Does Removing ISATAP for the DNS Block List Impact Security?

  • Article

imageIf you choose to deploy ISATAP to support your DirectAccess deployment, one of the things you need to do is remove the name ISATAP from the DNS block list if you’re using a Windows DNS server running Windows Server 2003 SP2 or above. By default, these DNS servers will not resolve queries for the names WPAD and ISATAP. Even if there is a resource record for WPAD or ISATAP in DNS, the DNS server will not return a response for those names if they are on the DNS query block list.

The reason for this is that it’s possible for a rogue device to dynamically register these names in DNS. If that happens, there is the possibility that client systems will auto-configure themselves to use the rogue device as their web proxy, or configure their ISATAP adapters to use the rogue device as their ISATAP gateway. Both of these scenarios are enabled by the fact that Internet Explorer uses auto-discovery by default to configure the web proxy, and the ISATAP adapter is enabled by default if the name ISATAP can be resolved and the client can contact an ISATAP router.

If you check this link you will find a document that contains the following statement:

“By default, the DNS Server service in Windows Server 2008 and later blocks name resolution for the name ISATAP through the DNS Global Query Block List. To use ISATAP on your intranet, you must remove the ISATAP name from the list for all DNS servers running Windows Server 2008 and later. For more information, see Remove ISATAP from the DNS Global Query Block List in the DirectAccess Deployment Guide..”

The question then is “if ISATAP responses from the DNS server is considered unsecure, then isn’t deploying ISATAP on the network considered unsecure?”image

The answer is “no”. The reason for this is that when you deploy ISATAP on your network and enable the DNS server to answer queries for ISATAP, you will enter a static Host (A) record for ISATAP. When you configure the static DNS resource record, it will not be overwritten by dynamic registrations by potential rogue hosts. Therefore, the security implications of removing ISATAP from the DNS block list are mitigated since no one can dynamically overwrite the static ISATAP record you created.

However, if you decide that you don’t want to use ISATAP, or at least don’t want to use DNS to inform ISATAP hosts of the ISATAP router, then you should put ISATAP back into the DNS block list and remove the ISATAP resource record from your DNS server.

You can find out more about the DNS query block list HERE.

HTH,

Tom

Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management/ICG
Anywhere Access Group (AAG)
The “Edge Man” blog : https://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: https://twitter.com/tshinder
Facebook: https://www.facebook.com/tshinder