WPAD and "Global Query Block List"

Hi,
We would like to use the “Automatically detect settings� option of IE
combined with WPAD option configured on our Proxy servers and DNS server, but
going trough the following article
(http://technet.microsoft.com/en-us/l.../cc794902.aspx)
I see that there seems be some risks using that, not being a DNS specialist
I would to know if there are ways to overcome the issues mentioned in the
article ?

Thanks in advance for your assistance.
Luca

You never specified exactly "what" problem you are talking about. I assume
it was this one:

" malicious user to accomplish this without requiring the intervention of a
DNS system administrator simply by giving a computer the name wpad and then
connecting it to the network. As long as there is no other computer in the
zone with the same name, the computer of the malicious user can register its
name with the DNS server that is authoritative for its zone and then direct
all WPAD queries to itself"

This is not a problem that you have when you use WPAD,...this is a problem
you can have if you *don't* use WPAD because the default setting in IE is to
automatically detect the proxy (Firefox is the opposite). So if you are
*not* actually using WPAD then there is no Host Record (or CNAME) on the DNS
called "wpad" which leaves an opening for the user to do what the above
descibed.

But when you *are* using WPAD then you would have a CNAME in DNS called
"wpad" that points to the Host Record of the Proxy. The user would not be
able to do what is decribed above because it would cause a "duplicate name"
on the network and the DNS would not register his machine with that
name,...that is even more so obvious when you consider that the real wpad
entry in DNS is Static and can't be dynamically over-written..

The Global Query Block list is a list of DNS names that are refused (wpad
being one of them be default in Server 2008),...how is that going to do you
any good? You said you wanted to use WPAD,...therefore you can not block
it,...and still use it at the same time.

Also if you are going to use WPAD then you need to do it with both DNS and
DHCP. You cannot change it from the default port "80",..so don't be tempted
to try as some material you read may suggest. You need both because not
all clients will work correctly with either one,...some will need the DNS
one while other will use the DHCP one.

1. In DNS use a CNAME

2. In DHCP make sure the URL uses the CNAME (wpad.domain.loc) and not the
actual name of the proxy.

3. If you ever change proxys (or Arrays virtual IP#s) all you have to do is
adjust the CNAME and will not have to touch the DHCP WPAD setup.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/l...chNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/l...chNet.10).aspx

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/p...s/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------



"Luca" <> wrote in message
news:09A8DF97-1623-43A0-B4F3-...
> Hi,
> We would like to use the “Automatically detect settings� option of IE
> combined with WPAD option configured on our Proxy servers and DNS server,
> but
> going trough the following article
> (http://technet.microsoft.com/en-us/l.../cc794902.aspx)
> I see that there seems be some risks using that, not being a DNS
> specialist
> I would to know if there are ways to overcome the issues mentioned in the
> article ?
>
> Thanks in advance for your assistance.
> Luca
>

Thanks Phillip,
Your response was most useful, may I ask another question:
I see that we can use DNS, DHCP or both to setup the WPAD option, I am also
told that DNS should be sufficient. Question is if DNS is sufficient (?) and
we have it confgured then why would or should we need to configure also the
DHCP for this ?
Luca.

"Phillip Windell" wrote:

