Question

WPAD host record and cname records not answering

Asked by: HUSATech

Hi Experts.

Trying to implement the Proxy Auto Configuration on a W2003 AD environment.
I think I have all the steps pretty clear, but I am stuck on some annoying situation that probably is something that I am missing.
I created a GPO that enables the "Auto Configuration" on my computer.
I created a proxy.pac file that configures my Proxy settings depending on the IP of my laptop (office range or VPN range > Proxy / others > No Proxy).
I pasted this file (renamed as "wpad.dat") to the root of my internal IIS web server.
I created an alias (cname) record on my DNS server named "wpad" pointing to the IIS server FQDN.
Problem: after 30 minutes, the PING WPAD still times out, EVEN from the DNS server itself.
I must be missing something really basic here....
After many tries (flush dns, etc...) I deleted the CNAME record, and created a HOST record, pointing to the IP of the IIS internal server.
Same issue: after many tries, the PING WPAD is still timing out.
Everything else seems to be working fine, but I just cannot ping the wpad record (the ping to the IIS server itself, or even to a DIFFERENT CNAME record that was pointing to the same server, is working just fine).

Any clue??

One last question regarding the PAC file itself:

My idea is to deploy a PAC file like this:
#################################################
function FindProxyForURL(url, host)
{
    // Either office range or the VPN range -> proxy; everything else -> direct.
    // The three tests are combined with || so that matching any one of them is enough.
    if (isInNet(myIpAddress(), "172.16.2.0", "255.255.255.0") ||
        isInNet(myIpAddress(), "172.16.20.0", "255.255.255.0") ||
        isInNet(myIpAddress(), "10.251.0.0", "255.255.248.0"))
        return "PROXY 145.47.86.151:8080";
    else
        return "DIRECT";
}
##################################################
Where ("172.16.2.0", "255.255.255.0") and ("172.16.20.0", "255.255.255.0") are my two sites IP ranges and ("10.251.0.0", "255.255.248.0") is my VPN IP range.

Should I expect any problem with the VPN IP range? I mean, how does the "FindProxyForURL(url, host)" function handle the fact that you have an IP (home Internet connection, hotel Internet connection, AirCard, etc...) and then you build a VPN tunnel that has a NEW IP address on top of that first one? Would this script work to enable the Proxy for those VPN users?

Thanks in advance guys.

Asked On: 2009-05-19 at 18:17:10 (ID 24423074)

Answers

 

by: Chris-Dent, posted on 2009-05-20 at 02:10:27, ID: 24429751


You should be able to lookup wpad, provided your client is querying the DNS server holding the record. Can you direct a query at the DNS server itself with "nslookup wpad somednsserver"?

The isInNet bases its response on the connecting IP Address. So if you have a VPN tunnel it should base it on the IP of the VPN interface as that would be forming the connection to the Proxy. Using wpad / proxy.pac here over several VPN connections without having to consider anything about the client's local network.

Chris
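Chris's point above, that isInNet() judges whatever address myIpAddress() hands it, is easiest to see by running the rule against sample client addresses. What follows is an added example, not the question's PAC file and not code from either participant: the asker's three ranges and proxy address as a PAC function, with the PAC built-ins isInNet() and myIpAddress() replaced by small Node shims so the "proxy or direct" decision can be evaluated offline. The shims, the decideFor() helper, the ipToInt() parser and the sample client addresses are this example's own assumptions; FindProxyForURL, isInNet and myIpAddress are the standard PAC names.

```javascript
// Added example (not the question's wpad.dat or either participant's code):
// the asker's rule as a PAC function plus Node shims for the PAC built-ins, so
// "proxy or direct" can be evaluated offline for any client address.
// Subnets and the proxy address come from the question; the shim names, decideFor(),
// ipToInt() and the sample client addresses are this example's own assumptions.
// Written in ES3-style JavaScript (var, plain loops) because real PAC engines of
// the Windows 2003 era accept only old JScript.

var PROXY = "PROXY 145.47.86.151:8080";

// Client ranges that must use the proxy (from the question).
var PROXIED_RANGES = [
  ["172.16.2.0",  "255.255.255.0"],  // office site 1
  ["172.16.20.0", "255.255.255.0"],  // office site 2
  ["10.251.0.0",  "255.255.248.0"]   // VPN address pool (10.251.0.0 - 10.251.7.255)
];

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Shim for the PAC built-in isInNet(host, pattern, mask). The browser's version also
// resolves hostnames; this stand-in handles literal IPv4 only and treats anything it
// cannot parse as "not in the network", the conservative answer for a selection rule.
function isInNet(host, pattern, mask) {
  var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// Shim for the PAC built-in myIpAddress(). In a browser the client fills this in;
// here the caller chooses which address is being simulated.
var simulatedClientIp = "0.0.0.0";
function myIpAddress() {
  return simulatedClientIp;
}

// The PAC entry point. Any of the three ranges selects the proxy; everything else,
// including addresses isInNet() cannot interpret, falls through to DIRECT.
function FindProxyForURL(url, host) {
  var me = myIpAddress();
  for (var i = 0; i < PROXIED_RANGES.length; i++) {
    if (isInNet(me, PROXIED_RANGES[i][0], PROXIED_RANGES[i][1])) return PROXY;
  }
  return "DIRECT";
}

// Evaluate the rule as if the client had the given address (test helper).
function decideFor(clientIp) {
  simulatedClientIp = clientIp;
  return FindProxyForURL("http://example.test/", "example.test");
}

// Constructed sample clients: two office hosts, one VPN client, one just outside the
// VPN pool, one home network, and two values a resolver might return instead.
var SAMPLE_CLIENTS = [
  "172.16.2.45", "172.16.20.200", "10.251.5.9", "10.251.8.1",
  "192.168.1.10", "127.0.0.1", "fe80::1"
];
for (var j = 0; j < SAMPLE_CLIENTS.length; j++) {
  console.log(SAMPLE_CLIENTS[j] + " -> " + decideFor(SAMPLE_CLIENTS[j]));
}
```

Run it with node to see the decision for each constructed address. To reuse the PAC part in a real wpad.dat, drop the two shims and the test code, otherwise they shadow the engine's own isInNet() and myIpAddress(). The edge case that matters for the VPN question: the rule decides on the single address myIpAddress() returns, and anything outside the three ranges (a home address if the OS reports the physical interface rather than the tunnel, 127.0.0.1, an IPv6 literal, or anything unparsable) falls through to DIRECT, so a mismatch shows up as clients silently bypassing the proxy rather than as an error.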

 

by: HUSATech, posted on 2009-05-20 at 08:02:59, ID: 24432673

Thanks for the advice, Chris. But this is getting more interesting:

As explained, I created an alias, CNAME record on my DNS, named "wpad" and pointing to the FQDN of my internal IIS server. In the exact same way as another alias I already have named "windowsupdate" pointing to the same server.

#############################################################
C:\>ping wpad
Ping request could not find host wpad. Please check the name and try again.

C:\>nslookup wpad <DNSServer1>
Server:  <DNSServer1>.domain.net
Address:  <IPofDNSServer1>

*** <DNSServer1>.domain.net can't find wpad: Non-existent domain

C:\>nslookup wpad <DNSServer2>
Server:  <DNSServer2>.domain.net
Address:  <IPofDNSServer2>

*** <DNSServer2>.domain.net can't find wpad: Non-existent domain

C:\>nslookup wpad <DNSServer3>
Server:  <DNSServer3>.domain.net
Address:  <IPofDNSServer3>

*** <DNSServer3>.domain.net can't find wpad: Non-existent domain

C:\>nslookup wpad <DNSServer4>
Server:  <DNSServer4>.domain.net
Address:  <IPofDNSServer4>

*** <DNSServer4>.domain.net can't find wpad: Non-existent domain

################################################


BUT if I do the same using another alias already existing that points to the SAME server, I get this:


###############################################

C:\>nslookup windowsupdate <DNSServer4>
Server:  <DNSServer4>.domain.net
Address:  <IPofDNSServer4>

Name:    <TargetServerName>.domain.net
Address:  <IPofTargetServer>
Aliases:  windowsupdate.domain.net

########################################################

At this point I am not sure if I am missing something really basic or if I should be worried about some wrong DNS behavior...

Any clue?? Thanks in advance.

 

by: HUSATech, posted on 2009-05-20 at 08:07:07, ID: 24432725

I just got this from MS:

"This error occurs when there is no PTR record for the name server's IP address. When Nslookup.exe starts, it does a reverse lookup to get the name of the default server. If no PTR data exists, this error message is returned. To correct make sure that a reverse lookup zone exists and contains PTR records for the name servers."

Checked the PTR records, and there IS a PTR record for the target server which the CNAME record is pointing to.....

Any help is appreciated. Thanks again.

 

by: HUSATech, posted on 2009-05-20 at 08:08:52, ID: 24432746

BTW, there obviously are PTR records also for all the DNS servers in the Reverse Zone ....

 

by: Chris-Dent, posted on 2009-05-20 at 08:12:57, ID: 24432802


> nslookup wpad <DNSServer1>

Odd, can you try by FQDN? e.g.

nslookup wpad.domain.net <DNSServer1>

I assume the WPAD entry is in the same zone? And that the client has a DNS Suffix for the domain it's expected to search?

> I just got this from MS:

Out of context, that refers to instances where you get this:

C:\>nslookup windowsupdate <DNSServer4>
Server:  UnKnown
Address:  <IPofDNSServer4>

And an error message. It's trying to populate the Server label and failing. That isn't a problem here, it's past that bit.

Chris

 

by: HUSATech, posted on 2009-05-20 at 08:22:27, ID: 24432915

Thanks again, Chris.

C:\>nslookup wpad.domain.net <DNSServer1>
Server:  <DNSServer1>.domain.net
Address:  <IPOfDNSServer1>

*** <DNSServer1>.domain.net can't find wpad.domain.net: Non-existent domain

????

 

by: Chris-Dent, posted on 2009-05-20 at 08:32:13, ID: 24433038


There has to be something wrong with the record.

Any chance you can post a screen shot of it?

There aren't any other CNAME records for wpad are there? Unlikely but...

Chris

 

by: HUSATech, posted on 2009-05-20 at 10:12:03, ID: 24434070

Hi Chris, the screen shot of the CNAME record is an option, but after hiding all the sensitive info, there is nothing really to check... I can tell you it has the same settings as the other CNAME pointing to the same server, and I actually selected the target server using the Browse option during the CNAME record creation....
There is no other wpad registry in the DNS server at all.
I am running out of ideas....
What would you like to check on the record itself?

 

by: HUSATech, posted on 2009-05-20 at 10:36:13, ID: 24434284

I think I have found something here, from the DNS event viewer:

####################################

The global query block list is a feature that prevents attacks on your network by  blocking DNS queries for specific host names. This feature has caused the DNS server to fail a query with error code NAME ERROR for wpad.noam.heiway.net. even though data for  this DNS name exists in the DNS database. Other queries in all locally  authoritative zones for other names that begin with labels in the block list  will also fail, but no event will be logged when further queries are blocked until the DNS server service on this computer is restarted. See product documentation for information about this feature and instructions on how to configure it.
 
Below is the current global query block list  (this list may be truncated in this event if it is too long):
wpad
isatap.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

########################################################

So at least I know the reason behind this weird issue, but the questions now are:

- I think what I am trying to do is something pretty usual, and actually it is a well-known way to get the Proxy settings deployed to my clients.... Am I the only one experiencing this issue? Or did I miss some extra step to solve this "by default" setting?
- Is there any known workaround for this?

Thanks again in advance.

 

by: Chris-Dent, posted on 2009-05-20 at 11:22:24, ID: 24434714


> Am I the only one experiencing this issue?

No, I don't think you will be.

I used WPAD in my last company and use it in my current without any configuration beyond adding the record and ticking the "automatic configuration" box in IE / Firefox.

But there's this, which is clearly responsible for the failure...

> The global query block list

I've not heard of this before, but my DNS servers are 2003 rather than 2008. This one is quoted as being a feature of 2008. Is that the case here?

Documentation for it is here:

http://technet.microsoft.com/en-us/library/cc794902.aspx

It looks like you can enable it, disable it, view the list and add. To remove items from the list it appears you would have to flush it entirely then re-add any entries you wanted to preserve (just isatap. perhaps).

It's all configurable with DNSCMD at least so should be easy enough to modify :) Want the commands?

Chris

 

by: HUSATech, posted on 2009-05-20 at 11:24:36, ID: 24434740

My DNS servers are for sure Windows 2003.
BUT what I am not that sure of is whether the parent domain (this company domain is a child domain of a bigger international parent one) has deployed some Windows 2008 DNS servers out there that are creating these issues.
I will check this out and will definitely update here.
Thanks for the info, Chris.

 

by: Chris-Dent, posted on 2009-05-20 at 11:27:16, ID: 24434773


Do your network clients use only your own DNS servers? It's odd that it's logging that event in the logs on the 2003 servers if the feature isn't available.

Chris

 

by: HUSATech, posted on 2009-05-20 at 11:36:54, ID: 24434889

Well, our domain DNS servers have configured some DNS forwarders: two internal DNS servers from the parent domain that are used when trying to solve any IP internal to the enterprise network IP ranges, and also two external DNS servers from the ISP provider that are used when trying to solve any Internet name, (since there was no Proxy in place).

After the deployment of the Proxy settings to everyone (what I am actually trying to do), these external DNS forwarders servers could be removed.

Any idea about where this could come from??

 

by: Chris-Dent, posted on 2009-05-20 at 11:53:20, ID: 24435095


Well it can't hurt to have a look and see what the DNS server thinks about the block list.

Perhaps run:

dnscmd <ServerName> /info /globalqueryblocklist

At worst it'll say "eh?".

Chris

 

by: HUSATech, posted on 2009-05-20 at 12:11:17, ID: 24435272

Different way of saying "eh?":

C:\>dnscmd <DNSServer1> /info /globalqueryblocklist
Info query failed
    status = 9553 (0x00002551)

Command failed:  DNS_ERROR_INVALID_PROPERTY     9553  (00002551)

 

by: Chris-Dent, posted on 2009-05-20 at 12:32:34, ID: 24435463


Figures ;)

It's odd that it managed to log the error into the event log on that server if it can't control the feature.

It's definitely not 2008? :)

It has registry entries associated with it, they're here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList

Would be worth having a quick look for those.

Chris

 

by: HUSATech, posted on 2009-05-20 at 12:42:49, ID: 24435549

It is definitely not a Windows 8 server ;-) it is a Windows 2003 server.

BUT it DOES have that registry key, REG_MULTI_SZ, with the two strings in there: wpad isatap

At this point, it looks like these values were always there, and this has nothing to do with Windows 8...

May this be a Global Policy being pushed from the parent domain to our DNS servers?? I will check that.

The remaining questions I guess are:

a) If I remove the wpad string, would it then work? (easy to check)
b) If I remove the wpad string, would the GPOs put it back during the next GPO update? (also easy to check)

Actually I am going to check it right now.... will update soon.

Thanks again, Chris.

 

by: Chris-Dent, posted on 2009-05-20 at 12:45:17, ID: 24435574


a) Yes, you're likely to need to restart the DNS Service.
b) I wouldn't be surprised.

Perhaps run "rsop.msc" and see if a policy is pushing that onto your machine?

Chris

 

by: HUSATech, posted on 2009-05-20 at 13:09:49, ID: 24435785

I can not see any policy being pushed, but not completely sure though.
Have you ever heard of this feature and the corresponding registry key being configured on Windows 2003 DNS servers?

I just removed the wpad from all my DNS servers registry entries and restarted the DNS Server services on those servers. The ping is working perfectly from all the DNS servers and from my own client.

I am going to wait to see if the changes are pushed back by any GPO, but for now, I will move forward with my tests about the Proxy Auto Configuration settings.

 

by: Chris-Dent, posted on 2009-05-20 at 13:18:49, ID: 24435884


> Have you ever heard of this feature and the corresponding registry key
> being configured on Windows 2003 DNS servers?

No, but I'm going to try it tomorrow and see if it can be enabled this way. I only have 2008 on my server here (at home).

Chris

 

by: Chris-Dent, posted on 2009-05-21 at 03:32:10, ID: 24439757


If you get a moment, could you grab the version number from %SystemRoot%\System32\DNS.exe?

Haven't been able to reproduce this on 2003 so far, seeing if I can find a newer version of DNS.exe.

Chris

 

by: Chris-Dent, posted on 2009-05-21 at 05:33:57, ID: 24440593


Well there we go.

It looks like Windows 2003 has that feature (although not documented) if you happen to be running version "5.2.3790.4460" of dns.exe. The previous version, released last year doesn't have it.

Chris

 

by: HUSATech, posted on 2009-05-21 at 06:39:48, ID: 24441236

Bingo.

I just checked. It is exactly that one: 5.2.3790.4460

How is it possible that this feature is not documented? I guess this has some significant impact, since what I am trying to do is not that exceptional, right?

 

by: Chris-Dent, posted on 2009-05-21 at 06:49:40, ID: 24441351


I couldn't say why it's not documented, I keep looking around to see if I can find any. It's not in the KB associated with the release of that version.

http://support.microsoft.com/kb/961063

By default it is disabled, or I would have noticed it on my production servers as well. I think you only suffer because of the apparently undocumented feature and the registry entries for it being pushed out. An unlucky combination more than anything else.

Chris

 

by: HUSATech, posted on 2009-05-22 at 07:23:31, ID: 24451285

Hey Chris, I will move on to the next step (basically make my proxy script work...), but I would say this question has been fully solved. Thanks for your help!

 

by: Chris-Dent, posted on 2009-05-22 at 07:23:55, ID: 24451291


No worries, good luck with the script :)

Chris

 

by: HUSATech, posted on 2009-05-22 at 07:24:00, ID: 31583319

Thanks Chris.

 

by: cjrmail2k, posted on 2010-06-03 at 07:23:06, ID: 32908360

FYI I had the exact problem on my windows 2000 domain controller (and DNS server). Editing the registry key works a charm.
