Answer :
- Run the Set-DnsServerGlobalQueryBlockList cmdlet on Server1.
Explanation :
Windows Server 2008 introduced a new feature, called "Global Query Block list", which prevents
somearbitrary machine from registering the DNS name of WPAD. This is a good security feature,
as it prevents someone from just joining your network, and setting himself up asa proxy. The
dynamic update feature of Domain Name System (DNS) makes it possible for DNS client
computers toregister and dynamically update their resource records with a DNS server whenever
a client changes itsnetwork address or host name. This reduces the need for manual administration
of zone records. This convenience comes at a cost, however,because any authorized client can
register any unused host name, even a host name that might havespecial significance for certain
Applications. This can allow a malicious user to take over a special nameand divert certain types
of network traffic to that user's computer. Two commonly deployed protocols are particularly
vulnerable to this type of takeover: the Web ProxyAutomatic Discovery Protocol (WPAD) and the
Intra-site Automatic Tunnel Addressing Protocol (ISATAP). Even if a network does not deploy these
protocols, clients that are configured to use them are vulnerable to thetakeover that DNS dynamic
update enables. Most commonly, ISATAP hosts construct their PRLs by using DNS to locate a host
named isatap on the localdomain. For example, if the local domain is corp.contoso.com, an
ISATAP-enabled host queries DNS to obtainthe IPv4 address of a host named
isatap.corp.contoso.com. In its default configuration, the Windows Server 2008 DNS Server service
maintains a list of names that, ineffect, it ignores when it receives a query to resolve the name in
any zone for which the server is authoritative. Consequently, a malicious user can spoof an ISATAP
router in much the same way as a malicious user canspoof a WPAD server: A malicious user can
use dynamic update to register the user's own computer as acounterfeit ISATAP router and then
divert traffic between ISATAP-enabled computers on the network. The initial contents of the block
list depend on whether WPAD or ISATAP is already deployed when you addthe DNS server role to
an existing Windows Server 2008 deployment or when you upgrade an earlier versionof Windows
Server running the DNS Server service. Add- DnsServerResourceRecord - The Add-
DnsServerResourceRecordcmdlet adds a resource record for aDomain Name System (DNS) zone
on a DNS server. You can add different types of resource records. Use different switches for
different record types. By using this cmdlet, you can change a value for a record, configure whether
a record has a time stamp,whether any authenticated user can update a record with the same
owner name, and change lookup timeoutvalues, Windows Internet Name Service (WINS) cache
settings, and replication settings. Set-DnsServerGlobalQueryBlockList - The Set-
DnsServerGlobalQueryBlockListcmdlet changes settingsof a global query block list on a Domain
Name System (DNS) server. This cmdlet replaces all names in the list of names that the DNS
server does not resolve with the names thatyou specify. If you need the DNS server to resolve
names such as ISATAP and WPAD, remove these names from the list. Web Proxy Automatic
Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol(ISATAP) are two
commonly deployed protocols that are particularly vulnerable to hijacking.
