US-CERT warns of domain name collision

Any collision is a bad thing, especially when it happens in a computer system. The U.S. Computer Emergency Readiness Team (US-CERT) this week warned infosec teams of a vulnerability in the Web Proxy Auto-Discovery (WPAD) protocol that could involve a collision between requests for internal and external top-level domains.

The problem involves WPAD domain name system queries that are intended for resolution on private or enterprise DNS servers. These queries might reach public DNS servers, which could result in domain name collisions with internal network naming schemes. Collisions could be abused by opportunistic domain registrants to configure an external proxy for network traffic, warns US-CERT, allowing the potential for man-in-the-middle (MitM) attacks across the Internet.

As the alert explains, WPAD ensures all systems in an organization utilize the same web proxy configuration. Instead of individually modifying configurations on each device connected to a network, WPAD locates a proxy configuration file and applies the configuration automatically.

The use of WPAD is enabled by default on all Microsoft Windows operating systems and Internet Explorer browsers. WPAD is supported but not enabled by default on Mac and Linux-based operating systems, as well as in the Safari, Chrome, and Firefox browsers.

The problem has grown with ICANN’s approval of new generic top-level domains such as .office and .group, strings that may already have been in use behind corporate firewalls. These formerly undelegated gTLD strings are now being publicly registered. In certain circumstances, says US-CERT, such as a work computer connecting from a home or other external network, WPAD DNS queries may be sent in error to public DNS servers. Attackers can exploit such leaked WPAD queries by registering the leaked domain and setting up MitM proxy configuration files on the Internet.

A longer explanation of this can be found in this report from Verisign.

Among its recommendations, US-CERT says users and network administrators should consider disabling automatic proxy discovery/configuration in browsers and operating systems during device setup if it will not be used on internal networks; consider using a fully qualified domain name (FQDN) from global DNS as the root for enterprise and other internal namespaces; and configure internal DNS servers to respond authoritatively to internal TLD queries.

It also suggests that firewalls and proxies be configured to log and block outbound requests for wpad.dat files, that organizations identify expected WPAD network traffic and monitor the public namespace, and that they consider registering domains defensively to avoid future name collisions.
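As an added illustration of the logging and monitoring advice above (this is not code from the advisory or the article), the following Python flags WPAD lookups that leave the enterprise namespace or go to a resolver the enterprise does not run, and outbound wpad.dat fetches to external hosts, over constructed sample log lines. The internal namespace suffix, resolver subnet and log format are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample log lines (not from the article): an in-network lookup, two
# leaked lookups from a laptop on a home network using a public resolver, and the
# wpad.dat fetches that follow each kind of lookup.
SAMPLE_LOGS = [
    "2016-05-23T09:01:02Z dns client=10.1.4.22 resolver=10.1.0.53 qname=wpad.corp.example.com. qtype=A",
    "2016-05-23T09:01:03Z dns client=192.168.1.50 resolver=8.8.8.8 qname=wpad.office. qtype=A",
    "2016-05-23T09:01:04Z dns client=192.168.1.50 resolver=8.8.8.8 qname=wpad.group. qtype=A",
    "2016-05-23T09:01:05Z http client=192.168.1.50 method=GET url=http://wpad.office/wpad.dat",
    "2016-05-23T09:01:06Z http client=10.1.4.22 method=GET url=http://wpad.corp.example.com/wpad.dat",
    "2016-05-23T09:01:07Z dns client=10.1.4.23 resolver=10.1.0.53 qname=www.example.org. qtype=A",
]

# Hypothetical enterprise facts: the internal namespace rooted in a global-DNS
# FQDN, as US-CERT recommends, and the subnet holding the enterprise resolvers.
INTERNAL_SUFFIXES = ("corp.example.com",)
INTERNAL_RESOLVERS = [ipaddress.ip_network("10.1.0.0/24")]
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'timestamp kind key=value ...' into a dict; ts and kind are added."""
    ts, kind, rest = line.split(" ", 2)
    return dict(FIELD_RE.findall(rest), ts=ts, kind=kind)


def in_internal_namespace(name):
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in INTERNAL_SUFFIXES)


def find_wpad_leaks(lines):
    """Flag WPAD lookups outside the enterprise namespace or sent to a resolver
    the enterprise does not run, and wpad.dat fetches from external hosts."""
    findings = []
    for f in map(parse_line, lines):
        if f["kind"] == "dns" and f["qname"].lower().startswith("wpad."):
            resolver = ipaddress.ip_address(f["resolver"])
            if not in_internal_namespace(f["qname"]) or not any(
                resolver in net for net in INTERNAL_RESOLVERS
            ):
                findings.append(f"{f['ts']} dns leak: {f['client']} asked {f['resolver']} for {f['qname']}")
        elif f["kind"] == "http":
            url = urlparse(f["url"])
            if url.path.endswith("/wpad.dat") and not in_internal_namespace(url.hostname or ""):
                findings.append(f"{f['ts']} external wpad.dat: {f['client']} fetched from {url.hostname}")
    return findings
```

Running `find_wpad_leaks(SAMPLE_LOGS)` reports the two leaked `.office` and `.group` lookups and the external wpad.dat fetch, while the lookups and fetch that stay inside the enterprise namespace and resolvers pass silently.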

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
