Bjørn Mork <[email protected]> writes:

> Please don't. WPAD via DNS is a security nightmare. Have your friendly
> DNS resolver operator send over some query logs for wpad host names, and
> you'll quickly realize that there is no end to the attack vectors. The
> basic problem is that there is no way to establish a "safe" base
> domain. And if there were, there would be no way to know how far up the
> tree is safe. Or if dynamic registration of "wpad" is allowed within
> that domain, ref
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0093
>
> Might be "fixed" in Windows, but how about other dynamic zones?
If anyone is still interested, I just happened to read RFC5507 for other
reasons and stumbled across the section "4. Zone Boundaries are Invisible
to Applications":

https://tools.ietf.org/html/rfc5507#section-4

Which is a pretty extensive explanation of why the WPAD DNS design is
wrong, without even mentioning WPAD :)

WPAD in DNS is best forgotten.

Bjørn
_______________________________________________
networkmanager-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/networkmanager-list
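The devolution walk the thread complains about, as an added example that is not part of the mailing-list post or of NetworkManager. It simulates a WPAD client stripping labels from its own domain suffix and querying wpad.<remaining suffix> at each step, then shows what the client can and cannot know about each candidate: the devolution rule, the small public-suffix set and the optional operator-supplied "trusted zones" list are all assumptions made for illustration (real clients differ in where they stop, and DNS itself offers no way to derive a trusted-zone list, which is the point of RFC 5507 section 4).

```python
"""Added example (not from the thread): simulate WPAD DNS devolution.

A WPAD client that uses DNS strips labels from its own domain suffix and
tries "wpad.<remaining suffix>" at each step.  Nothing in DNS tells it
where it leaves the zone its organisation controls.  The devolution rule
and the suffix set below are constructed for illustration; real clients
differ in where they stop.
"""
from typing import List, Tuple

# Constructed subset of the Public Suffix List (https://publicsuffix.org/).
# Any name directly under one of these can be registered by a stranger.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def wpad_candidates(fqdn: str) -> List[str]:
    """Return the wpad names a devolving client would query, in order.

    Rule used here (an assumption, modelled on the classic behaviour):
    drop the host label, then repeatedly drop the leftmost label while
    at least two labels remain.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return []
    domain = labels[1:]          # drop the host's own label
    candidates = []
    while len(domain) >= 2:
        candidates.append("wpad." + ".".join(domain))
        domain = domain[1:]      # walk one level up the tree
    return candidates


def classify(candidate: str, trusted_zones: Tuple[str, ...] = ()) -> str:
    """Say what a client can actually know about a candidate wpad name.

    trusted_zones is a hypothetical operator-supplied list; DNS gives the
    client no way to derive it, so without it every candidate below the
    public-suffix boundary is simply "unknown".
    """
    parent = candidate.split(".", 1)[1]      # strip the "wpad" label
    if parent in PUBLIC_SUFFIXES:
        return "public suffix: anyone can register this name"
    if parent in trusted_zones:
        return "operator-declared trusted zone"
    return "unknown zone: may allow dynamic registration of wpad"


def audit(fqdn: str, trusted_zones: Tuple[str, ...] = ()) -> List[Tuple[str, str]]:
    """Pair each candidate with its verdict, in query order."""
    return [(c, classify(c, trusted_zones)) for c in wpad_candidates(fqdn)]


if __name__ == "__main__":
    # Constructed host name: a machine in a sub-zone of a .co.uk domain.
    for name, verdict in audit("pc1.corp.example.co.uk", ("corp.example.co.uk",)):
        print(f"{name:30} {verdict}")
```

Run it and the walk ends at wpad.co.uk, a name under a public suffix, with wpad.example.co.uk in between marked unknown: the client cannot tell from the name whether that zone is the organisation's own or one that lets any host register "wpad" dynamically, which is the CVE-2009-0093 case the quoted message refers to.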
