How to: Make my DNS server resolve my WPAD entry for my proxy server and what is the DNS Block List?
I’ve been working on setting up my corporate network to use Microsoft’s TMG proxy in order to better handle the traffic (restricting sites, etc.). While configuring the proxy’s automatic detection you come across 3 options:
- Using Active Directory
- Using DHCP
- Using DNS (WPAD)
So at the beginning the Active Directory option, although recommended, seemed like a pain. Really obscure options are just not what I look forward to, as I’ll forget them and managing them becomes a real pain. The next two options were more straightforward. DHCP did require adding an additional setting to the server, while DNS was as simple as adding a new entry. I figured I would do both to have some sort of redundancy on the detection.
I had some issues with the DHCP setting and that’s when I realised the DNS was not working correctly to set up the proxy. I executed nslookup and queried for the WPAD entry on the DNS server… not found. I was very confused: I had made sure I had a static record pointing to the correct IP address for the wpad.domain.local entry. I just fixed my DHCP and decided to live in ignorance forever, until I came across this: the DNS Block List.
Protocols such as WPAD use the DNS dynamic update feature, which enables DNS client computers to register and dynamically update resource records when clients change a network address or host name. The dynamic update feature makes clients vulnerable to hijacking. For example, a malicious user could register a computer as a WPAD server and direct all WPAD queries to it. No system administrator intervention is required.
The DNS Server role in Windows Server 2008 introduces a global query block list to reduce this vulnerability risk. This block list behaves as follows:
- After installation or upgrade, the DNS Server service enumerates the zones for which it is authoritative. If it finds a host (A or AAAA) resource record for a host named wpad, the corresponding name is removed from the block list before the list is stored in the registry. This behavior does not affect clients using WPAD.
- If you configure or remove WPAD after you deploy the DNS server role on a server running Windows Server 2008, you must update the block list on all DNS servers that host the zones affected by the change. The affected zones are those where you registered the WPAD servers.
(Obtained from Technet)
So at this point I am like, great… back to obscure settings not easily managed by a GUI. I had already researched what I needed in order to remove WPAD from the DNS block list when I decided maybe I should leave it the way it is, to prevent any issues that could arise from said vulnerability. After all, DHCP is working fine and you can set the TMG client to use a static IP address for its proxy. At this point, considering the complications and risks involved in using a DNS server to set up your proxy, I would recommend going with the Active Directory approach as suggested by Microsoft and using DHCP as a backup.
Regardless, below are a few Windows command-line (dnscmd) commands that can help you manage the DNS block list and, if you want, remove WPAD from said list. I hope this helps!
Use the dnscmd command-line tool to manage the global query block list. Open a command line prompt, and then do the following:
- To check whether the global query block is enabled, type the following:
dnscmd /info /enableglobalqueryblocklist
- To display the host names in the current block list, type the following:
dnscmd /info /globalqueryblocklist
- To disable the block list and ensure that the DNS Server service does not ignore queries for names in the block list, type the following:
dnscmd /config /enableglobalqueryblocklist 0
- To enable the block list and ensure that the DNS Server service ignores queries for names in the block list, type the following:
dnscmd /config /enableglobalqueryblocklist 1
- To remove all names from the block list, type the following:
dnscmd /config /globalqueryblocklist
- To replace the current block list with a list of the names that you specify, type the following:
dnscmd /config /globalqueryblocklist name [name]…
For more information and instructions, see the document “DNS Server Global Query Block List”, available for download from Domain Name System at Microsoft TechNet.
(Obtained from Technet)
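As an added example (not from the original post or from Microsoft’s documentation), here is a PowerShell script that diagnoses the exact situation described above: a static wpad A record exists in the zone, yet queries for it return nothing because the global query block list is answering first. It uses the DnsServer module cmdlets (Windows Server 2012 or later; on Server 2008 the dnscmd commands above are the equivalent), and assumes a zone named domain.local and that it is run on the DNS server itself. With -UnblockWpad it removes only the wpad entry and leaves the rest of the list (for example isatap) intact and enabled.

```powershell
# Added example, not from the original post. Assumes the DnsServer PowerShell module
# (Windows Server 2012+) and a zone 'domain.local' holding a static A record for 'wpad'.
param(
    [string]$Zone      = 'domain.local',   # assumption: the internal AD zone name
    [string]$DnsServer = 'localhost',      # assumption: run on the DNS server itself
    [switch]$UnblockWpad                   # only 'wpad' is removed; other blocked names stay
)

Import-Module DnsServer

# 1. What the server will refuse to answer for, and whether the zone actually has the record.
$blockList = Get-DnsServerGlobalQueryBlockList -ComputerName $DnsServer
$record    = Get-DnsServerResourceRecord -ZoneName $Zone -Name 'wpad' -RRType A `
                 -ComputerName $DnsServer -ErrorAction SilentlyContinue

Write-Host "Block list enabled : $($blockList.Enable)"
Write-Host "Blocked names      : $($blockList.List -join ', ')"
Write-Host "wpad A record      : $(if ($record) { $record.RecordData.IPv4Address } else { '<none>' })"

# 2. The mismatch from the post: record present, but the block list hides it from every client.
$blocked = $blockList.Enable -and ($blockList.List -contains 'wpad')
if ($record -and $blocked) {
    Write-Warning "wpad.$Zone is in the zone, but the global query block list will not answer for it."
}

# 3. Optional: remove only 'wpad'. The list stays enabled so the other names keep their protection.
if ($UnblockWpad -and $blocked) {
    $newList = @($blockList.List | Where-Object { $_ -ne 'wpad' })
    Set-DnsServerGlobalQueryBlockList -List $newList -Enable $true -ComputerName $DnsServer
    Write-Host "Removed 'wpad' from the block list; remaining: $($newList -join ', ')"
}

# 4. Confirm from the resolver side: a blocked name yields no answer even though the zone has it.
Resolve-DnsName -Name "wpad.$Zone" -Server $DnsServer -Type A -ErrorAction SilentlyContinue |
    Select-Object Name, Type, IPAddress
```

Run it first without -UnblockWpad to see whether the block list, rather than a missing record, is what nslookup is tripping over.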