ISA2006自动发布设置后,在DNS里面添加WPAD cname记录,发现客户端web无法自动发现isa代理.
nslookup 中查询wpad记录也显示失败。
查阅windows 2008文档后发现,在2008 DNS中添加了一个新的功能 Global Query Block List区域,将WPAD(Web Proxy Automatic Discovery Protocol),ISATAP(Intra-site Tunnel Addressing Protocol)加入了阻止查询区域。
使用命令 dnscmd /config /GlobalQueryBlockList ISATAP将 WPAD记录移除
使用命令 dnscmd /info /GlobalQueryBlockList 检查现在列表记录
通过Nslookup能正常查询wpad记录。
这个设定要在每台windows 2008DNS服务器上执行。
查阅Global Query Block List白皮书,找了些资料。
1.WPAD的查询顺序,客户端浏览程序首先查询DHCP配置,如果失败,再查询DNS记录。
The browser locates this server by querying a DHCP server for the uniform resource locator (URL) of the network's WPAD server. If this query is unsuccessful, the browser attempts to locate the WPAD server by using standard DNS name-resolution queries.2. 因为恶意的用户可以通过注册名字为WPAD的DNS记录来实现发布网路中的伪装代理服务器,所以windows 2008提供了GQBL功能。
3. Global Query Block List 可以针对所有的记录,A, Cname,MX, SRV,但是不针对区域,例如我们创建 wpad.contoso.com的区域,它不会对这个区域组织。
4.dnscmd的一些相关命令
Command
|
Description
|
dnscmd /info /enableglobalqueryblocklist
|
Displays whether the global query block list is enabled. If the block list is enabled, this command returns the value 1. If the block list is not enabled, this command returns the value 0.
|
dnscmd /info /globalqueryblocklist
|
Displays the host names in the current block list, if any.
|
dnscmd /config /enableglobalqueryblocklist [0 | 1]
|
Enables or disables the block list. If you want the DNS Server service to ignore queries for the names in the block list, you set the value of this command to 1. If you want to disable the block list, you set the value of this command to 0. With a value of 0, the DNS Server service does not ignore queries for names in the block list.
|
dnscmd /config /globalqueryblocklist
|
Removes all names from the block list.
|
dnscmd /config /globalqueryblocklist name [name]…
|
Replaces the current block list with a list of the names that you specify. By default, the global query block list contains the following names:
· isatap
· wpad
The DNS Server service can remove either or both of these names when the DNS Server service starts the first time. For more information, see Installation Scenarios for the DNS server role.
|
5.GlobalQueryBlockList相关注册表
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\EnableGlobaQueryBlockList
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList
posted on 2009-03-18 16:48
joyclear 阅读(2112)
评论(0) 编辑 收藏 引用 所属分类:
Windows 2008