Windows 2003 DNS and the Global Query Block List
The Global Query Block List is a feature of the DNS Service in Windows 2008 discussed on TechNet.
However, although it is advertised as a feature of Windows 2008 DNS, it is also present in Windows 2003 from DNS version 5.2.3790.4460 and above, released with KB 961063.
To enable, disable, or configure the list requires modifications in the Registry for Windows 2003.
Enabling or Disabling the Global Query Block List
| Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters |
| Name | EnableGlobalQueryBlockList |
| Type | REG_DWORD (DWORD Value) |
| Data | Enable: 1; Disable: 0 |
The default is disabled.
Managing the Global Query Block List
| Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters |
| Name | GlobalQueryBlockList |
| Type | REG_MULTI_SZ (Multi-String Value) |
| Data | wpad isatap |
Note that wpad and isatap are the default values when the block list is enabled on Windows 2008; they are included here as an example.
As this is a registry change it will not replicate automatically, so it should be applied to every other DNS server for consistent behaviour.
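The following script is an added example and is not part of the original post. It sets the two registry values described above on the local DNS server and then reads the same values back from a list of DNS servers over the remote registry to report any drift, since nothing replicates them for you. It assumes PowerShell is installed on the Windows 2003 server (it is not there by default), that the account running it has local administrator and remote-registry rights, that the DNS Server service reads these values at start-up (hence the restart), and that the server names dns01 to dns03 are placeholders for your own.

```powershell
# Added example, not from the original post: configure the Global Query Block List
# registry values locally and audit other DNS servers for inconsistent settings.
# Assumptions: PowerShell on the 2003 box, admin and remote-registry rights,
# placeholder server names, and that the DNS service reads the values at start-up.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$subKey  = 'SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Set-GqblLocal {
    param([string[]]$Names = @('wpad', 'isatap'), [switch]$Restart)
    # -Force overwrites an existing value of the same name
    New-ItemProperty -Path $regPath -Name 'EnableGlobalQueryBlockList' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $regPath -Name 'GlobalQueryBlockList' `
        -PropertyType MultiString -Value $Names -Force | Out-Null
    # Assumption: the service reads these values at start-up, so restart to apply them
    if ($Restart) { Restart-Service -Name 'DNS' }
}

function Get-GqblRemote {
    param([string]$ComputerName)
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $base.OpenSubKey($subKey)
        if ($null -eq $key) { throw "DNS Parameters key not found on $ComputerName" }
        # A missing value is reported as $null rather than guessed at
        $enabled = $key.GetValue('EnableGlobalQueryBlockList', $null)
        $list    = $key.GetValue('GlobalQueryBlockList', $null)
        # Sort the names so that ordering differences alone are not reported as drift
        $listStr = $null
        if ($list) { $listStr = (@($list) | Sort-Object) -join ' ' }
        New-Object PSObject -Property @{
            Server  = $ComputerName
            Enabled = $enabled
            List    = $listStr
        }
    }
    finally { $base.Close() }
}

# Apply the configuration on this server
Set-GqblLocal -Names @('wpad', 'isatap') -Restart

# Audit: every server should match the first one in the list
$servers = @('dns01', 'dns02', 'dns03')   # placeholders, replace with your DNS servers
$results = foreach ($s in $servers) {
    try { Get-GqblRemote -ComputerName $s } catch { Write-Warning "$s : $_" }
}
$results | Format-Table Server, Enabled, List -AutoSize

$ref   = $results | Select-Object -First 1
$drift = $results | Where-Object { $_.Enabled -ne $ref.Enabled -or $_.List -ne $ref.List }
if ($drift) {
    Write-Warning 'Global Query Block List settings differ between DNS servers:'
    $drift | Format-Table Server, Enabled, List -AutoSize
}
```

Run the audit half on its own first to see where you stand; a server that reports Enabled as blank has never had the value written, so it is running on whatever the hotfix's default is rather than on an explicit setting.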
When a name is blocked
If a name is blocked by the Global Query Block List, the DNS request for the name will time out and Event ID 6268 (see below) will be logged in the DNS Server Event Log.
Type: Error
Source: DNS
Event ID: 6268
The global query block list is a feature that prevents attacks on your network by blocking DNS queries for specific host names. This feature has caused the DNS server to fail a query with error code NAME ERROR for wpad.somedomain.example. even though data for this DNS name exists in the DNS database. Other queries in all locally authoritative zones for other names that begin with labels in the block list will also fail, but no event will be logged when further queries are blocked until the DNS server service on this computer is restarted. See product documentation for information about this feature and instructions on how to configure it. Below is the current global query block list (this list may be truncated in this event if it is too long): wpad isatap
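The following is an added example, not code from the original post. It pulls Event ID 6268 entries out of the DNS Server log and parses two things from the message text shown above: the name that was refused and the block list the server reported at the time. The message layout it parses is the one quoted on this page; the constructed sample string below is taken from that text, and the parser assumes real messages keep the same wording (the list may be truncated, as the event itself warns). It assumes Windows PowerShell with Get-EventLog available on the DNS server.

```powershell
# Added example, not from the original post: parse Event ID 6268 from the DNS Server log.
# Assumes Windows PowerShell with Get-EventLog, and that the event text follows the
# wording quoted on this page.

function ConvertFrom-GqblEvent {
    param([string]$Message)
    # The refused name appears as "... NAME ERROR for <name>. even though ..."
    $name = $null
    if ($Message -match 'NAME ERROR for (?<n>\S+)\. even though') { $name = $Matches.n }
    # The reported list follows "if it is too long):" and is whitespace separated
    $list = @()
    if ($Message -match 'too long\):\s*(?<l>[\s\S]*)$') {
        $list = @($Matches.l.Trim() -split '\s+' | Where-Object { $_ -ne '' })
    }
    New-Object PSObject -Property @{ BlockedName = $name; BlockList = $list }
}

# Constructed sample, abbreviated from the event text quoted above, for offline testing
$sample = 'The global query block list is a feature that prevents attacks on your network ' +
          'by blocking DNS queries for specific host names. This feature has caused the DNS ' +
          'server to fail a query with error code NAME ERROR for wpad.somedomain.example. even ' +
          'though data for this DNS name exists in the DNS database. Below is the current ' +
          'global query block list (this list may be truncated in this event if it is too long): wpad isatap'
$parsed = ConvertFrom-GqblEvent -Message $sample
"Blocked: $($parsed.BlockedName)  List: $($parsed.BlockList -join ' ')"

# Live query: most recent 6268 entries from this server's DNS Server log
Get-EventLog -LogName 'DNS Server' -Source 'DNS' -Newest 200 |
    Where-Object { $_.EventID -eq 6268 } |
    ForEach-Object {
        $p = ConvertFrom-GqblEvent -Message $_.Message
        New-Object PSObject -Property @{
            Time    = $_.TimeGenerated
            Blocked = $p.BlockedName
            List    = ($p.BlockList -join ' ')
        }
    } | Format-Table Time, Blocked, List -AutoSize
```

Bear in mind what the event text itself says: only the first blocked query after a service start is logged, so one 6268 entry tells you the list is active and what it contained, not how many queries have been refused since.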
Posted by Mike Kline on 21.05.09 at 12:56 pm
Good entry Chris, I knew this was an obscure subject when no one responded to you on activedir today.
This is why you are one of the top DNS guys around. Definitely #1 on EE.
Talk to you later
Mike
Posted by Miturupesh on 21.05.09 at 12:56 pm
We can also enable and disable the global query block list using the following commands:
1. To check whether the global query block list is enabled, type the following:
dnscmd /info /enableglobalqueryblocklist
2. To display the host names in the current block list, type the following:
dnscmd /info /globalqueryblocklist
3. To disable the block list and ensure that the DNS Server service does not ignore queries for names in the block list, type the following:
dnscmd /config /enableglobalqueryblocklist 0
4. To enable the block list and ensure that the DNS Server service ignores queries for names in the block list, type the following:
dnscmd /config /enableglobalqueryblocklist 1
5. To remove all names from the block list, type the following:
dnscmd /config /globalqueryblocklist
6. To replace the current block list with a list of the names that you specify, type the following:
dnscmd /config /globalqueryblocklist name [name]…
Posted by Chris on 21.05.09 at 12:56 pm
Absolutely, provided the version of dnscmd in use supports the syntax.
Chris