Any collision is a bad thing, especially when it happens in a computer system. The U.S. Computer Emergency Readiness Team (US-CERT) this week warned infosec teams of a vulnerability in the Web Proxy Auto-Discovery (WPAD) protocol that stems from name collisions between internal namespaces and newly delegated public top-level domains.
The problem involves WPAD domain name system queries that are intended for resolution on private or enterprise DNS servers. When a device is outside the enterprise network, these queries can instead reach public DNS servers, where internal naming schemes collide with public domain names. Collisions could be abused by opportunistic domain registrants who register the colliding name and use it to hand out an external proxy configuration for the victim's traffic, warns US-CERT, enabling man-in-the-middle (MitM) attacks from anywhere on the Internet.
As the alert explains, WPAD ensures all systems in an organization utilize the same web proxy configuration. Instead of individually modifying configurations on each device connected to a network, WPAD locates a proxy configuration file and applies the configuration automatically.
WPAD is enabled by default on all Microsoft Windows operating systems and in Internet Explorer. It is supported but not enabled by default on Mac and Linux-based operating systems, as well as in the Safari, Chrome, and Firefox browsers.
The problem has expanded with ICANN's approval of new generic top-level domains (gTLDs) such as .office and .group, strings that organizations may already have been using behind corporate firewalls. These previously undelegated gTLD strings are now delegated and publicly registrable. In certain circumstances, says US-CERT, such as a work computer connecting from a home or external network, WPAD DNS queries may be sent in error to public DNS servers. Attackers can exploit such leaked WPAD queries by registering the leaked domain and hosting MitM proxy configuration files on the Internet.
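To make the leak concrete, the following added example (not code from the US-CERT alert or the Verisign report) simulates the DNS "devolution" a WPAD client performs: it strips the host label from the machine's FQDN and tries wpad.<domain> one label at a time, stopping before the bare TLD. It then shows which of those queries stay inside the enterprise, which reach the public root and land on a delegated gTLD an outsider can register, and how rooting the internal namespace in a globally registered domain changes the picture. The machine names, internal zones and the gTLD set are all constructed for illustration.

```python
# Added example: simulate WPAD DNS devolution and show where each query ends up.
# Names, zones and the gTLD list are hypothetical; this is not US-CERT's code.

# Hypothetical subset of gTLDs delegated to the public DNS root. ".internal" and
# ".corp" are deliberately absent: the root returns NXDOMAIN for those.
DELEGATED_GTLDS = {"office", "group", "com"}

INTERNAL = "resolved by internal DNS"
LEAK = "leaks to public DNS; an outsider can register the zone"
OWNED = "reaches public DNS, but the zone is already registered by the enterprise"
DEAD = "TLD not delegated; root answers NXDOMAIN"


def wpad_candidates(fqdn):
    """Hostnames a WPAD client tries, in order.

    Following the WPAD Internet-Draft: drop the host label, then walk up the
    domain one label at a time, never querying wpad.<tld> itself.
    """
    labels = fqdn.strip(".").lower().split(".")
    domain = labels[1:]          # drop the host's own label
    names = []
    while len(domain) >= 2:
        names.append("wpad." + ".".join(domain))
        domain = domain[1:]
    return names


def _within(zone, zones):
    """True if `zone` equals or is a subdomain of any zone in `zones`."""
    return any(zone == z or zone.endswith("." + z) for z in zones)


def registrable_zone(zone):
    """Second-level name an outsider would register to answer for `zone`."""
    return ".".join(zone.split(".")[-2:])


def classify_queries(fqdn, internal_zones, owned_zones, on_corporate_network):
    """Return (query_name, outcome, registrable_zone_or_None) per candidate.

    internal_zones: zones the enterprise resolver answers authoritatively.
    owned_zones:    zones the enterprise has registered in the global DNS.
    """
    internal_zones = {z.lower() for z in internal_zones}
    owned_zones = {z.lower() for z in owned_zones}
    results = []
    for name in wpad_candidates(fqdn):
        zone = name[len("wpad."):]
        if on_corporate_network and _within(zone, internal_zones):
            results.append((name, INTERNAL, None))
            continue
        tld = zone.rsplit(".", 1)[-1]
        if tld not in DELEGATED_GTLDS:
            results.append((name, DEAD, None))
            continue
        reg = registrable_zone(zone)
        outcome = OWNED if _within(zone, owned_zones) else LEAK
        results.append((name, outcome, reg))
    return results


if __name__ == "__main__":
    laptop = "ws01.dept.corp.office"           # internal suffix collides with .office
    for on_net in (True, False):
        print(f"--- {laptop}, on corporate network: {on_net}")
        for name, outcome, reg in classify_queries(laptop, {"corp.office"}, set(), on_net):
            print(f"{name:26} {outcome}" + (f" ({reg})" if reg else ""))
    # Mitigation from the alert: root the internal namespace in a globally
    # registered FQDN so any leaked name is one the enterprise already controls.
    print("--- ws01.corp.example.com, off network, example.com registered")
    for name, outcome, reg in classify_queries(
            "ws01.corp.example.com", {"corp.example.com"}, {"example.com"}, False):
        print(f"{name:26} {outcome} ({reg})")
```

Run from a home network, the .office laptop emits wpad.dept.corp.office and wpad.corp.office; both resolve through the public root, and registering corp.office is enough to answer every one of them. The same walk for a host under example.com still leaves the network, but only to a zone the enterprise owns.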
A longer explanation of this can be found in this report from Verisign.
Among its recommendations, US-CERT says users and network administrators should consider disabling automatic proxy discovery/configuration in browsers and operating systems during device setup if it will not be used on internal networks; consider using a fully qualified domain name (FQDN) from the global DNS as the root for enterprise and other internal namespaces; and configure internal DNS servers to respond authoritatively to internal TLD queries.
It also suggests configuring firewalls and proxies to log and block outbound requests for wpad.dat files, identifying what WPAD traffic is expected on the network so that anything else stands out, and monitoring the public namespace or registering domains defensively to avoid future name collisions.
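The logging-and-blocking recommendation is easy to turn into a detection. The added example below (my own illustration, not US-CERT's guidance or a product feature) runs over a few constructed proxy log lines in a simplified "timestamp client method url status" format, picks out every request for a file named wpad.dat regardless of case or path, and marks as blockable any fetch from a host that is not inside the enterprise's expected internal zone or that is an IP literal. The internal zone corp.example.com and all of the log lines are assumptions made up for the example.

```python
# Added example: flag and block wpad.dat fetches that leave the internal namespace.
# Log format and zone names are constructed for illustration; not US-CERT code.
import ipaddress
from urllib.parse import urlsplit

# Constructed, simplified proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2016-05-23T08:01:12Z 10.1.2.3 GET http://wpad.corp.example.com/wpad.dat 200
2016-05-23T08:01:13Z 10.1.2.3 GET http://intranet.corp.example.com/ 200
2016-05-23T08:02:40Z 10.1.7.9 GET http://wpad.corp.office/wpad.dat 200
2016-05-23T08:02:41Z 10.1.7.9 GET http://203.0.113.5/wpad.dat 200
2016-05-23T08:03:05Z 10.1.4.4 GET http://example.net/downloads/Wpad.DAT 404
"""

WPAD_FILE = "wpad.dat"


def host_in_zones(host, zones):
    """True if `host` is the zone apex or a subdomain of one of `zones`."""
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in zones)


def is_ip_literal(host):
    """A proxy script fetched from a bare IP is never an expected WPAD source."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def find_wpad_requests(log_text, internal_zones):
    """Return one finding per wpad.dat request, with an allow/block verdict."""
    internal_zones = {z.lower() for z in internal_zones}
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                       # skip malformed lines rather than crash
        ts, client, method, url, status = parts
        u = urlsplit(url)
        # Match on the last path segment, case-insensitively, so /x/Wpad.DAT counts.
        if u.path.rsplit("/", 1)[-1].lower() != WPAD_FILE:
            continue
        host = u.hostname or ""
        if is_ip_literal(host):
            verdict, reason = "block", "wpad.dat fetched from an IP literal"
        elif host_in_zones(host, internal_zones):
            verdict, reason = "allow", "expected internal WPAD host"
        else:
            verdict, reason = "block", "wpad.dat requested outside the internal namespace"
        findings.append({"time": ts, "client": client, "host": host,
                         "url": url, "verdict": verdict, "reason": reason})
    return findings


def blocklist(findings):
    """Hosts to add to an outbound deny rule, derived from the block verdicts."""
    return sorted({f["host"] for f in findings if f["verdict"] == "block"})


if __name__ == "__main__":
    results = find_wpad_requests(SAMPLE_LOG, {"corp.example.com"})
    for f in results:
        print(f"{f['verdict']:5} {f['client']:10} {f['url']:48} {f['reason']}")
    print("deny outbound to:", ", ".join(blocklist(results)))
```

In practice the allow list is the one internal WPAD host (or zone) the enterprise actually serves; everything else fetching a wpad.dat is either a leaked query that has resolved somewhere on the public Internet or a client that has been handed a rogue proxy script, and both deserve an alert.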