Automatic proxy configuration?

A small talk about a feature that is generally little known among “common folk,” yet it can be either very helpful for network administrators, or very upsetting for network users, too.

A little background

In some networks, using a web proxy is the only supported way to connect to the Internet. At the same time, it is common that you need a direct access to company intranet, without using a proxy. Browsers, however, usually offer limited options to differentiate proxy settings for various sites; they are often missing the required flexibility. So, how can you force your browser to proxy, but not

For that purpose, Proxy Auto-Configuration (PAC) file was invented. Quoting from

[PAC file] contains a set of rules coded in JavaScript which allows a web browser to determine whether to send web traffic direct to the Internet or be sent via a proxy server.

It is mostly standardized, supported by all major browsers, supports automatic failover, and has only a subset of JavaScript functions + running in a sandbox. Not much to worry about.

Configuring a thousand different browsers to use a proxy can be a challenge, though. That is a reason there’s a complementing discovery protocol: Web Proxy Auto-Discovery Protocol (WPAD).

[WPAD] is a technology which aids a web browser in automatically detecting the location of a PAC file using DNS or DHCP.

What that means? Your network administrator can insert special entries into DNS and DHCP servers. They instruct the OS and browser where to get the file with proxying rules.

Why can that be dangerous?

Windows searches for proxy autoconfig host in this order:

  1. DHCP option 22
  2. DNS host wpad in the search domain
  3. Using NetBIOS or WINS server (often it is forgotten that Windows has this fallback - at times, you can see broadcast queries for etc.)

If the DHCP option does not exist, it tries to find DNS entry. If that does not exist, NetBIOS/WINS query is attempted.

If the WPAD host is found, the browser then tries to download the proxy file (wpad.dat) from that host using HTTP.

So, you can just name your computer wpad. Suddenly, you’ve got the easiest MitM method around, without any need to do ARP poisoning or impersonate another computer. In our network, I was stunned how many computers do WPAD on a regular basis.

I’m a basic user. What can I do about it?

At home, do not connect devices to your network that you don’t trust. Or, create a separate guest Wi-Fi network for them, with client isolation. Ideally they should be on a different virtual network (VLAN).

What can network admins do?

It depends on whom you let into your network.

Basic access security matters. That is, on your switch:

Choose the options that you can implement and support and are applicable to your network.

Also: You can benefit from deploying WPAD on your network, even though you may have no intention of proxying the web traffic. If you set up the discovery on DHCP and DNS levels, an ordinary Windows computer might just use that. It should then not attempt any local network discovery; this helps to narrow the scope of possible attack. Also, then it shouldn’t happen that someone would just name their computer “wpad” and your DHCP server would just automatically set the DNS A/AAAA record to point to them.

Deploying WPAD

I’ll just direct you here for the guide:

Generally: To deploy WPAD, you will need to host a PAC file on an HTTP server, and then point your DHCP and DNS appropriately.

The PAC file can be really simple:

function FindProxyForURL(url, host) {
    return "DIRECT";

which just does no proxying at all.

Possible caveats

Was there ever something such as a free lunch in networking? The answer should be obvious, as this solution has its drawbacks:

Well. This probably wasn’t too comprehensive, but I hope you got the basic idea from the article. I might do more of these, because there’s always a couple of obscure things…