Solved

WPAD host record and cname records not answering

Posted on 2009-05-19
29
10,402 Views
Last Modified: 2016-08-03
Hi Experts.

Trying to implement the Proxy Auto Configuration on a W2003 AD environment.
I think I have all the steps pretty clear, but I am stuck on some annoying situation that probably is something that I am missing.
I created a GPO that enables the "Auto Configuration" on my computer.
I created a proxy.pac file that configures my Proxy settings depending on the IP of my laptop (office range or VPN range > Proxy / others > No Proxy).
I pasted this file (renamed as "wpad.dat") to the root of my internal IIS web server.
I created an alias (cname) record on my DNS server named "wpad" pointing to the IIS server FQDN.
Problem: after 30 minutes, the PING WPAD still times out, EVEN from the DNS server itself.
I must be missing something really basic here....
After many tries (flush dns, etc...) I deleted the CNAME record, and created a HOST record, pointing to the IP of the IIS internal server.
Same issue: after many tries, the PING WPAD is still timing out.
Everything else seems to be working fine, but I just can not ping the wpad record (the ping to the IIS server itself, or even to a DIFFERENT CNAME record that was pointing to the same server, is working just fine).

Any clue??

One last question regarding the PAC file itself:

My idea is to deploy a PAC file like this:
#################################################
function FindProxyForURL(url, host)
{
    // Office site 1, office site 2 and the VPN pool all go through the proxy.
    // The three checks must be joined with || : three nested ifs (as originally
    // written) could never reach the PROXY branch and returned nothing at all
    // for most addresses.
    if (isInNet(myIpAddress(), "172.16.2.0", "255.255.255.0") ||
        isInNet(myIpAddress(), "172.16.20.0", "255.255.255.0") ||
        isInNet(myIpAddress(), "10.251.0.0", "255.255.248.0"))
        return "PROXY 145.47.86.151:8080";
    else
        return "DIRECT";
}
##################################################
Where ("172.16.2.0", "255.255.255.0") and ("172.16.20.0", "255.255.255.0") are my two sites IP ranges and ("10.251.0.0", "255.255.248.0") is my VPN IP range.

Should I expect any problem with the VPN IP range? I mean, how does the "FindProxyForURL(url, host)" function handle the fact that you have an IP (home Internet connection, hotel Internet connection, AirCard, etc...) and then you build a VPN tunnel that has a NEW IP address on top of that first one? Would this script work to enable the Proxy for those VPN users?

Thanks in advance guys.
0
Question by:HUSATech
29 Comments
 
LVL 70

Expert Comment

by:Chris Dent

You should be able to look up wpad, provided your client is querying the DNS server holding the record. Can you direct a query at the DNS server itself with "nslookup wpad somednsserver"?

The isInNet bases its response on the connecting IP Address. So if you have a VPN tunnel it should base it on the IP of the VPN interface as that would be forming the connection to the Proxy. Using wpad / proxy.pac here over several VPN connections without having to consider anything about the client's local network.

Chris
0
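The following harness is an added example, not code from the question or from Chris's reply. It exercises the decision in the question's PAC file (the three ranges joined with ||) against constructed client addresses, including the VPN case discussed above. The PAC helpers isInNet() and myIpAddress() are not available outside a browser, so isInNet() is re-implemented here from its documented semantics (host AND mask equals pattern AND mask) and myIpAddress() is replaced by a clientIp parameter; the sample addresses and the proxy/range values are the ones from the question.

```javascript
// Added PAC test harness (not from the original post). Runs under Node; no browser needed.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 ||
      parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error('invalid IPv4 address: ' + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Re-implementation of the PAC helper isInNet(host, pattern, mask):
// true when (host & mask) == (pattern & mask).
function isInNet(host, pattern, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

// The three ranges and the proxy from the question.
const OFFICE_SITE_1 = ['172.16.2.0', '255.255.255.0'];
const OFFICE_SITE_2 = ['172.16.20.0', '255.255.255.0'];
const VPN_POOL      = ['10.251.0.0', '255.255.248.0'];   // /21: 10.251.0.0 - 10.251.7.255
const PROXY = 'PROXY 145.47.86.151:8080';

// Same decision as the question's PAC file, with the three checks joined by ||.
// clientIp stands in for myIpAddress(); url and host are unused, as in the original.
function findProxyForUrl(url, host, clientIp) {
  if (isInNet(clientIp, ...OFFICE_SITE_1) ||
      isInNet(clientIp, ...OFFICE_SITE_2) ||
      isInNet(clientIp, ...VPN_POOL)) {
    return PROXY;
  }
  return 'DIRECT';
}

// Constructed scenarios. The "VPN tunnel up" case assumes myIpAddress() reports the
// VPN adapter's address once the tunnel is established; which address a multi-homed
// client reports is implementation-dependent, so that is the case to confirm on a
// real client before relying on it.
const SCENARIOS = [
  { name: 'office site 1 desktop',          ip: '172.16.2.45'   },
  { name: 'office site 2 laptop',           ip: '172.16.20.200' },
  { name: 'hotel wifi, no tunnel',          ip: '192.168.1.23'  },
  { name: 'hotel wifi, VPN tunnel up',      ip: '10.251.3.17'   },
  { name: 'just outside the VPN /21 pool',  ip: '10.251.8.1'    },
];

// Evaluate every scenario and return the decisions for inspection.
function runScenarios() {
  return SCENARIOS.map(s => ({
    name: s.name,
    ip: s.ip,
    result: findProxyForUrl('http://intranet/', 'intranet', s.ip),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runScenarios()) {
    console.log(`${r.name.padEnd(32)} ${r.ip.padEnd(15)} -> ${r.result}`);
  }
}
```

Running the file prints one line per scenario: the two office addresses and the tunnelled address get PROXY, the untunnelled hotel address and the address one past the /21 boundary get DIRECT. Swapping the || back for nested ifs makes the office and VPN cases return undefined, which is the defect in the script as originally posted.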
 

Author Comment

by:HUSATech
Thanks for the advice, Chris. But this is getting more interesting:

As explained, I created an alias, CNAME record on my DNS, named "wpad" and pointing to the FQDN of my internal IIS server. In the exact same way as another alias I already have named "windowsupdate" pointing to the same server.

#############################################################
C:\>ping wpad
Ping request could not find host wpad. Please check the name and try again.

C:\>nslookup wpad <DNSServer1>
Server:  <DNSServer1>.domain.net
Address:  <IPofDNSServer1>

*** <DNSServer1>.domain.net can't find wpad: Non-existent domain

C:\>nslookup wpad <DNSServer2>
Server:  <DNSServer2>.domain.net
Address:  <IPofDNSServer2>

*** <DNSServer2>.domain.net can't find wpad: Non-existent domain

C:\>nslookup wpad <DNSServer3>
Server:  <DNSServer3>.domain.net
Address:  <IPofDNSServer3>

*** <DNSServer3>.domain.net can't find wpad: Non-existent domain

C:\>nslookup wpad <DNSServer4>
Server:  <DNSServer4>.domain.net
Address:  <IPofDNSServer4>

*** <DNSServer4>.domain.net can't find wpad: Non-existent domain

################################################


BUT if I do the same using another alias already existing that points to the SAME server, I get this:


###############################################

C:\>nslookup windowsupdate <DNSServer4>
Server:  <DNSServer4>.domain.net
Address:  <IPofDNSServer4>

Name:    <TargetServerName>.domain.net
Address:  <IPofTargetServer>
Aliases:  windowsupdate.domain.net

########################################################

At this point I am not sure if I am missing something really basic or if I should be worried about some wrong DNS behavior...

Any clue?? Thanks in advance.
0
 

Author Comment

by:HUSATech
I just got this from MS:

"This error occurs when there is no PTR record for the name server's IP address. When Nslookup.exe starts, it does a reverse lookup to get the name of the default server. If no PTR data exists, this error message is returned. To correct make sure that a reverse lookup zone exists and contains PTR records for the name servers."

Checked the PTR records, and there IS a PTR record for the target server which the CNAME record is pointing to.....

Any help is appreciated. Thanks again.
0
 

Author Comment

by:HUSATech
BTW, there obviously are PTR records also for all the DNS servers in the Reverse Zone ....
0
 
LVL 70

Expert Comment

by:Chris Dent

> nslookup wpad <DNSServer1>

Odd, can you try by FQDN? e.g.

nslookup wpad.domain.net <DNSServer1>

I assume the WPAD entry is in the same zone? And that the client has a DNS Suffix for the domain it's expected to search?

> I just got this from MS:

Out of context, that refers to instances where you get this:

C:\>nslookup windowsupdate <DNSServer4>
Server:  UnKnown
Address:  <IPofDNSServer4>

And an error message. It's trying to populate the Server label and failing. That isn't a problem here, it's past that bit.

Chris
0
 

Author Comment

by:HUSATech
Thanks again, Chris.

C:\>nslookup wpad.domain.net <DNSServer1>
Server:  <DNSServer1>.domain.net
Address:  <IPOfDNSServer1>

*** <DNSServer1>.domain.net can't find wpad.domain.net: Non-existent domain

????
0
 
LVL 70

Expert Comment

by:Chris Dent

There has to be something wrong with the record.

Any chance you can post a screen shot of it?

There aren't any other CNAME records for wpad are there? Unlikely but...

Chris
0
 

Author Comment

by:HUSATech
Hi Chris, the screen shot of the CNAME record is an option, but after hiding all the sensitive info, there is nothing really to check... I can tell you it has the same settings as the other CNAME pointing to the same server, and I actually selected the target server using the Browse option during the CNAME record creation....
There is no other wpad record in the DNS server at all.
I am running out of ideas....
What would you like to check on the record itself?
0
 

Author Comment

by:HUSATech
I think I have found something here, from the DNS event viewer:

####################################

The global query block list is a feature that prevents attacks on your network by  blocking DNS queries for specific host names. This feature has caused the DNS server to fail a query with error code NAME ERROR for wpad.noam.heiway.net. even though data for  this DNS name exists in the DNS database. Other queries in all locally  authoritative zones for other names that begin with labels in the block list  will also fail, but no event will be logged when further queries are blocked until the DNS server service on this computer is restarted. See product documentation for information about this feature and instructions on how to configure it.
 
Below is the current global query block list  (this list may be truncated in this event if it is too long):
wpad
isatap.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

########################################################

So at least I know the reason behind this weird issue, but the questions now are:

- I think what I am trying to do is something pretty usual, and actually it is a well-known way to get the Proxy settings deployed to my clients.... Am I the only one experiencing this issue? Or did I miss some extra step to solve this "by default" setting?
- Is there any known workaround for this?

Thanks again in advance.

0
 
LVL 70

Expert Comment

by:Chris Dent

> Am I the only one experiencing this issue?

No, I don't think you will be.

I used WPAD in my last company and use it in my current without any configuration beyond adding the record and ticking the "automatic configuration" box in IE / Firefox.

But there's this, which is clearly responsible for the failure...

> The global query block list

I've not heard of this before, but my DNS servers are 2003 rather than 2008. This one is quoted as being a feature of 2008. Is that the case here?

Documentation for it is here:

http://technet.microsoft.com/en-us/library/cc794902.aspx

It looks like you can enable it, disable it, view the list and add. To remove items from the list it appears you would have to flush it entirely then re-add any entries you wanted to preserve (just isatap. perhaps).

It's all configurable with DNSCMD at least, so it should be easy enough to modify :) Want the commands?

Chris
0
 

Author Comment

by:HUSATech
My DNS servers are for sure Windows 2003.
BUT what I am not so sure about is whether the parent domain (this company domain is a child domain of a bigger international parent one) has deployed some Windows 2008 DNS servers out there that are creating these issues.
I will check this out and will definitely update here.
Thanks for the info, Chris.
0
 
LVL 70

Expert Comment

by:Chris Dent

Do your network clients use only your own DNS servers? It's odd that it's logging that event in the logs on the 2003 servers if the feature isn't available.

Chris
0
 

Author Comment

by:HUSATech
Well, our domain DNS servers have some DNS forwarders configured: two internal DNS servers from the parent domain that are used when trying to resolve any name internal to the enterprise network IP ranges, and also two external DNS servers from the ISP that are used when trying to resolve any Internet name (since there was no Proxy in place).

After the deployment of the Proxy settings to everyone (what I am actually trying to do), these external DNS forwarder servers could be removed.

Any idea about where this could come from??
0
 
LVL 70

Expert Comment

by:Chris Dent

Well it can't hurt to have a look and see what the DNS server thinks about the block list.

Perhaps run:

dnscmd <ServerName> /info /globalqueryblocklist

At worst it'll say "eh?".

Chris
0
 

Author Comment

by:HUSATech
Different way of saying "eh?":

C:\>dnscmd <DNSServer1> /info /globalqueryblocklist
Info query failed
    status = 9553 (0x00002551)

Command failed:  DNS_ERROR_INVALID_PROPERTY     9553  (00002551)
0
 
LVL 70

Expert Comment

by:Chris Dent

Figures ;)

It's odd that it managed to log the error into the event log on that server if it can't control the feature.

It's definitely not 2008? :)

It has registry entries associated with it, they're here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList

Would be worth having a quick look for those.

Chris
0
 

Author Comment

by:HUSATech
It is definitely not a Windows 8 server ;-) it is a Windows 2003 server.

BUT it DOES have that registry key, REG_MULTI_SZ, with the two strings in there: wpad isatap

At this point, it looks like these values were always there, and this has nothing to do with Windows 8...

May this be a Global Policy being pushed from the parent domain to our DNS servers?? I will check that.

The remaining questions I guess are:

a) If I remove the wpad string, would it then work? (easy to check)
b) If I remove the wpad string, would the GPOs put it back during the next GPO update? (also easy to check)

Actually I am going to check it right now.... will update soon.

Thanks again, Chris.
0
 
LVL 70

Expert Comment

by:Chris Dent

a) Yes, you're likely to need to restart the DNS Service.
b) I wouldn't be surprised.

Perhaps run "rsop.msc" and see if a policy is pushing that onto your machine?

Chris
0
 

Author Comment

by:HUSATech
I can not see any policy being pushed, but not completely sure though.
Have you ever heard of this feature and the corresponding registry key being configured on Windows 2003 DNS servers?

I just removed the wpad entry from all my DNS servers' registry entries and restarted the DNS Server service on those servers. The ping is working perfectly from all the DNS servers and from my own client.

I am going to wait to see if the changes are pushed back by any GPO, but for now, I will move forward with my tests about the Proxy Auto Configuration settings.
0
 
LVL 70

Expert Comment

by:Chris Dent

> Have you ever heard of this feature and the corresponding registry key
> being configured on Windows 2003 DNS servers?

No, but I'm going to try it tomorrow and see if it can be enabled this way. I only have 2008 on my server here (at home).

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent

If you get a moment, could you grab the version number from %SystemRoot%\System32\DNS.exe?

Haven't been able to reproduce this on 2003 so far, seeing if I can find a newer version of DNS.exe.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent

Well there we go.

It looks like Windows 2003 has that feature (although not documented) if you happen to be running version "5.2.3790.4460" of dns.exe. The previous version, released last year, doesn't have it.

Chris
0
 

Author Comment

by:HUSATech
Bingo.

I just checked. It is exactly that one: 5.2.3790.4460

How is it possible that this feature is not documented? I guess this has some significant impact, since what I am trying to do is not that exceptional, right?

0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 125 total points

I couldn't say why it's not documented, I keep looking around to see if I can find any. It's not in the KB associated with the release of that version.

http://support.microsoft.com/kb/961063

By default it is disabled, or I would have noticed it on my production servers as well. I think you only suffer because of the apparently undocumented feature and the registry entries for it being pushed out. An unlucky combination more than anything else.

Chris
0
 

Author Comment

by:HUSATech
Hey Chris, I will move on to the next step (basically make my proxy script work...), but I would say this question has been fully solved. Thanks for your help!
0
 
LVL 70

Expert Comment

by:Chris Dent

No worries, good luck with the script :)

Chris
0
 

Author Closing Comment

by:HUSATech
Thanks Chris.
0
 
LVL 10

Expert Comment

by:cjrmail2k
FYI I had the exact problem on my windows 2000 domain controller (and DNS server). Editing the registry key works a charm.
0
 

Expert Comment

by:Member_2_7970327
Hi,

I had the same issue. I found out that the 'DNS block list' feature of Microsoft DNS server caused the problem. You gotta remove the wpad entry from DNS block list. Steps to do that:

https://technet.microsoft.com/en-us/library/cc995158.aspx

And make sure to follow Technet articles to set up wpad.
0
