Windows Server 2008 R2 DNS & WPAD Annoyances

So I was working on a single-site Active Directory environment which had 3 Windows Server 2003 Domain Controllers. A couple of weeks ago I built a new physical Domain Controller, and a second virtual one, both on a shiny new Windows Server 2008 R2 build.

All appeared well: the DCs were replicating nicely and my own machine had been using the new servers for its DNS for a good couple of weeks. So one morning I scheduled a change to the DHCP scope for some user VLANs to hand out the new DNS servers.

Later that morning random users were reporting that their Internet access wasn't working and that they were getting denied pages back from the ISA server. That is expected for anyone who bypasses the proxy: we do not allow general Internet access out for end users unless they go through a filtering proxy, and the details for that proxy are supplied via a WPAD file.

I checked the machines out and found that auto-detect was indeed enabled in Internet Options, and that the web server hosting the WPAD file was up, yet the file would not download. I opened nslookup and queried an old DNS server for wpad and got the correct IP address of the internal web server. I then tried a new one and got an answer for wpad.co.uk rather than our company's web server, which is what you see when the short name fails and the resolver carries on down its suffix search list until it reaches a public domain.

I then tried the FQDN for wpad: the old server answered fine, the new server returned unknown host. I opened the DNS console and the wpad record did indeed exist on all 5 DNS servers on the company network. I deleted and recreated it just to be sure, but still got the same results.

After a small amount of googling I found that Windows Server 2008 and 2008 R2 DNS have a new security feature, the Global Query Block List. By default it contains the host names wpad and isatap, and the server refuses to answer queries for those names in any zone it is authoritative for, even when the record is sitting right there in the zone. So yes, that is right: your Windows Server 2008 R2 DNS server will not tell anyone where your WPAD file is, and that includes your own users.

The reason behind it is not that the location of the WPAD file is a secret. It is that in an AD-integrated zone with dynamic updates any domain-joined machine can register a host record for a name that does not yet exist, and whoever owns the name wpad becomes the proxy for every client that auto-detects its settings. The block list stops a rogue registration from ever being served, but it stops the legitimate record from being served too. In other words, the threat this defends against is an internal one, not an attacker on the Internet, and it applies whether or not your Domain Controllers are publicly resolvable (which I hope no Active Directory admin is allowing anyway).

Since all our DNS servers are completely internal, and our wpad record was created by an admin rather than registered by a client, I figured that any record I create should be resolvable internally, so I simply disabled the block list with the dnscmd utility. The less blunt option is to leave the list enabled and just take wpad out of it, so isatap is still blocked. Either way, you have to remember to do this on every DNS server you add, because the setting lives on each server rather than in the zone, but it is a quick one line command.

Here is a link to the TechNet article on the Global Query Block List: http://technet.microsoft.com/en-us/library/cc816908(WS.10).aspx
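The following script is an added example, not code from the original post. It audits the block list on every 2008 / 2008 R2 DNS server in the domain, shows whether the wpad record is actually present on each one, applies either the narrow fix (drop wpad from the list, keep isatap) or the blunt one (switch the list off), and then queries each server directly for the FQDN so the client's suffix search list cannot hide the result. It assumes every Domain Controller runs DNS, that dnscmd.exe is available (DNS Server tools from RSAT), that you run it as a member of DnsAdmins, and the zone name corp.example.com is a placeholder for your own.

```powershell
# Added example, not code from the original post.  Audits the Global Query Block List on
# every Windows Server 2008/2008 R2 DNS server in the domain and optionally fixes it.
# Assumptions: every DC runs DNS, dnscmd.exe is on the path (DNS Server tools from RSAT),
# and you are running as a member of DnsAdmins.  The zone name is a placeholder.
#   .\Check-Gqbl.ps1                       # audit only
#   .\Check-Gqbl.ps1 -Mode RemoveWpad      # keep the list, drop wpad from it (recommended)
#   .\Check-Gqbl.ps1 -Mode Disable         # what the post did: switch the list off
param(
    [ValidateSet('Audit', 'RemoveWpad', 'Disable')]
    [string]$Mode = 'Audit',
    [string]$Zone = 'corp.example.com'    # assumption: your AD-integrated zone
)

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Only 2008 and later have the block list; dnscmd /Info for it would just error on 2003.
$dnsServers = $domain.DomainControllers | Where-Object { $_.OSVersion -notmatch '2003' }

foreach ($dc in $dnsServers) {
    $server = $dc.Name
    Write-Host "==== $server ($($dc.OSVersion))"

    # The setting lives in each server's registry, not in the zone, so check every one.
    dnscmd $server /Info /EnableGlobalQueryBlockList
    dnscmd $server /Info /GlobalQueryBlockList

    # Prove the record itself is present on this server before blaming replication.
    dnscmd $server /EnumRecords $Zone wpad

    switch ($Mode) {
        'RemoveWpad' {
            # Replace the list with isatap only: wpad is served again, isatap stays blocked.
            dnscmd $server /Config /GlobalQueryBlockList isatap
        }
        'Disable' {
            # Blunt fix from the post: stop enforcing the list on this server.
            dnscmd $server /Config /EnableGlobalQueryBlockList 0
        }
    }

    # Ask this server directly for the FQDN so the client's suffix search list cannot
    # wander off to a public domain and mask the answer.
    nslookup "wpad.$Zone" $server 2>&1 |
        Select-String -Pattern 'Address|Non-existent|can.t find'
}
```

Run it in Audit mode first on a server you know is broken; you should see the list enabled, wpad in it, the record present from /EnumRecords, and nslookup still reporting the name as non-existent, which is the whole contradiction in one screen. If a lookup still fails after a /Config change, restart the DNS Server service on that box and test again. Whichever mode you pick, keep the wpad record itself a static record created by an admin, so that a client cannot register or take over the name through dynamic update once the server is willing to answer for it.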
