I was recently configuring an ISA server for a network support customer including automatic configuration using WPAD. The customer had a 2008 SBS server and a 2003 ISA server (running ISA 2006). I added a "wpad" alias (CNAME) to the DNS server on the SBS box to allow clients to automatically detect the new ISA server. However, when I tried to resolve the entry on the SBS server as well as other hosts on the network, it never would resolve. I tried other CNAME entries on the server, and they all worked fine. I tried removing the entry and reading it, but got the same behavior. I decided to let it sit overnight to see if it was a timing issue. The next day, I still couldn’t resolve "wpad" or "wpad.bofc.local". I started digging and found that the DNS service on Windows Server 2008 has a built-in "block list" for some potentially dangerous DNS names. The default list includes "wpad" and "isatap". Gotcha! Since I wasn’t concerned with blocking any DNS names, I decided to turn off the "block list". I used the following dnscmd command: [more]
dnscmd /config /enableglobalqueryblocklist 0
Other helpful commands when dealing with this include (from http://technet.microsoft.com/en-us/library/cc995158.aspx):
To check whether the global query block is enabled, type the following:
dnscmd /info /enableglobalqueryblocklist
To display the host names in the current block list, type the following:
dnscmd /info /globalqueryblocklist
To disable the block list and ensure that the DNS Server service does not ignore queries for names in the block list, type the following:
dnscmd /config /enableglobalqueryblocklist 0
To enable the block list and ensure that the DNS Server service ignores queries for names in the block list, type the following:
dnscmd /config /enableglobalqueryblocklist 0
To remove all names from the block list, type the following:
dnscmd /config /globalqueryblocklist
To replace the current block list with a list of the names that you specify, type the following:
dnscmd /config /globalqueryblocklist name [name]…