At work, we're doing a POC (proof of concept) with a web proxy, specifically the Ironport Websecurity Appliance. As with almost all proxies, you have to get the traffic from the client to the proxy. It supports transparent traffic redirection, but we're looking at using WPAD instead.
However, when I created the WPAD DNS entry, it didn't resolve.
C:\>ping wpad
Ping request could not find host wpad. Please check the name and try again.
C:\>nslookup wpad <DNSServer1>
Server: <DNSServer1>.domain.net
Address: <IPofDNSServer1>
*** <DNSServer1>.domain.net can't find wpad: Non-existent domain
This, of course, is a big problem. It took a little investigating, but I found the cause.
Windows Server 2008 introduced a new feature, called "Global Query Block list", which prevents some arbitrary machine from registering the DNS name of WPAD. This is a good security feature, as it prevents someone from just joining your network, and setting himself up as a proxy.
However, my DNS server is Windows 2003?
It doesn't have the "Global Query Block List".
Well, when the documentation was written, it didn't, but a DNS service patch Microsoft published last year DID!
As far as I can tell, http://support.microsoft.com/kb/961063 included the "Global Query Block List". It's not supposed to be enabled by default, but mine was, and I did not intentionally turn it on. But here's the best news: not all the pieces of the feature made it down to 2003. The TechNet article http://technet.microsoft.com/en-us/library/cc995158.aspx shows how to manipulate the "Global Query Block List", and sure enough, the command of:
dnscmd /info /enableglobalqueryblocklist
Query result:
Dword: 1 (0000000000000001)
Command completed successfully.
Shows the block list is enabled, but the command:
dnscmd /info /globalqueryblocklist
Info query failed
status = 9553 (0x00002551)
Command failed: DNS_ERROR_INVALID_PROPERTY 9553 (00002551)
Which is supposed to show you what's in the block list fails.
Great.
So there are two options here:
1. Turn off the "Global Query Block List"
2. Remove WPAD from the "Global Query Block List"
Turning off the "Global Query Block List" is easy; just run the command:
dnscmd /config /enableglobalqueryblocklist 0
That's it. It's off. No service restart required. But what if you turned it off and want to turn it back on? You can't run the opposite command of:
dnscmd /config /enableglobalqueryblocklist 0
Why not? Because Microsoft goofed in their documentation. It's actually the same command as the one to turn it off! The correct command is:
dnscmd /config /enableglobalqueryblocklist 1
Removing WPAD while leaving the block list enabled is a little more difficult.
The "Global Query Block List" is stored here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList
Mine had the entries WPAD and ISATAP. Remove the WPAD entry and restart the DNS service so that it reloads the block list. Note that there is a trailing newline character after ISATAP; it's best to leave it there.
Note that there is a command line that is supposed to edit this block list, but again it's broken in the 2003 implementation. Hopefully a later patch or service pack will fix these features. Make sure to make changes to all your DNS services.
This is a per-machine setting, not a zone setting, so if you're using Active Directory Integrated zones, this change won't replicate.
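Because the setting is per machine and does not replicate, it is worth comparing the block list state on every DNS server after making the change. The script below is an added example, not part of the original post: the server names are placeholders, and it assumes dnscmd is available on the admin workstation and that the Remote Registry service is reachable on each DNS server.

```powershell
# Added example: audit the Global Query Block List on every DNS server.
# Server names are constructed placeholders; replace them with your own.
$DnsServers = @('dns01.example.net', 'dns02.example.net')
$ParamsKey  = 'SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-BlockListState {
    param([Parameter(Mandatory = $true)][string]$Server)

    # Enabled flag: parse the "Dword: 1 (...)" line that dnscmd prints.
    $enabled = $null
    $out = & dnscmd $Server /info /enableglobalqueryblocklist 2>&1
    foreach ($line in $out) {
        if ("$line" -match 'Dword:\s*(\d+)') { $enabled = [int]$Matches[1]; break }
    }

    # Entries: read the registry value directly, because
    # "dnscmd /info /globalqueryblocklist" fails on the 2003 implementation.
    $names = @()
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Server)
    try {
        $key = $hklm.OpenSubKey($ParamsKey)
        if ($key) {
            $names = @($key.GetValue('GlobalQueryBlockList', @()) |
                Where-Object { $_ } | ForEach-Object { $_.ToLower() })
            $key.Close()
        }
    } finally { $hklm.Close() }

    New-Object PSObject -Property @{
        Server      = $Server
        Enabled     = $enabled
        Entries     = ($names | Sort-Object) -join ','
        WpadBlocked = ($enabled -eq 1) -and ($names -contains 'wpad')
    }
}

$report = foreach ($s in $DnsServers) {
    try { Get-BlockListState -Server $s }
    catch { Write-Warning "$s : $($_.Exception.Message)" }
}
$report | Format-Table Server, Enabled, Entries, WpadBlocked -AutoSize

# The setting does not replicate, so differing rows mean the servers will
# answer wpad queries differently.
$distinct = @($report | Group-Object Enabled, Entries)
if ($distinct.Count -gt 1) { Write-Warning 'Block list differs between DNS servers.' }
```

A server that reports WpadBlocked as True will keep answering "Non-existent domain" for wpad even though the record exists in the zone.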
Nice helped me thanks.
Great article explaining what is happening and how to correct the issue. Thank you.
This saved my arse this morning thanks, I was at a complete loss why my new DNS server wasn't resolving wpad when I was staring at the record right in front of me!
good work :-)
Nice article, helped me get it right. I was at a loss why my Win 2012 DNS server can resolve anything but wpad.
Great help Thank You
You saved my ... THANKS!
still applicable in WS2016, tyvm
9 years after writing this post and it is STILL relevant! Thanks for this.
We are using DSC to manage this setting on our DNS (GC) servers. Just makes life easier. Thank you for the article. It helped a lot.