[dns-operations] Web Proxy Auto-Discovery (WPAD) Information Disclosure

[Sidney Faber]

You hit the nail on the head--DNS tree climbing, or in the MS world,
"DNS Devolution", is bad.

There's a good description of DNS Devolution, including when and how and
why it occurs, in the Win2k documentation at
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/prork/prcc_tcp_dacz.mspx?mfr=true,
"TCP/IP in Windows 2000 Professional".  The root cause is the "Append
parent suffixes of the primary DNS suffix" (ie, DNS Devolution) option
shown in figure 22.7.

Following the flow charts, devolution is figure 22.6, which only occurs
for unqualified single-label queries when no DNS suffix search list is
configured.  The client first tries the fully qualified name
(wpad.aaa.bbb.contoso.com.) for _all_ connection-specific names on _all_
adapters before "devolving" up the DNS tree. (Keep in mind that most
windows VPN clients create a virtual connection, so all private DNS
requests on a VPN that are unanswered within 1 sec get leaked out the
public interface...and probably often end up as garbage
"wpad.contoso.local" type queries at the roots.)

WPAD is one specific example of a more general case, I wonder if Win2k
service discovery or .inaddr.arpa lookups are similarly affected.

Peter Koch wrote:
>> http://www.microsoft.com/technet/security/advisory/945713.mspx
> 
>> try, via DNS devolution, to resolve wpad.contoso.co.us. If that is not 
>> found, it will try to resolve wpad.co.us, which is outside of the 
>> contoso.co.us domain.
> 
> congratulations for only 14 years after publication of RFC 1535 finding out
> that DNS tree climbing is a bad idea.
> 
> -Peter
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations

-- 
Sid Faber, Member of the Technical Staff
CERT
Software Engineering Institute
Carnegie Mellon University
sfaber at cert.org