US-CERT warns of domain name collision

Any collision is a bad thing, especially when it happens in a computer system. The U.S. Computer Emergency Readiness Team (US-CERT) this week warned infosec teams of a vulnerability in the Web Proxy Auto-Discovery (WPAD) protocol, which could involve a collision between requests for internal and external top level domains.

The problem involves WPAD domain name system queries that are intended for resolution on private or enterprise DNS servers. These queries might reach public DNS servers, which could result in domain name collisions with internal network naming schemes. Collisions could be abused by opportunistic domain registrants to configure an external proxy for network traffic, warns US-CERT, allowing the potential for man-in-the-middle (MitM) attacks across the Internet.

As the alert explains, WPAD ensures all systems in an organization utilize the same web proxy configuration. Instead of individually modifying configurations on each device connected to a network, WPAD locates a proxy configuration file and applies the configuration automatically.

WPAD is enabled by default on all Microsoft Windows operating systems and in Internet Explorer. It is supported but not enabled by default on Mac and Linux-based operating systems, as well as in the Safari, Chrome, and Firefox browsers.

The problem has grown with ICANN’s new system of approved generic top level domains such as .office and .group, strings which may already have been in use behind corporate firewalls. These previously undelegated gTLD strings are now being publicly registered. In certain circumstances, says US-CERT, such as a work computer connected from a home or external network, WPAD DNS queries may be sent in error to public DNS servers. Attackers can exploit such leaked WPAD queries by registering the leaked domain and hosting MitM proxy configuration files on the Internet.

A longer explanation of this can be found in this report from Verisign.

Among its recommendations, US-CERT says users and network administrators should consider disabling automatic proxy discovery/configuration in browsers and operating systems during device setup if it will not be used on internal networks; consider using a fully qualified domain name (FQDN) from global DNS as the root for enterprise and other internal namespaces; and configure internal DNS servers to respond authoritatively to internal TLD queries.

It also suggests that firewalls and proxies be configured to log and block outbound requests for wpad.dat files, that administrators identify expected WPAD network traffic, and that they monitor the public namespace or consider registering domains defensively to avoid future name collisions.
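The logging recommendation above can be turned into a simple check. The following script is an added example and is not code from US-CERT or the article: it scans constructed firewall/proxy log lines and flags WPAD DNS lookups and wpad.dat fetches whose hostname falls outside the organisation's own namespace (the suffix corp.example.com and the log format are assumptions).

```python
import re
from urllib.parse import urlsplit

# Assumed internal namespace; anything outside it is treated as "leaked".
INTERNAL_SUFFIXES = ("corp.example.com",)

# Constructed sample lines: "<timestamp> <client> <DNS|HTTP> <target>".
SAMPLE_LOG = """\
2016-05-24T10:01:02Z 10.0.0.5 DNS wpad.corp.example.com
2016-05-24T10:01:03Z 10.0.0.5 HTTP http://wpad.corp.example.com/wpad.dat
2016-05-24T10:05:10Z 10.0.0.7 DNS wpad.office
2016-05-24T10:05:11Z 10.0.0.7 HTTP http://wpad.office/wpad.dat
2016-05-24T10:07:00Z 10.0.0.9 HTTP http://intranet.corp.example.com/index.html
2016-05-24T10:09:30Z 10.0.0.9 DNS wpad.group
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (DNS|HTTP) (\S+)$")


def is_internal(host: str) -> bool:
    """True when host is the internal suffix itself or a name beneath it."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in INTERNAL_SUFFIXES)


def find_leaked_wpad(log_text: str) -> list:
    """Return one finding per WPAD lookup or wpad.dat fetch outside the internal namespace."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, kind, target = m.groups()
        if kind == "DNS":
            host, path = target, ""
        else:
            parts = urlsplit(target)
            host, path = (parts.hostname or ""), parts.path
        if not host or is_internal(host):
            continue
        wpad_dns = kind == "DNS" and host.lower().split(".")[0] == "wpad"
        wpad_dat = kind == "HTTP" and path.lower().endswith("/wpad.dat")
        if wpad_dns or wpad_dat:
            findings.append({"time": ts, "client": client, "kind": kind, "host": host})
    return findings


if __name__ == "__main__":
    for f in find_leaked_wpad(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} leaked WPAD {f['kind']} to {f['host']}")
```

A non-empty result from a real log is the signal to block the outbound request at the firewall or proxy and to fix the client's DNS suffix or WPAD setting.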

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com