Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012.
Client computers run either Windows 7 or Windows 8.
All of the computer accounts of the client computers reside in an organizational unit (OU) named Clients. A
Group Policy object (GPO) named GP01 is linked to the Clients OU. All of the client computers use a DNS
server named Server1.
You configure a server named Server2 as an ISATAP router. You add a host (A) record for ISATAP to the
contoso.com DNS zone.
You need to ensure that the client computers locate the ISATAP router.
What should you do?
A. Run the Add-DnsServerResourceRecord cmdlet on Server1.
B. Configure the DNS Client Group Policy setting of GPO1.
C. Configure the Network Options Group Policy preference of GPO1.
D. Run the Set-DnsServerGlobalQueryBlockList cmdlet on Server1.
Explanation:
Windows Server 2008 introduced a new feature, called the “Global Query Block List”, which prevents some arbitrary
machine from registering the DNS name of WPAD.
This is a good security feature, as it prevents someone from just joining your network and setting himself up
as a proxy.
The dynamic update feature of Domain Name System (DNS) makes it possible for DNS client computers
to register and dynamically update their resource records with a DNS server whenever a client changes
its network address or host name.
This reduces the need for manual administration of zone records. This convenience comes at a cost, however,
because any authorized client can register any unused host name, even a host name that might have special
significance for certain applications. This can allow a malicious user to take over a special name and divert
certain types of network traffic to that user’s computer.
Two commonly deployed protocols are particularly vulnerable to this type of takeover: the Web Proxy Automatic
Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing Protocol (ISATAP).
Even if a network does not deploy these protocols, clients that are configured to use them are vulnerable to
the takeover that DNS dynamic update enables.
Most commonly, ISATAP hosts construct their potential router lists (PRLs) by using DNS to locate a host named isatap on the
local domain. For example, if the local domain is corp.contoso.com, an ISATAP-enabled host queries DNS to
obtain the IPv4 address of a host named isatap.corp.contoso.com.
In its default configuration, the Windows Server 2008 DNS Server service maintains a list of names that,
in effect, it ignores when it receives a query to resolve the name in any zone for which the server is authoritative.
Consequently, a malicious user can spoof an ISATAP router in much the same way as a malicious user
can spoof a WPAD server: a malicious user can use dynamic update to register the user’s own computer as
a counterfeit ISATAP router and then divert traffic between ISATAP-enabled computers on the network.
The initial contents of the block list depend on whether WPAD or ISATAP is already deployed when you add the
DNS Server role to an existing Windows Server 2008 deployment or when you upgrade an earlier version of
Windows Server running the DNS Server service.
Add-DnsServerResourceRecord – The Add-DnsServerResourceRecord cmdlet adds a resource record for
a Domain Name System (DNS) zone on a DNS server.
You can add different types of resource records. Use different switches for different record types.
By using this cmdlet, you can change a value for a record, configure whether a record has a time stamp,
whether any authenticated user can update a record with the same owner name, and change lookup
timeout values, Windows Internet Name Service (WINS) cache settings, and replication settings.
Set-DnsServerGlobalQueryBlockList – The Set-DnsServerGlobalQueryBlockList cmdlet changes settings of a
global query block list on a Domain Name System (DNS) server. This cmdlet replaces all names in the list of
names that the DNS server does not resolve with the names that you specify.
If you need the DNS server to resolve names such as ISATAP and WPAD, remove these names from the list.
Web Proxy Automatic Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol
(ISATAP) are two commonly deployed protocols that are particularly vulnerable to hijacking.
http://technet.microsoft.com/en-us/library/jj649857(v=wps.620).aspx
http://technet.microsoft.com/en-us/library/cc794902%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/security/bulletin/ms09-008
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0093
Windows DNS Server in Microsoft Windows 2000 SP4, Server 2003 SP1 and SP2, and
Server 2008, when dynamic updates are enabled, does not restrict registration of the “wpad” hostname, which
allows remote authenticated users to hijack the Web Proxy Auto-Discovery (WPAD) feature and conduct man-in-the-middle attacks by spoofing a proxy server, via a Dynamic Update request for this hostname, aka “DNS
Server Vulnerability in WPAD Registration Vulnerability,” a related issue to CVE-2007-1692.
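As an added illustration (not part of the original explanation), the following PowerShell, run on the DNS server, removes only the isatap entry from the Global Query Block List rather than disabling the whole list, so wpad stays blocked, and then verifies that the ISATAP record resolves and that only the intended router address is registered. It assumes the DnsServer module is available and that the isatap A record already exists in contoso.com.

```powershell
# Added example, not from the original page: narrow the Global Query Block List
# so the DNS server answers queries for isatap.contoso.com while wpad stays blocked.
# Assumes the DnsServer module (Windows Server 2012 / RSAT) is installed and the
# isatap A record was already added to the contoso.com zone.
Import-Module DnsServer

$zone = 'contoso.com'

# Inspect the current list (default entries: isatap and wpad)
$current = Get-DnsServerGlobalQueryBlockList
"Block list enabled: $($current.Enable); names: $($current.List -join ', ')"

# Keep every entry except isatap. Avoid -Enable $false here: that switches the
# list off entirely and would also let an arbitrary host claim the wpad name.
$remaining = @($current.List | Where-Object { $_ -ne 'isatap' })
Set-DnsServerGlobalQueryBlockList -List $remaining -Enable $true

# Confirm the new list contents
Get-DnsServerGlobalQueryBlockList | Select-Object Enable, List

# The server should now answer for the ISATAP name
Resolve-DnsName -Name "isatap.$zone" -Type A -Server localhost -ErrorAction Stop |
    Select-Object Name, IPAddress

# Audit check: list every A record registered under the isatap name so an
# unexpected address (a dynamically registered counterfeit router) stands out.
Get-DnsServerResourceRecord -ZoneName $zone -Name 'isatap' -RRType A |
    Select-Object HostName, Timestamp, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }
```

The last query is worth scheduling: the name is now resolvable, so any additional A record for isatap that appears later with a timestamp (a dynamically registered record, rather than the static one you created) should be investigated.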
I think the answer is C: “Configure the Network Options Group Policy preference of GPO1”
The question is “How do the clients discover the ISATAP router?”
Look at this link: http://techontip.wordpress.com/2013/04/02/windows-2012-direct-access-isatap-router/
D
Managing the Global Query Block List
The dynamic update feature of Domain Name System (DNS) makes it possible for DNS client computers to register and dynamically update their resource records with a DNS server whenever a client changes its network address or host name. This reduces the need for manual administration of zone records
http://technet.microsoft.com/nl-nl/library/cc794902%28v=ws.10%29.aspx
The question represents only a single domain, so a DNS search suffix is not necessary in the network properties. It will find it by the primary domain suffix which was obtained when the computer joined the domain (System properties/General/Computer Name/More).
Global Query Block List (blocks DNS queries for common preset host names that are a security risk, e.g. WPAD.contoso.com, isatap.contoso.com) is on by default. If you want to see what’s in the list:
c:>dnscmd /info /globalqueryblocklist
In order to disable Global Query Block List,
dnscmd /config /enableglobalqueryblocklist 0
or
in PS, set-dnsserverglobalqueryblocklist -enable $false
By disabling the Global Query Block List, the DNS server will respond to a client’s DNS query to locate the ISATAP router.
Here is an explanation of why D is correct.
http://blogs.technet.com/b/tomshinder/archive/2011/04/19/does-removing-isatap-for-the-dns-block-list-impact-security.aspx