Where to set WPAD DNS A record



  • It looks like Windows XP needs the A record.

    wpad          IN  A    192.168.1.1   (your wpad address here… if CNAME is not used)
                  IN  TXT  "service: wpad:http://wpad.yourdomain/proxy.pac"
    _wpad._tcp    IN  SRV  0 0 80 wpad.yourdomain.

    But where do I configure it?
    Do I need to install the dns-server package?



  • You do this in the pfSense DNS forwarder or DNS resolver. You can also add DHCP options; Google "DHCP pfsense WPAD".
    https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid



  • @dwood:

    You can also add DHCP options; Google "DHCP pfsense WPAD".
    https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

    Sure, although I don't think this is an "alternative".
    The point is that the mechanism used to find the proxy.pac server is defined client side.
    Some will rely on DHCP option 252, while others will rely on the "well known alias" (DNS).
    Some others may also implement only the "service locator"  :-\

    Because of this, I'm pretty convinced that if you want to implement WPAD, you should configure all these parameters to ensure it will cover as many clients as possible.

    Something to be noted (related to the example used in the first post): I wrote in 2011 that the "well known alias" requires an A record because this is what the RFC states. However, the more I think about this, the more I'm convinced that this is a mistake at RFC level. It should work with a CNAME too, and from the client side, I can't really see the difference.
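    An added example (not from this thread or pfSense) that walks the client-side discovery order described above and applies the same PAC checks the IE diagnostic further down reports (MIME type, valid FindProxyForURL). DNS lookups and HTTP fetches are injected callables, so it runs offline against the constructed sample data; `example.com` and the hostnames are assumptions.

```python
"""Offline check of the WPAD pieces discussed in the thread: the DNS
"well-known alias" search order, the SRV name, and the PAC file itself."""
import re

PAC_MIME = "application/x-ns-proxy-autoconfig"  # Content-Type the IE diagnostic expects


def wpad_candidates(client_fqdn):
    """Names a client tries for the well-known alias, per the WPAD draft:
    drop the host label, then strip leading labels, never querying the bare TLD."""
    labels = client_fqdn.rstrip(".").split(".")[1:]
    return ["wpad." + ".".join(labels[i:]) for i in range(len(labels) - 1)]


def srv_name(domain):
    """Owner name of the service-locator record for a domain."""
    return "_wpad._tcp." + domain.rstrip(".")


def pac_issues(content_type, body):
    """Return a list of problems; empty means the PAC passes both checks."""
    issues = []
    if content_type.split(";")[0].strip().lower() != PAC_MIME:
        issues.append("wrong Content-Type: " + content_type)
    if not re.search(r"\bfunction\s+FindProxyForURL\s*\(", body):
        issues.append("FindProxyForURL not defined")
    return issues


def check_wpad(client_fqdn, resolve, fetch):
    """resolve(name) -> None or (rtype, target); fetch(url) -> (content_type, body).
    The alias method always fetches /wpad.dat on the first name that resolves.
    Returns which name answered (A or CNAME) and any PAC problems found."""
    for name in wpad_candidates(client_fqdn):
        answer = resolve(name)
        if answer:
            rtype, target = answer
            ctype, body = fetch("http://" + name + "/wpad.dat")
            return {"name": name, "rtype": rtype, "target": target,
                    "issues": pac_issues(ctype, body)}
    return {"name": None, "issues": ["no wpad alias found in any DNS suffix"]}


# Constructed sample data standing in for the resolver and the web server.
SAMPLE_ZONE = {"wpad.example.com": ("A", "192.168.0.1")}
SAMPLE_PAC = 'function FindProxyForURL(url, host) { return "PROXY 192.168.0.1:3128"; }'


def sample_resolve(name):
    return SAMPLE_ZONE.get(name)


def sample_fetch(url):
    return (PAC_MIME, SAMPLE_PAC) if "wpad.example.com" in url else ("text/html", "")


if __name__ == "__main__":
    print(check_wpad("pc1.lan.example.com", sample_resolve, sample_fetch))
```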



  • DHCP is already working.

    But for example:
    XP Pro SP3:
    IE6 = NOT working

    For XP see also: http://forums.isaserver.org/XP_SP3_DHCP_WPAD/m_2002067097/tm.htm

    No browser on LMDE (Linux Mint Debian Edition) works.

    Firefox works on no OS.

    MIME types are set.
    DNS resolver is done (Host: wpad, Domain: example.com, IP Address: 192.168.0.1) - also tested in the forwarder.

    FindProxyForURL is telling me:

    #-----------------------------------------------------
    # Internet Explorer Configuration
    #-----------------------------------------------------
    #
    # Automatically Detect Settings configured
    #
    # Explicit PAC file not configured
    #
    #-----------------------------------------------------
    # WPAD DHCP Configuration
    #-----------------------------------------------------
    #
    # DHCP 252 entry configured
    #	- http://wpad.skulltronics.net/proxy.pac
    #		- PAC file downloaded successfully
    #		- Content Type: application/x-ns-proxy-autoconfig
    #		- Code Syntax: PAC file is valid
    #
    #-----------------------------------------------------
    # WPAD DNS Configuration
    #-----------------------------------------------------
    #
    # No DNS suffices found for WPAD DNS search
    

  • 

    As already noted above: these are NOT alternatives. You need to do them all. Regarding:

    @MrGlasspoole:

    XP Pro SP3:
    IE6 = NOT working

    who the heck cares?  ::)



  • @doktornotor:

    who the heck cares?  ::)

    I appreciated all your work - but in the time you wrote this you could have written where/how to put the A record :P
    No, my XP machines normally don't have web access - in this case it's just drunk science ;D

    But now I'm not sure anymore if that Auto-Discovery thing is any good.
    I was reading https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol#Security
    and http://www.netresec.com/?page=Blog&month=2012-07&post=WPAD-Man-in-the-Middle

    Modern OSes have it on by default? But if I'm at a hotspot or foreign WLAN…..



  • Your link (Wikipedia) describes something quite obvious, although it doesn't hurt to state it twice and make it crystal clear: be sure that resolving wpad.yourdomain.com is done by DNS you do control and points, in the end, to YOUR proxy.pac.

    This being said, the risk highlighted here differs depending on whether you are connected to a trusted or untrusted network, and the true debate is rather whether the browser should be configured with auto-discovery or not when the device is not connected to a trusted network.

    When connected to a trusted network, the network admin has most likely configured the firewall to only accept connections to the HTTP proxy port and denied direct access to the internet in order to ensure everything goes through the proxy. The risk of connecting to an external (I mean behind the firewall) proxy is supposed to be minimal. Still, there is a risk of an internal attack with a rogue web server, either using another DHCP server or another DNS server.

    When connected outside, the debate is somewhat different. You can't trust anything and may not want to rely on an explicit proxy. But how would you then prevent the use of a transparent proxy and SSL bump?

    BTW, if you search for literature explaining the risks with explicit proxies, I suggest you also search for equivalent publications about the risks with transparent proxies. You will find many more publications and significantly higher risks  ;)



  • @doktornotor:

    As already noted above: these are NOT alternatives. You need to do them all. Regarding:

    @MrGlasspoole:

    XP Pro SP3:
    IE6 = NOT working

    who the heck cares?  ::)

    If you're using XP still, then at least try to ditch IE for Chrome or Firefox…. The highest version of IE for XP SP3 is IE8 :-\

    IMO, XP machines should no longer have internet access. Whitelist specific applications only and block everything else. Definitely don't use IE6!



  • Also, the Android and iOS mobile platforms still cannot detect WPAD.



  • @TechnicaL:

    Also, the Android and iOS mobile platforms still cannot detect WPAD.

    It evolves… slowly  :-[

    I really don't understand why such a feature is not supported by these operating systems.
    One would argue about security issues or weaknesses when using WPAD (https://code.google.com/p/android/issues/detail?id=54218), which is totally misleading, especially when stating that the solution is to use a transparent proxy instead  ;D ;D ;D ;D

    WPAD is for sure not the ultimate answer; nevertheless, so far, I don't know anything better when it comes to providing filtering and profiling for HTTP(S) flows.



  • @Netizen1:

    If you're using XP still, then at least try to ditch IE for Chrome or Firefox…. The highest version of IE for XP SP3 is IE8 :-\

    IMO, XP machines should no longer have internet access. Whitelist specific applications only and block everything else. Definitely don't use IE6!

    Did you read my answer?
    My XP machines normally don't have web access - in this case it's just drunk science.

    In VMware I have XP Pro SP3 IE6, XP Pro SP3 IE7, XP Pro SP3 IE8, Vista IE9, Win 7 IE10, OS X El Capitan < all for playing around.

    And yes, I also use XP on dedicated PCs. One example is MAME connected to an RGB CRT TV.
    I also have 2 DOS PCs, 1 Win95 and 1 Win98 running, because 3dfx Voodoo and old games need the right OS ;D

