The DNS Server role in Windows Server 2008 introduces a global query block list to reduce vulnerability associated with dynamic DNS updates.
If you want to use WPAD with DNS, note the following:
- If WPAD entries are configured in DNS before the DNS server is upgraded to Windows Server 2008, no action is required.
- If you configure or remove WPAD after you
deploy the DNS server role on a server running Windows
Server 2008, you must update the block list on all DNS servers
that host the zones affected by the change. The affected zones are
those where you registered the WPAD servers.
Updating the block list
Use the dnscmd command-line tool to manage the global query block list. Open a command line prompt, and then do the following:
- To check whether the global query block list is enabled, type the
following:
dnscmd /info /enableglobalqueryblocklist
- To display the host names in the current block list, type the
following:
dnscmd /info /globalqueryblocklist
- To disable the block list and ensure that the DNS Server
service does not ignore queries for names in the block list, type
the following:
dnscmd /config /enableglobalqueryblocklist 0
- To enable the block list and ensure that the DNS Server service
ignores queries for names in the block list, type the
following:
dnscmd /config /enableglobalqueryblocklist 1
- To remove all names from the block list, type the
following:
dnscmd /config /globalqueryblocklist
- To replace the current block list with a list of the names that
you specify, type the following:
dnscmd /config /globalqueryblocklist name [name]…
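The commands above applied to every DNS server that hosts an affected zone, as an added PowerShell example that is not part of the original document. The server names are placeholders, and the block list assumes WPAD is being deployed, so wpad is left out and isatap (the other default entry) stays blocked.

```powershell
# Placeholder host names (assumption): every DNS server hosting the affected zones.
$DnsServers = @('dns01.corp.example', 'dns02.corp.example')

# Names that must stay blocked after the change. Assumption: WPAD is being
# deployed, so 'wpad' is omitted and 'isatap' is kept.
$BlockList = @('isatap')

function Invoke-Dnscmd {
    param([string]$Server, [string[]]$Arguments)
    # dnscmd accepts the target server name as its first argument.
    $output = & dnscmd.exe $Server $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $Arguments failed on ${Server}: $output"
    }
    $output
}

$failed = @()
foreach ($server in $DnsServers) {
    Write-Host "== $server =="
    try {
        # Show the list as it was before the change, for the change record.
        Invoke-Dnscmd $server @('/info', '/globalqueryblocklist')
        # Replace the list, then make sure blocking itself is left enabled.
        Invoke-Dnscmd $server (@('/config', '/globalqueryblocklist') + $BlockList) | Out-Null
        Invoke-Dnscmd $server @('/config', '/enableglobalqueryblocklist', '1') | Out-Null
        # Read both settings back so the operator can confirm the result.
        Invoke-Dnscmd $server @('/info', '/enableglobalqueryblocklist')
        Invoke-Dnscmd $server @('/info', '/globalqueryblocklist')
    }
    catch {
        # Keep going: one unreachable server must not hide the state of the rest.
        Write-Warning $_.Exception.Message
        $failed += $server
    }
}

if ($failed.Count -gt 0) {
    Write-Warning "Block list NOT confirmed on: $($failed -join ', ')"
}
```

Any server listed in the final warning still has its old block list and will answer differently from the others until the commands are rerun against it.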
For more information and instructions, see the document "DNS Server Global Query Block List", available for download from Domain Name System at Microsoft TechNet.