> You never specified exactly "what" problem you are talking about. I assume
> it was this one:
>
> " malicious user to accomplish this without requiring the intervention of a
> DNS system administrator simply by giving a computer the name wpad and then
> connecting it to the network. As long as there is no other computer in the
> zone with the same name, the computer of the malicious user can register its
> name with the DNS server that is authoritative for its zone and then direct
> all WPAD queries to itself"
>
> This is not a problem that you have when you use WPAD,...this is a problem
> you can have if you *don't* use WPAD because the default setting in IE is to
> automatically detect the proxy (Firefox is the opposite). So if you are
> *not* actually using WPAD then there is no Host Record (or CNAME) on the DNS
> called "wpad" which leaves an opening for the user to do what the above
> descibed.
>
> But when you *are* using WPAD then you would have a CNAME in DNS called
> "wpad" that points to the Host Record of the Proxy. The user would not be
> able to do what is decribed above because it would cause a "duplicate name"
> on the network and the DNS would not register his machine with that
> name,...that is even more so obvious when you consider that the real wpad
> entry in DNS is Static and can't be dynamically over-written..
>
> The Global Query Block list is a list of DNS names that are refused (wpad
> being one of them be default in Server 2008),...how is that going to do you
> any good? You said you wanted to use WPAD,...therefore you can not block
> it,...and still use it at the same time.
>
> Also if you are going to use WPAD then you need to do it with both DNS and
> DHCP. You cannot change it from the default port "80",..so don't be tempted
> to try as some material you read may suggest. You need both because not
> all clients will work correctly with either one,...some will need the DNS
> one while other will use the DHCP one.
>
> 1. In DNS use a CNAME
>
> 2. In DHCP make sure the URL uses the CNAME (wpad.domain.loc) and not the
> actual name of the proxy.
>
> 3. If you ever change proxys (or Arrays virtual IP#s) all you have to do is
> adjust the CNAME and will not have to touch the DHCP WPAD setup.
>
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
> Technet Library
> ISA2004
> http://technet.microsoft.com/en-us/l...chNet.10).aspx
> ISA2006
> http://technet.microsoft.com/en-us/l...chNet.10).aspx
>
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/IS...cessRules.html
>
> Troubleshooting Client Authentication on Access Rules in ISA Server 2004
> http://download.microsoft.com/downlo...7/ts_rules.doc
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/p...s/default.mspx
>
> Microsoft ISA Server Partners: Partner Hardware Solutions
> http://www.microsoft.com/forefront/e...epartners.mspx
> -----------------------------------------------------
>
>
>
> "Luca" <> wrote in message
> news:09A8DF97-1623-43A0-B4F3-...
> > Hi,
> > We would like to use the “Automatically detect settings� option of IE
> > combined with WPAD option configured on our Proxy servers and DNS server,
> > but
> > going trough the following article
> > (http://technet.microsoft.com/en-us/l.../cc794902.aspx)
> > I see that there seems be some risks using that, not being a DNS
> > specialist
> > I would to know if there are ways to overcome the issues mentioned in the
> > article ?
> >
> > Thanks in advance for your assistance.
> > Luca
> >
>
>
>

"Luca" <> wrote in message
news:508D295B-0BA3-41C8-BAE5-...
> Thanks Phillip,
> Your response was most useful, may I ask another question:
> I see that we can use DNS, DHCP or both to setup the WPAD option, I am
> also
> told that DNS should be sufficient. Question is if DNS is sufficient (?)
> and
> we have it confgured then why would or should we need to configure also
> the
> DHCP for this ?
> Luca.

You didn't read my whole reply.

I already answered that.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

Oops, yes you are right I missed that part, by the way, when you say "You
need both because not all clients will work correctly with either one...",
can you please give some examples ?
Thanks for your help, Luca.

"Phillip Windell" wrote:

> "Luca" <> wrote in message
> news:508D295B-0BA3-41C8-BAE5-...
> > Thanks Phillip,
> > Your response was most useful, may I ask another question:
> > I see that we can use DNS, DHCP or both to setup the WPAD option, I am
> > also
> > told that DNS should be sufficient. Question is if DNS is sufficient (?)
> > and
> > we have it confgured then why would or should we need to configure also
> > the
> > DHCP for this ?
> > Luca.
>
> You didn't read my whole reply.
>
> I already answered that.
>
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
>
>

"Luca" <> wrote in message
news70DA2AD-6BBA-4C7D-85B8-...
> Oops, yes you are right I missed that part, by the way, when you say "You
> need both because not all clients will work correctly with either one...",
> can you please give some examples ?
> Thanks for your help, Luca.

MS had an article on their sites describing the behavor of different Clients
based on the OS version and which of the two methods that they worked best
with and why. I have no link to that article anymore and have no idea what
it was called.

In the end,..to me,...it just makes no sense at all to not do both at the
same time. Doing WPAD with both DNS and DHCP should just be a "given".
There shouldn't even be any question about it


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------