Solved

Allow ISATAP and WPAD in OpenDNS Whitelist?

Posted on 2012-04-11
Last Modified: 2012-04-12
I have recently implemented OpenDNS web content filtering at all of my company's retail locations.  I've chosen to use their Whitelist available with the Enterprise package to limit access.  Choosing this method required us to compose a list not only of sites they will need to browse but sites necessary for all related technology to function and update.

In monitoring the blocked domains I have found a number of isatap.<domain> and wpad.<domain> entries.  I have researched these but I have not yet found anything which can assure me that it will be safe to allow them.  OpenDNS, naturally, uses their DNS servers to enforce the filtering so I need to be absolutely sure these will not allow users to bypass this.

This may be a silly question for you networking gurus, but I am not yet there and would really appreciate some help understanding this.  Thanks!
Question by:YD_IT_Guy

Accepted Solution

by:
BudDurland earned 500 total points
ID: 37836732
Both ISATAP and WPAD are used by computers to search for additional configuration options.  When a browser starts, it will look for wpad.<domain>, and if found, will fetch from that host any corporate-required proxy settings.  ISATAP is used, I believe, for IPv6 settings.  I would not whitelist these entries, to avoid having them hijacked.  If you are very concerned, add an entry for each to the computer's HOSTS file, pointing to 127.0.0.1.
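As an added example (not part of the thread and not BudDurland's code), the following Python script implements the HOSTS-file approach from the accepted solution for a list of DNS suffixes: it appends a loopback entry for wpad.<suffix> and isatap.<suffix>, is idempotent when run again, and reports any of those names that an existing line already pins to a non-loopback address (Windows uses the first matching hosts entry, so a blindly appended loopback line would not win over one). The sample hosts content, the domain suffixes and the deploy path are constructed assumptions for illustration.

```python
"""Pin wpad.<domain> and isatap.<domain> to loopback in a hosts file (added example)."""

# Constructed sample hosts file content; not taken from any real machine.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
10.0.0.5   intranet.example.local   # existing entry, left untouched
127.0.0.1  wpad.example.local
"""

# Assumed location on a Windows client; only used by the demo in __main__.
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
MARKER = "# dns-filter sink"          # tag so the pushed lines are easy to find and remove
LOOPBACK = ("127.0.0.1", "::1")


def sink_names(domains):
    """wpad.<d> and isatap.<d> for every DNS suffix a client may append when searching."""
    names = []
    for d in domains:
        d = d.strip().strip(".").lower()
        if d:
            names.extend([f"wpad.{d}", f"isatap.{d}"])
    return names


def parse_hosts(text):
    """Map hostname -> address for non-comment lines; the first entry for a name wins,
    which is how Windows resolves a name that appears more than once in hosts."""
    mapping = {}
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        addr, hosts = parts[0], parts[1:]
        for h in hosts:
            mapping.setdefault(h.lower(), addr)
    return mapping


def patch_hosts(text, domains, addr="127.0.0.1"):
    """Append a loopback line for every sink name that has no entry yet.

    Names that already have an entry are skipped (idempotent), including names
    pinned somewhere other than loopback; use unresolved_sinks() to catch those.
    Returns (new_text, list_of_added_names).
    """
    existing = parse_hosts(text)
    lines = text.splitlines()
    added = []
    for name in sink_names(domains):
        if name in existing:
            continue
        lines.append(f"{addr}\t{name}\t{MARKER}")
        added.append(name)
    return "\n".join(lines) + "\n", added


def unresolved_sinks(text, domains):
    """Post-deploy check: sink names this hosts file still does NOT send to loopback."""
    mapping = parse_hosts(text)
    return [n for n in sink_names(domains) if mapping.get(n) not in LOOPBACK]


if __name__ == "__main__":
    # Demo on the constructed sample; a real deploy would read/write HOSTS_PATH.
    suffixes = ["example.local", "retail.example.local"]
    new_text, added = patch_hosts(SAMPLE_HOSTS, suffixes)
    print("added:", added)
    print("still not sunk to loopback:", unresolved_sinks(new_text, suffixes))
    print(new_text)
```

Pinning these names in hosts only stops the DNS lookup on machines that receive the file; it does not replace the OpenDNS block, and a site that legitimately publishes a WPAD proxy would be broken by it, which is exactly what `unresolved_sinks` flags before the file is pushed.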

Author Comment

by:YD_IT_Guy
ID: 37838263
Thank you.  Your answer is what I needed and your solution is professional.  However, I feel the danger of hijacking is nil and blocking via hosts file is laborious with this number of remote machines.  If hijacking is not a concern of mine, would you see a problem adding them to the whitelist just to get them off my blocked domains report? Otherwise, I would probably continue with them being blocked in this fashion.

Thank you for your help!

Author Comment

by:YD_IT_Guy
ID: 37838961
More specifically, could allowing WPAD.<domain> potentially allow access to restricted sites via proxy?  If this is not a danger, I would prefer to allow wpad and isatap.

Expert Comment

by:BudDurland
ID: 37840708
The danger would be if your domain's DNS server was the victim of hijacking or cache poisoning.  In that event, a bad guy could create an entry for wpad.<domain>, which would then point your users' browsers to some bogus proxy server that could, for example, redirect all sites to something completely different.

So, blocking resolution of wpad and isatap is probably advisable.

Author Comment

by:YD_IT_Guy
ID: 37840742
Understood, I appreciate your explaining this further.  We will continue to block these via OpenDNS until we create a hosts file to push out to locations.

Thanks again!