Automatic proxy configuration?
A small talk about a feature that is generally little known among “common folk,” yet it can be either very helpful for network administrators, or very upsetting for network users, too.
A little background
In some networks, using a web proxy is the only supported way to connect to the Internet. At the same time, it is common that you need direct access to the company intranet, without using a proxy. Browsers, however, usually offer limited options to differentiate proxy settings for various sites; they often lack the required flexibility. So, how can you force your browser to proxy google.com, but not internal.paulos.cz?
For that purpose, the Proxy Auto-Configuration (PAC) file was invented. Quoting from https://findproxyforurl.com:
[PAC file] contains a set of rules coded in JavaScript which allows a web browser to determine whether to send web traffic direct to the Internet or be sent via a proxy server.
It is mostly standardized, supported by all major browsers, supports automatic failover, exposes only a subset of JavaScript functions, and runs in a sandbox. Not much to worry about.
Configuring a thousand different browsers to use a proxy can be a challenge, though. That is one reason there is a complementary discovery protocol: Web Proxy Auto-Discovery Protocol (WPAD).
[WPAD] is a technology which aids a web browser in automatically detecting the location of a PAC file using DNS or DHCP.
What does that mean? Your network administrator can insert special entries into DNS and DHCP servers. They instruct the OS and browser where to get the file with the proxying rules.
Why can that be dangerous?
Windows searches for the proxy autoconfig host in this order:
- DHCP option 22
- DNS host wpad in the search domain
- NetBIOS or WINS server query (it is often forgotten that Windows has this fallback; at times, you can see broadcast queries for google.com etc.)
If the DHCP option does not exist, it tries to find the DNS entry. If that does not exist, a NetBIOS/WINS query is attempted.
If the WPAD host is found, the browser then tries to download the proxy file (wpad.dat) from that host using HTTP.
So, you can just name your computer wpad. Suddenly, you’ve got the easiest MitM method around, without any need to do ARP poisoning or impersonate another computer. In our network, I was stunned how many computers do WPAD on a regular basis.
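If you want to see how many of your own clients perform WPAD discovery, the resolver's query log is the place to look. The following Node.js script is an added example, not code from the article: it scans BIND-style query log lines for names that are exactly wpad or start with wpad., and reports which client addresses asked, how often, and for which names. The log lines are constructed sample data, and the regular expression assumes BIND's query log layout; adjust it for other resolvers.

```javascript
// Added example (not from the article): find clients performing WPAD discovery
// in BIND-style query logs. The sample lines below are constructed, not real data.
const sampleLog = [
  "07-May-2024 09:01:02.113 client 10.0.0.21#53211 (wpad.corp.example): query: wpad.corp.example IN A + (10.0.0.1)",
  "07-May-2024 09:01:02.114 client 10.0.0.21#53212 (wpad.corp.example): query: wpad.corp.example IN AAAA + (10.0.0.1)",
  "07-May-2024 09:01:05.220 client 10.0.0.34#40001 (www.google.com): query: www.google.com IN A + (10.0.0.1)",
  "07-May-2024 09:01:07.001 client 10.0.0.34#40002 (wpad): query: wpad IN A + (10.0.0.1)",
  "07-May-2024 09:02:11.900 client 10.0.0.50#60010 (WPAD.corp.example): query: WPAD.corp.example IN A + (10.0.0.1)",
  "07-May-2024 09:02:12.000 client 10.0.0.21#53213 (wpad.example.net): query: wpad.example.net IN A + (10.0.0.1)",
];

// BIND query log: "client [@0x...] <ip>#<port> (<qname>): query: <qname> IN <type> ..."
// The optional "@0x..." handle appears in newer BIND versions.
const QUERY_RE = /client (?:@0x[0-9a-f]+ )?([0-9a-f.:]+)#\d+ \([^)]*\): query: (\S+) IN (\S+)/i;

// A WPAD lookup is either the bare name "wpad" (search-list expansion happens
// on the client) or "wpad.<some domain>"; trailing dots and case are ignored.
function isWpadName(qname) {
  const name = qname.toLowerCase().replace(/\.$/, "");
  return name === "wpad" || name.startsWith("wpad.");
}

// Returns [{ client, count, names }] sorted by count (desc), then client address.
function wpadLookups(lines) {
  const perClient = new Map();
  for (const line of lines) {
    const m = QUERY_RE.exec(line);
    if (!m) continue;                       // not a query line
    const [, client, qname] = m;
    if (!isWpadName(qname)) continue;        // ordinary lookup, ignore
    const entry = perClient.get(client) || { count: 0, names: new Set() };
    entry.count += 1;
    entry.names.add(qname.toLowerCase().replace(/\.$/, ""));
    perClient.set(client, entry);
  }
  return [...perClient.entries()]
    .map(([client, e]) => ({ client, count: e.count, names: [...e.names].sort() }))
    .sort((a, b) => b.count - a.count || a.client.localeCompare(b.client));
}

for (const r of wpadLookups(sampleLog)) {
  console.log(`${r.client}\t${r.count} WPAD lookup(s)\t${r.names.join(", ")}`);
}
```

A client that queries wpad.&lt;your domain&gt; and gets no answer is exactly the client that will continue to the NetBIOS/WINS fallback the article describes, so a long list here is a good argument for the "deploy WPAD even if you don't proxy" advice later in the article.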
I’m a basic user. What can I do about it?
- Unless it is absolutely required by your IT to have automatic proxy discovery enabled, turn it off in system proxy settings and also in all your browsers. If using proxy is required, ask for an autoconfiguration URL and set that. (Option Use system proxy settings is fine, as long as your system is properly configured.)
- Beware of any requests to install a CA certificate into your system. If your IT has an HTTPS-decrypting box installed, consult with them. It can save you many headaches.
At home, do not connect devices to your network that you don’t trust. Or, create a separate guest Wi-Fi network for them, with client isolation. Ideally they should be on a different virtual network (VLAN).
What can network admins do?
It depends on whom you let into your network.
Basic access security matters. That is, on your switch:
- 802.1x and MAC address restrictions
- IPv4 first hop security: DHCP snooping and IP source guard
- IPv6 first hop security: SLAAC / DHCPv6 snooping, IPv6 RA guard, IPv6 source guard
- Blocking broadcast and multicast
Choose the options that you can implement and support and that are applicable to your network.
Also: You can benefit from deploying WPAD on your network, even though you may have no intention of proxying the web traffic. If you set up the discovery on the DHCP and DNS levels, an ordinary Windows computer will just use that. It should then not attempt any local network discovery, which helps to narrow the scope of possible attacks. It also means that nobody can simply name their computer “wpad” and have your DHCP server automatically set a DNS A/AAAA record pointing to them.
Deploying WPAD
I’ll just direct you here for the guide: https://findproxyforurl.com/deploying-wpad/
Generally: To deploy WPAD, you will need to host a PAC file on an HTTP server, and then point your DHCP and DNS appropriately.
The PAC file can be really simple:
function FindProxyForURL(url, host) {
  return "DIRECT";
}
which does no proxying at all.
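A fuller PAC file, as an added example that is neither the article's own code nor the file from findproxyforurl.com: it answers the google.com versus internal.paulos.cz question from the beginning of the article and uses the failover list the article mentions. The proxy names proxy1.example.internal and proxy2.example.internal, the .paulos.cz suffix as the intranet domain, and the 10.0.0.0/8 range are assumptions. Browsers provide isPlainHostName, dnsDomainIs and isInNet themselves; simplified stand-ins are included so the file also runs under Node.js (the stand-in isInNet handles only literal IPv4 addresses, whereas the browser's version also resolves hostnames). Only ES3-style syntax is used, because some PAC engines are older JScript interpreters.

```javascript
// Added example PAC file (not the article's own). Assumed names:
// proxy1/proxy2.example.internal, intranet suffix .paulos.cz, 10.0.0.0/8.

// --- Stand-ins for browser-provided PAC helpers so this file runs in Node.js. ---
// A browser ignores these and uses its built-in implementations.
function isPlainHostName(host) {
  // true for names without a dot, e.g. "intranet"
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // true when host ends with domain; the leading "." in domain keeps
  // "evilpaulos.cz" from matching ".paulos.cz"
  return host.length >= domain.length &&
    host.slice(host.length - domain.length) === domain;
}

function ipToInt(ip) {
  var octets = ip.split(".");
  var n = 0;
  for (var i = 0; i < octets.length; i++) {
    n = ((n << 8) + Number(octets[i])) >>> 0;
  }
  return n;
}

function isInNet(host, pattern, mask) {
  // Simplified: literal dotted-quad hosts only; the browser also resolves names.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  var m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

// Two proxies with failover, then DIRECT as the last resort (see note below).
var PROXIES = "PROXY proxy1.example.internal:3128; PROXY proxy2.example.internal:3128; DIRECT";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Intranet names and private/loopback ranges bypass the proxy.
  if (isPlainHostName(host) || host === "localhost" ||
      dnsDomainIs(host, ".paulos.cz") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else, e.g. google.com, goes through the proxy chain.
  return PROXIES;
}
```

Evaluation order matters: the intranet checks come first so that a name such as internal.paulos.cz never reaches the proxy. The trailing DIRECT in the proxy string is the automatic failover the article refers to; if the proxy is the only permitted egress path in your network, leave it out so that a dead proxy fails closed instead of sending clients straight to the Internet.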
Possible caveats
Was there ever such a thing as a free lunch in networking? The answer should be obvious, as this solution has its drawbacks:
- It is another part of your network that can break.
- If you set up a DHCP entry and point clients towards a nonexistent path, or if the server hosting the PAC file fails and/or does not answer, some of your network clients will have longer waiting times, because they will be trying to download the file before communicating using HTTP(S). It can break the client’s web access.
- Generally, it adds to the knowledge your admins need to have about your network. Meaning, deployment of WPAD should be documented and known, to avoid surprises.
Well. This probably wasn’t too comprehensive, but I hope you got the basic idea from the article. I might do more of these, because there’s always a couple of obscure things…