Global DNS Blocklist

After the rebuild of an AD Domain Controller I was wondering why I could no longer get a response from WPAD, when it hit me like a ton of bricks: the Global DNS Blacklist. This is a “feature” in some Microsoft products, in this case specifically Server 2008 R2, that blocks queries for specific DNS names (isatap and wpad by default, although you can add and remove names from the list), apparently for security, so that the address cannot be used to gain unauthorized access to the system through spoofing. All well and good, and I am all for added security, but a number of browsers require it for automatic proxy detection, hence we have to disable it.

Thankfully that is easy enough through an ADMINISTRATIVE command prompt, using the following commands.

If you want to check whether the DNS blocklist is enabled, type:

  dnscmd /info /enableglobalqueryblocklist

If it displays 1, it's enabled; if 0, it's disabled. Nice and simple. But wait, what if you want to see the contents of the blocklist? Again simple, through an administrative command prompt (let's assume from now on in this article that all command prompts are administrative, shall we). Simply type:

  dnscmd /info /globalqueryblocklist

This will make the blocklist print out onto your screen.

Now, how to disable it? Easy: simply input the following commands.

  1. dnscmd /config /globalqueryblocklist (Optional; this clears the blocklist, so that if something happens and it is re-activated, it is empty)
  2. dnscmd /config /enableglobalqueryblocklist 0

The second command there is the one that does the actual disabling; conversely, if you want to enable it, you should type dnscmd /config /enableglobalqueryblocklist 1. As an aside, if you want to ADD an item to the blocklist, this is done by typing the following: dnscmd /config /globalqueryblocklist name, where name is the item you want to add to the blocklist.
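A narrower alternative to the disable procedure above, as an added example that is not part of the original post: it keeps the block list enabled and takes only wpad off it, so isatap stays blocked. It wraps the dnscmd commands from the post in PowerShell; the service name DNS, the restart step and the variable and function names are assumptions made for this example.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the DNS server itself.
# Assumptions: the DNS Server service is named 'DNS'; dnscmd.exe is on the PATH.

$keepBlocked = @('isatap')   # names that stay blocked; wpad is deliberately absent

function Invoke-DnsCmd {
    param([string[]]$Arguments)
    $output = & dnscmd.exe $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
    $output
}

# 1. Record the current state so the change can be reviewed or rolled back.
'--- before ---'
Invoke-DnsCmd @('/info', '/enableglobalqueryblocklist')
Invoke-DnsCmd @('/info', '/globalqueryblocklist')

# 2. Clear the list (step 1 from the post), then put back only the names to keep.
Invoke-DnsCmd @('/config', '/globalqueryblocklist') | Out-Null
Invoke-DnsCmd (@('/config', '/globalqueryblocklist') + $keepBlocked) | Out-Null

# 3. Leave the feature switched on, the opposite of step 2 in the post.
Invoke-DnsCmd @('/config', '/enableglobalqueryblocklist', '1') | Out-Null

# 4. Restart the DNS Server service so the new settings are loaded.
Restart-Service -Name 'DNS'

# 5. Verify: wpad must be gone and every kept name must still be listed.
'--- after ---'
Invoke-DnsCmd @('/info', '/enableglobalqueryblocklist')
$listing = Invoke-DnsCmd @('/info', '/globalqueryblocklist')
$listing
if ($listing -match '\bwpad\b') { throw 'wpad is still on the block list' }
foreach ($name in $keepBlocked) {
    if (-not ($listing -match "\b$name\b")) { throw "$name is missing from the block list" }
}
```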

 

Also, don't forget to ensure that the MIME type for the WPAD file is defined as “application/x-ns-proxy-autoconfig”.

Written By Justin

2 Comments on “Global DNS Blocklist”

  1. Arran

    September 26, 2012 at 9:31

    Interesting… What’s in this list?

    • ShadowPeo

      October 8, 2012 at 8:31

      Just a list of strings stored within the Windows Registry as best I can tell. It just has two names in it (isatap and wpad), and basically anything in that list the DNS servers will not respond to if the function is enabled. You can clear the list, disable the function, add items to the list or whatever; just be aware it needs to reboot the service to update the settings.
