Windows Server 2008 R2 DNS Global Query Block List

Using Windows DNS dynamic update functionality to hijack the automatic configuration records wpad and isatap is a pretty straightforward process, and it allows the culprit to intercept proxy credentials or redirect and intercept traffic requests. ISATAP is probably less of a concern today, as its role is to facilitate the transition from pure IPv4 to IPv6 networks. But if you’re using Automatic Proxy Configuration in your client system browser settings, the Global Query Block List (GQBL) feature in Windows DNS will render automatic configuration useless (not that you should be using anything “automatic” in a managed network environment) by rejecting wpad host record lookups. If you find yourself stuck and need a quick fix to get automatic configuration back up and running, you can disable the global query block list feature in Windows DNS using the following command from a Windows command prompt on your DNS server:

dnscmd /config /enableglobalqueryblocklist 0

Once you’ve fixed things up and stopped using automatic configuration options in your environment, just change the “0” to a “1” to re-enable this Windows DNS security feature.
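
A narrower option than switching the whole feature off, as an added example that is not part of the original post: keep the block list enabled and take only wpad out of it, so isatap stays blocked. The script name gqbl.cmd is hypothetical; the dnscmd /info queries and the /globalqueryblocklist setting are not shown in the post, and the script assumes the default list of wpad and isatap.

```bat
@echo off
rem gqbl.cmd (hypothetical name) - added example, not from the original post.
rem Run from an elevated command prompt on the DNS server.
rem Usage: gqbl.cmd status ^| allow-wpad ^| restore
if /i "%~1"=="status" goto status
if /i "%~1"=="allow-wpad" goto allowwpad
if /i "%~1"=="restore" goto restore
echo Usage: %~nx0 status ^| allow-wpad ^| restore
exit /b 1

:allowwpad
rem Leave the feature enabled, but replace the list so only isatap is blocked.
rem wpad lookups are answered again; isatap lookups are still rejected.
dnscmd /config /globalqueryblocklist isatap || exit /b 1
goto status

:restore
rem Assumes the default list: block both names again and enable the feature.
dnscmd /config /globalqueryblocklist wpad isatap || exit /b 1
dnscmd /config /enableglobalqueryblocklist 1 || exit /b 1
goto status

:status
rem Show whether the feature is enabled and which names are currently blocked.
dnscmd /info /enableglobalqueryblocklist
dnscmd /info /globalqueryblocklist
exit /b %errorlevel%
```

Run it with status first and keep the output, so the original list can be restored exactly if it differs from the default.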
