

/enableglobalqueryblocklist

Required. Specifies that the command enables or disables the global query block list.

0|1

Specifies whether to enable or disable the global query block list. If you want the DNS Server service to ignore queries for the names in the block list, you set the value of the command to 1. If you want to disable the global query block list, you set the value to 0.

To view the global query block list

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd [<ServerName>] /info /globalqueryblocklist
    
Value Description

dnscmd

The command-line tool for managing DNS servers.

<ServerName>

Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.) or omit the host name.

/info

Required. Specifies that the command is to return information only.

/globalqueryblocklist

Required. Specifies that the command applies to the global query block list.

To update the global query block list

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd [<ServerName>] /config /globalqueryblocklist [<name> [<name>]...]
    
Value Description

dnscmd

The command-line tool for managing DNS servers.

<ServerName>

Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.) or omit the host name.

/config

Required. Modifies the configuration of the DNS server.

/globalqueryblocklist

Required. Specifies that the command applies to the global query block list.

<name>

Specifies the host names that are to be inserted into the global query block list. Separate multiple names with blank spaces.

Important
The command replaces all names in the list with the names you specify. Therefore, to add a name to the list you must also include all existing names in the list. If you do not specify a name, all names are removed from the global query block list.

Additional considerations

  • To determine whether the global query block list is enabled, type the following command at a command prompt:

    dnscmd <ServerName> /info /enableglobalqueryblocklist
    

    If the command returns a value of 1, the global query block list is enabled. If the command returns a value of 0, the global query block list is not enabled.
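The Resolution and the three dnscmd procedures above can be combined into a single audit-and-fix pass. The following PowerShell script is an added example and is not part of this Microsoft topic; it uses the DnsServer module cmdlets Get-DnsServerGlobalQueryBlockList and Set-DnsServerGlobalQueryBlockList, which are available on Windows Server 2012 or later (or through RSAT). The zone name, the fallback server names, and the $Apply switch are assumptions for illustration. It reports the exact condition this BPA rule flags (list enabled but empty), checks that every server authoritative for the zone has the same list, and optionally restores the default entries.

```powershell
#Requires -Modules DnsServer
# Added example, not from the Microsoft topic. Audits the Global Query Block List
# on every DNS server authoritative for a zone and optionally restores the defaults.

$Zone     = 'corp.example.com'          # assumed zone name; replace with your own
$Expected = @('wpad', 'isatap')         # the default entries the BPA rule expects
$Apply    = $false                      # $true = change servers; $false = report only

# The servers that must agree are the zone's name servers (the block list is per
# server and is not replicated). Read them from the zone's NS records; the
# fallback names below are assumptions for illustration.
$Servers = @(Get-DnsServerResourceRecord -ZoneName $Zone -RRType NS -ErrorAction SilentlyContinue |
             ForEach-Object { $_.RecordData.NameServer.TrimEnd('.') } |
             Sort-Object -Unique)
if (-not $Servers) { $Servers = @('dns01.corp.example.com', 'dns02.corp.example.com') }

function Get-GqblState {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Equivalent to: dnscmd <server> /info /enableglobalqueryblocklist
    #                dnscmd <server> /info /globalqueryblocklist
    $gqbl = Get-DnsServerGlobalQueryBlockList -ComputerName $ComputerName
    $list = @($gqbl.List | Where-Object { $_ })
    [pscustomobject]@{
        Server          = $ComputerName
        Enabled         = [bool]$gqbl.Enable
        List            = $list
        # The condition this BPA rule reports: feature on, nothing blocked.
        EnabledButEmpty = ([bool]$gqbl.Enable -and $list.Count -eq 0)
        # Defaults present (case-insensitive) when the feature is enabled.
        MissingDefaults = @($Expected | Where-Object { $list -notcontains $_ })
    }
}

$states = foreach ($s in $Servers) { Get-GqblState -ComputerName $s }

$states | Format-Table Server, Enabled,
    @{ Name = 'List';            Expression = { $_.List -join ',' } },
    EnabledButEmpty,
    @{ Name = 'MissingDefaults'; Expression = { $_.MissingDefaults -join ',' } } -AutoSize

# Consistency check: all authoritative servers must have the same enable state and list.
$distinct = @($states |
    ForEach-Object { "$($_.Enabled)|$(($_.List | Sort-Object) -join ',')" } |
    Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning ("Block list differs between authoritative servers; results will be " +
                   "inconsistent:`n" + ($distinct -join "`n"))
}

# Remediation: restore the defaults where the list is enabled but empty. Like
# dnscmd /config /globalqueryblocklist, Set-DnsServerGlobalQueryBlockList replaces
# the entire list, so always pass the complete set of names you want kept.
foreach ($s in ($states | Where-Object EnabledButEmpty)) {
    if ($Apply) {
        Set-DnsServerGlobalQueryBlockList -ComputerName $s.Server -Enable $true -List $Expected
        Write-Host "$($s.Server): restored block list [$($Expected -join ', ')]"
    } else {
        Write-Host "$($s.Server): block list is enabled but empty; set `$Apply = `$true to restore [$($Expected -join ', ')]"
    }
}
```

Run it on a DNS server (or add -ComputerName to Get-DnsServerResourceRecord) with $Apply left at $false first to see the current state of every server. If WPAD or ISATAP is genuinely deployed, change $Expected to the single name you still want blocked instead of emptying the list; if you want the feature off entirely, use Set-DnsServerGlobalQueryBlockList -Enable $false (dnscmd /config /enableglobalqueryblocklist 0). On Windows Server 2008 and 2008 R2, where the DnsServer module is not available, the same replacement semantics apply to dnscmd <ServerName> /config /globalqueryblocklist wpad isatap.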

See Also

Concepts

Managing the Global Query Block List