Maintained by: NLnet Labs

[Unbound-users] preventing host lookup/reply

Alexander Clouter
Sat Feb 19 11:54:11 CET 2011


Chris Smith <fixie at chrissmith.org> wrote:
>
> Specifically in this case I want to prevent wpad.<whatever> lookups.
> 
> Seems I can refuse to answer the query with:
> 
> local-zone: "wpad.<whatever>." refuse
> 
> or send effectively invalid information:
> 
> local-data: "wpad.<whatever>. A 127.0.0.1" - or via a stub-zone auth
> server (nsd) method
>
If 'wpad.example.com' does not actually have an A/AAAA/CNAME record, 
then what are you trying to do?  I do not think unbound supports 
wildcard blocking (ie. 'wpad.*') either; I think to do this you would 
have to look to the python hooks to help you out.
 
> Is one more effective than the other? Does a refusal effectively stop
> further inquiries from the client? Or would it free up the client
> sooner, longer or more effectively to send it the localhost address?
>
The client should make a WPAD lookup once per HTTP session, if it is 
configured to 'automatically detect proxy settings'.

Returning REFUSED/NXDOMAIN will have no effect on the rate of queries.

> Is one possibly more effective against a rogue DNS server on the
> network? Or against a rogue system with a hostname of wpad (maybe
> advertising itself via NetBIOS - hopefully static wins entries prevent
> this - or some other method)?
>
You can configure, via DHCP, for clients to disable NetBIOS over TCP/IP.  
As for rogue DHCP/DNS servers, check to see if your network hardware 
supports "dhcp snooping"/"arp inspection"/"switchport protection" or 
whatever the non-Cisco equivalent might be.

What is it you are trying to achieve?  I'm curious about how you think 
blocking WPAD lookups will help you get closer to your goal?  Maybe it 
is just the wording, but it seems you are attempting to obliterate every 
byte of supposedly unwanted traffic on the local network?

WPAD (if you do not know) is how many systems automatically hunt for 
proxy servers...which is a *good* thing.  It is always handy to have a 
proxy server, especially as you can use it to help your userbase get to 
braindead websites that put HTTP services on ports other than 80/tcp 
(means your firewalling is easier).

Cheers

-- 
Alexander Clouter
.sigmonster says: Campbell's Law:
                  	Nature abhors a vacuous experimenter.