I recently promoted one of the Server 2008 VMs in my lab to a domain controller for the lab domain and installed the DNS role as well (so now I have three DNS servers in the VM lab — all three are domain controllers). The “firewall” to the VM lab is an ISA 2006 server with the Web Proxy Auto-Discovery (WPAD) configured and I have a CNAME entry in DNS for wpad so that the ISA firewall clients can dynamically detect the ISA server and configure the settings in IE.

According to the document, “Windows Server 2008 – DNS Server Global Query Block List” the initial query block list contains the entries ‘wpad’ and ‘isatap’ by default. However, when you install or upgrade a server to Windows Server 2008 and you install the DNS role the installation is supposed to detect whether entries already exist in DNS for the names ‘wpad’ and ‘isatap’ and to remove those entries from the block list upon detection (remember, this only occurs upon installation or upgrade — not later on during normal operation). It only detects, however, when the record is either an A (IPv4 address) or AAAA (IPv6 address). In my case the record is a CNAME and therefore ‘wpad’ was automatically added to the global query block list. This generates an EventID of 7600 with the following text in my case:

The global query block list is a feature that prevents attacks on your network by blocking DNS queries for specific host names. This feature has caused the DNS server to fail a query with error code NAME ERROR for WPAD.DOMAIN.TLD even though data for this DNS name exists in the DNS database. Other queries in all locally authoritative zones for other names that begin with labels in the block list will also fail, but no event will be logged when further queries are blocked until the DNS server service on this computer is restarted. See product documentation for information about this feature and instructions on how to configure it.

Below is the current global query block list (this list may be truncated in this event if it is too long):
isatap
wpad

EventID 7600 - DNS Query Block List

EventID 7600 - DNS Query Block List

The solution can be found at the Forefront TMG (ISA Server) Product Team blog in their entry titled Windows Server 2008 DNS Block Feature. Additional information can be found on TechNet in the document “DNS Server Global Query Block List” under the Windows Server 2008 resource section covering the Domain Name System.

To make a long story short, the simple solution is to reconfigure the global query block list using the dnscmd command as shown below

Reconfiguring DNS Global Query Block List on Server 2008

Reconfiguring DNS Global Query Block List on Server 2008

Advertisements