ISATAP

By default, DNS servers running Windows Server 2008 R2 or Windows Server 2008 use the global query block list to block the resolution of the name ISATAP. To allow name resolution for the ISATAP name, you must remove ISATAP from the global query block list of the DNS Server service for each DNS server on your intranet running Windows Server 2008 R2 or Windows Server 2008.To complete these procedures, you must be a member of the local Administrators group on the DNS server, or otherwise be delegated permissions to modify registry values on the DNS server.= To remove ISATAP from the DNS global query block list on a DNS server Click Start, type regedit.exe, and then press ENTER. In the console tree, open Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters. In the contents pane, double-click the GlobalQueryBlockList value. In the Edit Multi-String dialog box, remove the name ISATAP from the list, and then click OK. Start a command prompt as an administrator. In the Command Prompt window, run the following commands: net stop dns net start dns

The Set-DnsServerGlobalQueryBlockList cmdlet changes settings of a global query block list on a Domain Name System (DNS) server. This cmdlet replaces all names in the list of names that the DNS server does not resolve with the names that you specify.If you need the DNS server to resolve names such as ISATAP and WPAD, remove these names from the list. Web Proxy Automatic Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are two commonly deployed protocols that are particularly vulnerable to hijacking.

New Page