I recently promoted one of the Server 2008 VMs in my lab to a domain controller for the lab domain and installed the DNS role as well (so now I have three DNS servers in the VM lab — all three are domain controllers). The “firewall” to the VM lab is an ISA 2006 server with the Web Proxy Auto-Discovery (WPAD) configured and I have a CNAME entry in DNS for wpad so that the ISA firewall clients can dynamically detect the ISA server and configure the settings in IE.
According to the document, “Windows Server 2008 – DNS Server Global Query Block List” the initial query block list contains the entries ‘wpad’ and ‘isatap’ by default. However, when you install or upgrade a server to Windows Server 2008 and you install the DNS role the installation is supposed to detect whether entries already exist in DNS for the names ‘wpad’ and ‘isatap’ and to remove those entries from the block list upon detection (remember, this only occurs upon installation or upgrade — not later on during normal operation). It only detects, however, when the record is either an A (IPv4 address) or AAAA (IPv6 address). In my case the record is a CNAME and therefore ‘wpad’ was automatically added to the global query block list. This generates an EventID of 7600 with the following text in my case:
The global query block list is a feature that prevents attacks on your network by blocking DNS queries for specific host names. This feature has caused the DNS server to fail a query with error code NAME ERROR for WPAD.DOMAIN.TLD even though data for this DNS name exists in the DNS database. Other queries in all locally authoritative zones for other names that begin with labels in the block list will also fail, but no event will be logged when further queries are blocked until the DNS server service on this computer is restarted. See product documentation for information about this feature and instructions on how to configure it.
Below is the current global query block list (this list may be truncated in this event if it is too long):
isatap
wpad
EventID 7600 - DNS Query Block List
The solution can be found at the Forefront TMG (ISA Server) Product Team blog in their entry titled Windows Server 2008 DNS Block Feature. Additional information can be found on TechNet in the document “DNS Server Global Query Block List” under the Windows Server 2008 resource section covering the Domain Name System.
To make a long story short, the simple solution is to reconfigure the global query block list using the dnscmd command as shown below
Reconfiguring DNS Global Query Block List on Server 2008
Ido's Blog 
1 comment
February 24, 2009 at 6:33 pm
Narg
I also ran into this same problem. Thanks for providing the DNS part of the fix.
I’ve still got one problem though and that the .pac file no longer seems to be taking affect. I was on Windows 2000 servers, now on 2008. One of the 2000 server was providing web services to give access to the .pac file for the automatic proxy entry in I.E. to grab the file. I moved the web location to another machine, but now it doesn’t do it’s job. I’m not sure why. Does this file need to reside on the server?
Another way to explain:
old setup:
http://wpad.domain.local/wpad.pac wpad -> server in DNS where server was a windows 2000 AD server with web turned on. worked.
new setup
http://wpad.domain.local/wpad.pac wpad -> web in DNS where web is an internal web server for many tasks, and not a AD controller, but is inside the domain.
New setup doesn’t work. Just wonder if it’s because of the location or not. I.E. doesn’t want to use the proxy now, but did with the old setup. DNS resolution is correct, and works. But the .pac file access seems to be blocked via some other security or something.