Re: Proxy detection for IPv6 vs. Legacy IP



Bjørn Mork <bjorn mork no> writes:

Please don't.  WPAD via DNS is a security nightmare.  Have your friendly
DNS resolver operator send over some query logs for wpad host names, and
you'll quickly realize that there is no end to the attack vectors.  The
basic problem is that there is no way to establish a "safe" base
domain. And if there were, there would be no way to know how far up the
tree is safe. Or if dynamic registration of "wpad" is allowed within
that domain, ref
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0093
Might be "fixed" in Windows, but how about other dynamic zones?

If anyone is still interested, I just happened to read RFC5507 for
other reasons and stumbled across the section "4. Zone Boundaries are
Invisible to Applications":
https://tools.ietf.org/html/rfc5507#section-4

Which is a pretty extensive explanation of why the WPAD DNS design is
wrong, without even mentioning WPAD :)

WPAD in DNS is best forgotten.



Bjørn
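As an added illustration, not part of Bjørn's mail: the "walk up the tree" lookup sequence the mail describes, and a defender-side scan of resolver query logs for wpad lookups that land outside the zones the organisation actually controls. The BIND-style log format, the sample lines and the trusted-zone list are constructed assumptions.

```python
import re

# Constructed, BIND-style query-log lines (not real data). One client walks
# from its own sub-domain up to the public suffix, over both A and AAAA.
SAMPLE_LOG = [
    "client 192.0.2.10#5353: query: wpad.dept.example.co.uk IN A + (198.51.100.1)",
    "client 192.0.2.10#5353: query: wpad.example.co.uk IN A + (198.51.100.1)",
    "client 192.0.2.10#5353: query: wpad.co.uk IN A + (198.51.100.1)",
    "client 2001:db8::7#40123: query: wpad.co.uk IN AAAA + (198.51.100.1)",
    "client 192.0.2.11#1234: query: www.example.com IN A + (198.51.100.1)",
]

# Accepts both the older "client IP#port:" and newer "client @ptr IP#port (name):" forms.
LOG_LINE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \(\S+\))?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)

def wpad_candidates(client_fqdn, min_labels=2):
    """Names a DNS-based WPAD client tries, dropping one label at a time.
    The client cannot see where its organisation's zone ends (RFC 5507 s.4),
    so it keeps going until only min_labels are left."""
    labels = client_fqdn.rstrip(".").split(".")[1:]   # drop the host label
    out = []
    while len(labels) >= min_labels:
        out.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return out

def find_wpad_queries(log_lines, trusted_zones):
    """(client_ip, qname) for every wpad lookup whose name is not at or
    below a zone we control; those are the ones someone else could answer."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if not qname.startswith("wpad."):
            continue
        zone = qname[len("wpad."):]
        if not any(zone == z or zone.endswith("." + z) for z in trusted_zones):
            hits.append((m.group("ip"), qname))
    return hits

if __name__ == "__main__":
    for name in wpad_candidates("host.dept.example.co.uk"):
        print("client would try:", name)
    for ip, qname in find_wpad_queries(SAMPLE_LOG, ["example.co.uk"]):
        print(f"WARNING {ip} looked up {qname} outside the zones we control")
```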