The Global Query Block List is a feature of the DNS Service in Windows 2008 discussed on TechNet.

However, although it is advertised as a feature of Windows 2008 DNS, it is also present in Windows 2003 from DNS version 5.2.3790.4460 and above, released with KB 961063.

To enable, disable, or configure the list requires modifications in the Registry for Windows 2003.

Enabling or Disabling the Global Query Block List

Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Name EnableGlobalQueryBlockList
Type REG_DWORD (DWORD Value)
Data Enable: 1; Disable: 0

The default is disabled.

Managing the Global Query Block List

Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Name GlobalQueryBlockList
Type REG_MULTI_SZ (Multi-String Value)
Data wpad isatap

Note that wpad and isatap are the default values when the block list is enabled on Windows 2008; they are included here as an example.

As this is a registry change it will not replicate automatically; it should be applied to every other DNS server so that all of them behave consistently.

When a name is blocked

If a name is blocked by the Global Query Block List, the DNS request for the name will time out and Event ID 6268 (see below) will be logged in the DNS Server event log.

[code lang="plain"]
Type: Error
Source: DNS
Event ID: 6268

The global query block list is a feature that prevents attacks on your
network by blocking DNS queries for specific host names. This feature
has caused the DNS server to fail a query with error code NAME ERROR
for wpad.somedomain.example. even though data for this DNS name exists
in the DNS database. Other queries in all locally authoritative zones
for other names that begin with labels in the block list will also fail,
but no event will be logged when further queries are blocked until the
DNS server service on this computer is restarted. See product documentation
for information about this feature and instructions on how to configure it.

Below is the current global query block list (this list may be truncated
in this event if it is too long):
wpad
isatap
[/code]
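Because the registry setting above does not replicate, and because event 6268 is only logged once per service start, it is worth auditing the servers rather than waiting for a time-out report. The following PowerShell script is an added example (not part of the original post): it reads EnableGlobalQueryBlockList and GlobalQueryBlockList from each server's registry, flags any server that differs from the list you intend to enforce, and pulls recent 6268 events from the DNS Server log. The server names are placeholders, and remote registry and event log access are assumed.

```powershell
# Audit the Global Query Block List across DNS servers and surface 6268 events.
# Server names below are placeholders; replace them with your own DNS servers.
$Servers  = @('dns01.example.internal', 'dns02.example.internal')
$Expected = @('wpad', 'isatap')   # the list you intend every server to carry
$KeyPath  = 'SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-GqblState {
    param([string]$Server)
    # Open HKLM on the remote machine (requires the Remote Registry service).
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
    $key  = $hive.OpenSubKey($KeyPath)
    try {
        # $null means the value is absent; the post states the default is disabled.
        $enabled = $key.GetValue('EnableGlobalQueryBlockList')
        # REG_MULTI_SZ comes back as string[]; default to an empty list if absent.
        $list = @([string[]]$key.GetValue('GlobalQueryBlockList', @()))
        $drift = @(Compare-Object -ReferenceObject $Expected -DifferenceObject $list).Count
        [pscustomobject]@{
            Server     = $Server
            Enabled    = if ($null -eq $enabled) { 'not set' } else { [int]$enabled }
            List       = ($list | Sort-Object) -join ','
            Consistent = ($drift -eq 0) -and ($enabled -eq 1)
        }
    } finally {
        if ($key) { $key.Close() }
        $hive.Close()
    }
}

# One row per server; any row with Consistent = False needs the registry change applied.
$Servers | ForEach-Object { Get-GqblState -Server $_ } | Format-Table -AutoSize

# Event 6268 names the first blocked query since the last service restart;
# later blocks are silent, so a single hit already means clients are timing out.
foreach ($s in $Servers) {
    Get-EventLog -ComputerName $s -LogName 'DNS Server' -Source 'DNS' -Newest 200 |
        Where-Object { $_.EventID -eq 6268 } |
        Select-Object MachineName, TimeGenerated, EventID
}
```

Run it from an account with remote registry and event log read rights on each DNS server; a server reporting Consistent = False is the one whose registry still needs the change from the sections above.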

3 Comments

  1. Good entry Chris, I knew this was an obscure subject when no one responded to you on activedir today.

    This is why you are one of the top DNS guys around. Definitely #1 on EE.

    Talk to you later

    Mike


  2. We can also enable and disable the global query block list using the following commands:

    1. To check whether the global query block list is enabled, type the following:
    dnscmd /info /enableglobalqueryblocklist

    2. To display the host names in the current block list, type the following:
    dnscmd /info /globalqueryblocklist

    3. To disable the block list and ensure that the DNS Server service does not ignore queries for names in the block list, type the following:
    dnscmd /config /enableglobalqueryblocklist 0

    4. To enable the block list and ensure that the DNS Server service ignores queries for names in the block list, type the following:
    dnscmd /config /enableglobalqueryblocklist 1

    5. To remove all names from the block list, type the following:
    dnscmd /config /globalqueryblocklist

    6. To replace the current block list with a list of the names that you specify, type the following:
    dnscmd /config /globalqueryblocklist name [name]…
