Saturday, January 26, 2008

Global DNS Query Block List in Windows Server 2008

Looking over at the TechNet DNS sub-site, I've been reading a neat document: DNS Server Global Query Block List. The document describes a new feature in WS08's DNS Server: the Global Query Block List.

Some network protocols rely on DNS name resolution  to resolve specific well known host names. Two examples are WPAD and ISATAP. Malicious users could register hosts computers using these names and thus pose as a legitimate server.

Windows uses the web proxy auto-discovery protocol to discover a local web proxy. The client queries DNS for wpad.<domain> where <domain> is the computer's domain name (eg for a computer in the domain).

Intra-site Automatic Tunnel Addressing Protocol (ISATAP) is part of the set of protocols used to aid in IPv6 migration. ISATAP tunnels IPv6 traffic in IPv4 packets. The IPv6 traffic comes from an IPv6 network to the ISATAP server for for transmission across IPv4 only networks. Essentially, ISATAP servers encapsulate inbound IPv6 traffic into IPV4 traffic and passes it to another ISATAP server for conversion back to IPv6 and transmission to another IPv6 aware host. ISATAP does not provide for automatic ISATAP router discovery. ISATAP hosts use a potential routers list (PRL) to discover available ISATAP routers, typically  by using DNS to locate a host named isatap on the local domain (eg

In the case of both these protocols, if a malicious user was to rename their system it could then appear to be a genuine server, to the potential detriment of the user. The result may just be a denial of service, but could be worse. And even if your network doesn't use these protocols, your clients my be trying to use them anyway. In that case, they are vulnerable to the hijacking that DNS dynamic update enables.

The Server Block list prevents such hijacking by refusing to reply to a query. This renders the dynamic update useless. If you subsequently implement either protocol, then just remove the relevant name from the block list. Before doing this, you should manually enter the relevant RRs into DNS, and adjust the ACLs to remove the miscreant's ability to hijack the name.

And of course, you can use this same technique in your own environment, perhaps by protecting a computer called accounting, or manufacturing or something similar.

To configure the DNS query block list, you use DNSCMD as shown here:

PS C:\foo> dnscmd /config /globalqueryblocklist wpad isatap gratefuldeadmusiclibrary

Registry property globalqueryblocklist successfully reset.
Command completed successfully.

To view the current block list, use the /info switch with DNSCMD as shown here:

PS C:\foo> dnscmd /info /globalqueryblocklist

Query result:
String:  wpad
String:  isatap
String:  gratefuldeadmusiclibrary

Command completed successfully.

A neat feature!

No comments: