Allow ISATAP and WPAD in OpenDNS Whitelist?

I have recently implemented OpenDNS web content filtering at all of my company's retail locations.  I've chosen to use their Whitelist available with the Enterprise package to limit access.  Choosing this method required us to compose a list not only of sites they will need to browse but sites necessary for all related technology to function and update.

In monitoring the blocked domains I have found a number of isatap.<domain> and wpad.<domain> entries.  I have researched these but I have not yet found anything which can assure me that it will be safe to allow them.  OpenDNS, naturally, uses their DNS servers to enforce the filtering so I need to be absolutely sure these will not allow users to bypass this.

This may be a silly question for you networking gurus, but I am not yet there and would really appreciate some help understanding this.  Thanks!
YD_IT_GuyAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

BudDurlandDirector of ITCommented:
Both ISATAP and WPAD are used by computer to search for additional configuration options.  When a browser starts, it will look for wpad.<domain>, and if found, will fetch from that host any corporate required proxy settings.  ISATAP is used, I beleive, for IPV6 settings.  I would not whitelist these entries, to avoid having them hijacked.  If you are very concerned, add an entry for each to the computers HOSTS file, pointing to 127.0.0.1
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
YD_IT_GuyAuthor Commented:
Thank you.  Your answer is what I needed and your solution is professional.  However, I feel the danger of hijacking is nil and blocking via hosts file is laborious with this number of remote machines.  If hijacking is not a concern of mine, would you see a problem adding them to the whitelist just to get them off my blocked domains report? Otherwise, I would probably continue with them being blocked in this fashion.

Thank you for your help!
0
YD_IT_GuyAuthor Commented:
More specifically, could allowing WPAD.<domain> potentially allow access to restricted sites via proxy?  If this is not a danger, I would prefer to allow wpad and isatap.
0
BudDurlandDirector of ITCommented:
The danger would be if someone your domain's DNS server was victim to hijacking or cache poisoning.  In that event,va bad guy could create an entry for wpad.domain>,  which would then point your users browsers to some bogus proxy server that could , for example, redirect all sites to something completely different.

So, blocking resolution of wpad and isatap is probably advisable.
0
YD_IT_GuyAuthor Commented:
Understood, I appreciate your explaining this further.  We will continue to block these via OpenDNS until we create a hosts file to push out to locations.

Thanks again!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
DNS

From novice to tech pro — start learning today.