Bohack

Check In and Tune Out!

Windows Server 2008 R2 Breaks WPAD



I had just completed a successful upgrade of my domain controllers at work to Windows Server 2008 R2. After the upgrade we found that anyone who used the proxy and relied on automatic settings could no longer receive the proxy address. This is the “Automatically detect settings” option in the “LAN settings” of Internet Explorer options.

After some research I found a TechNet article, http://technet.microsoft.com/en-us/library/cc794902%28WS.10%29.aspx, that explains the motivation behind this. Internet Explorer ships with “Automatically detect settings” checked in the “Local Area Network (LAN) Settings” dialog box of Internet Options. With that setting on, every time it starts it runs WPAD discovery: it first asks DHCP for a proxy URL (option 252) and, if none comes back, it queries DNS for wpad.<DNS suffix>; if that name resolves, it fetches wpad.dat from the host it resolves to. The suffix is the client's DNS domain name, which DHCP hands out in option 15 (a domain-joined machine normally gets the same suffix from its domain membership). For example, if your machine boots up and receives contoso.com in option 15, IE will try to retrieve http://wpad.contoso.com/wpad.dat.

Now let me explain why. Microsoft DNS uses dynamic updates: in an Active Directory-integrated zone every domain-joined machine can register its own host record, and since most environments never create a wpad entry, the name is free for anyone to claim. A malicious user renames their client “wpad” and serves a wpad.dat file from a web server on that host. When their client boots it registers itself as “wpad.contoso.com”, and from then on every client that auto-detects its proxy fetches the attacker's PAC file and is proxied through the malicious host, which can read and rewrite all of its unencrypted web traffic.

Microsoft closed the hole, starting with Windows Server 2008 and so also in 2008 R2, with the “Global Query Block List”: a server-wide list of names, wpad and isatap by default, for which the DNS server refuses to answer queries. The list applies to every zone the server is authoritative for, so regardless of which zones you host on Microsoft DNS, a query for wpad.<zone> gets a negative answer even when a wpad record exists in the zone and is plainly visible in DNS Manager. Note that the list does not stop a rogue client from registering the record; it only stops anyone from resolving it.

To fix this you will need to run the commands below against each of your DNS servers; the block list is a per-server registry setting, not part of the zone, so it does not replicate through Active Directory. Before you remove wpad from the list, create the wpad host record for your real proxy yourself as an administrator. A record an administrator created cannot be overwritten by a domain member's secure dynamic update, so the original hole stays closed once the name resolves again. If you would rather leave DNS alone, handing out the proxy URL in DHCP option 252 also works, because that step of WPAD discovery never queries DNS.

To see the “Global Query Block List”

dnscmd [<ServerName>] /info /globalqueryblocklist

example:
dnscmd 192.168.1.1 /info /globalqueryblocklist

To fix the problem, set the “Global Query Block List” without wpad. The /config form replaces the whole list with the names you pass, so list every name that should stay blocked (normally just isatap):

dnscmd [<ServerName>] /config /globalqueryblocklist [<name> [<name>]...]

example:
dnscmd 192.168.1.1 /config /globalqueryblocklist isatap
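The whole procedure as one script, added here as an example rather than the post author's own code: it reads the block list on each DNS server with dnscmd, takes wpad out while keeping the other names, pre-registers the legitimate wpad record, and then checks WPAD discovery from the machine it runs on. It uses only dnscmd.exe and .NET so it works under the PowerShell 2.0 that ships with Windows Server 2008 R2. The server names, zone and proxy address are assumed values, and the “String:  <name>” output format parsed from dnscmd /info is an assumption about the 2008 R2 output; adjust the regular expression if your build prints it differently.

```powershell
# Added example for this post (not the author's script). Audits each DNS
# server's global query block list, removes "wpad" while keeping whatever
# else is listed, pre-registers the legitimate wpad record, and then checks
# WPAD discovery from this host. Run it as a DNS administrator.
# Server names, zone and proxy address below are assumed values.

param(
    [string[]]$DnsServers = @("dc1.contoso.com", "dc2.contoso.com"),  # assumed
    [string]$Zone         = "contoso.com",                             # assumed
    [string]$ProxyIp      = "192.168.1.50"                             # assumed proxy
)

function Get-GlobalQueryBlockList {
    param([string]$Server)
    # dnscmd prints one "String:  <name>" line per blocked name (format assumed
    # from 2008 R2 output); every other line is ignored.
    $names = @()
    foreach ($line in (& dnscmd $Server /info /globalqueryblocklist 2>&1)) {
        if ("$line" -match '^\s*String:\s*(\S+)') { $names += $Matches[1] }
    }
    return $names
}

function Set-GlobalQueryBlockList {
    param([string]$Server, [string[]]$Names)
    # /config /globalqueryblocklist REPLACES the list with the names given,
    # so every name that should stay blocked must be passed again.
    & dnscmd $Server /config /globalqueryblocklist $Names | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Test-WpadDiscovery {
    param([string]$Zone, [string]$ExpectedIp)
    # Mimic the DNS half of WPAD discovery: resolve wpad.<zone>, then fetch
    # the PAC file and check that it defines FindProxyForURL.
    $fqdn = "wpad.$Zone"
    & ipconfig /flushdns | Out-Null   # drop any cached negative answer
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($fqdn) |
                 ForEach-Object { $_.IPAddressToString }
    } catch {
        Write-Warning ("{0} does not resolve: {1}" -f $fqdn, $_.Exception.Message)
        return $false
    }
    if ($addrs -notcontains $ExpectedIp) {
        Write-Warning ("{0} resolves to {1}, expected {2}" -f $fqdn, ($addrs -join ","), $ExpectedIp)
        return $false
    }
    try {
        $pac = (New-Object System.Net.WebClient).DownloadString("http://$fqdn/wpad.dat")
    } catch {
        Write-Warning ("PAC download failed: {0}" -f $_.Exception.Message)
        return $false
    }
    return ($pac -match 'FindProxyForURL')
}

# 1. Own the name before anyone can resolve it: an administrator-created record
#    cannot be overwritten by a domain member's secure dynamic update. The zone
#    is assumed to be AD-integrated, so adding it on one server is enough.
& dnscmd $DnsServers[0] /recordadd $Zone wpad A $ProxyIp | Out-Null

# 2. Remove wpad from the block list on every server, keeping the other names.
foreach ($server in $DnsServers) {
    $current = Get-GlobalQueryBlockList -Server $server
    Write-Host ("{0}: block list = [{1}]" -f $server, ($current -join ", "))
    if ($current -notcontains "wpad") { continue }

    $keep = @($current | Where-Object { $_ -ne "wpad" })
    if (Set-GlobalQueryBlockList -Server $server -Names $keep) {
        Write-Host ("{0}: wpad removed, list is now [{1}]" -f $server, ($keep -join ", "))
    } else {
        Write-Warning ("{0}: dnscmd failed, block list unchanged" -f $server)
    }
}

# 3. Confirm the client side works again.
if (Test-WpadDiscovery -Zone $Zone -ExpectedIp $ProxyIp) {
    Write-Host "WPAD discovery works: wpad.$Zone serves a PAC file from $ProxyIp"
} else {
    Write-Warning "WPAD discovery still fails"
}
```

If you want the list gone altogether, dnscmd <ServerName> /config /enableglobalqueryblocklist 0 switches it off, but that also unblocks isatap, which is usually not what you want. On Windows Server 2012 and later the DnsServer module's Set-DnsServerGlobalQueryBlockList -List isatap does the same as the /config line above.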

Tags: Server 2008, Windows

This entry was posted on Saturday, February 12th, 2011 at 9:35 pm and is filed under Windows 2008.
