Your network contains an Active Directory domain named contoso.com. All servers run Windows
Server 2012 R2.Client computers run either Windows 7 or Windows 8.
All of the computer accounts of the client computers reside in an organizational unit (OU) named
Clients. A Group Policy object (GPO) named GPO1 is linked to the Clients OU. All of the client
computers use a DNS server named Server1.
You configure a server named Server2 as an ISATAP router. You add a host (A) record for ISATAP to
the contoso.com DNS zone.
You need to ensure that the client computers locate the ISATAP router.
What should you do?
A.
Run the Set-DnsServerGlobalQueryBlockList cmdlet on Server1.
B.
Configure the Network Options Group Policy preference of GPO1.
C.
Run the Add-DnsServerResourceRecord cmdlet on Server1.
D.
Configure the DNS Client Group Policy setting of GPO1.
Explanation:
The Set-DnsServerGlobalQueryBlockList command will change the settings of a global query block list
which you can use to ensure that client computers locate the ISATAP router.
Windows Server 2008 introduced a new feature, called “Global Query Block list”, which prevents
some arbitrary machine from registering the DNS name of WPAD. This is a good security feature, as
it prevents someone from just joining your network, and setting himself up as a proxy. The dynamic
update feature of Domain Name System (DNS) makes it possible for DNS client computers to register
and dynamically update their resource records with a DNS server whenever a client changes its
network address or host name. This reduces the need for manual administration of zone records.
This convenience comes at a cost, however, because any authorized client can register any unused
host name, even a host name that might have special significance for certain Applications. This can
allow a malicious user to take over a special name and divert certain types of network traffic to that
user’s computer. Two commonly deployed protocols are particularly vulnerable to this type of
takeover: the Web Proxy Automatic Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel
Addressing Protocol (ISATAP). Even if a network does not deploy these protocols, clients that are
configured to use them are vulnerable to the takeover that DNS dynamic update enables. Most
commonly, ISATAP hosts construct their PRLs by using DNS to locate a host named isatap on the
local domain. For example, if the local domain is corp.contoso.com, an ISATAP-enabled host queries
DNS to obtain the IPv4 address of a host named isatap.corp.contoso.com. In its default
configuration, the Windows Server 2008 DNS Server service maintains a list of names that, in effect,
it ignores when it receives a query to resolve the name in any zone for which the server is
authoritative. Consequently, a malicious user can spoof an ISATAP router in much the same way as a
malicious user can spoof a WPAD server: A malicious user can use dynamic update to register the
user’s own computer as a counterfeit ISATAP router and then divert traffic between ISATAP-enabled
computers on the network. The initial contents of the block list depend on whether WPAD or ISATAP
is already deployed when you add the DNS server role to an existing Windows Server 2008
deployment or when you upgrade an earlier version of Windows Server running the DNS Server
service. Add- DnsServerResourceRecord – The Add-DnsServerResourceRecordcmdlet adds a
resource record for a Domain Name System (DNS) zone on a DNS server. You can add different types
of resource records. Use different switches for different record types. By using this cmdlet, you can
change a value for a record, configure whether a record has a time stamp, whether any
authenticated user can update a record with the same owner name, and change lookup timeoutvalues, Windows Internet Name Service (WINS) cache settings, and replication settings. SetDnsServerGlobalQueryBlockList – The Set-DnsServerGlobalQueryBlockListcmdlet changes settings of
a global query block list on a Domain Name System (DNS) server. This cmdlet replaces all names in
the list of names that the DNS server does not resolve with the names that you specify. If you need
the DNS server to resolve names such as ISATAP and WPAD, remove these names from the list. Web
Proxy Automatic Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol
(ISATAP) are two commonly deployed protocols that are particularly vulnerable to hijacking.
References:
Training Guide: Installing and Configuring Windows Server 2012 R2, Chapter 4: Deploying domain
controllers, Lesson 4: Configuring IPv6/IPv4 Interoperability, p. 254-256
http://technet.microsoft.com/en-us/library/jj649942(v=wps.620).aspx
http://technet.microsoft.com/en-us/library/jj649876(v=wps.620).aspx
http://technet.microsoft.com/en-us/library/jj649874.aspx
http://technet.microsoft.com/en-us/library/jj649909.aspx