YD_IT_Guy
asked on
Allow ISATAP and WPAD in OpenDNS Whitelist?
I have recently implemented OpenDNS web content filtering at all of my company's retail locations. I've chosen to use their Whitelist available with the Enterprise package to limit access. Choosing this method required us to compose a list not only of sites they will need to browse but sites necessary for all related technology to function and update.
In monitoring the blocked domains I have found a number of isatap.<domain> and wpad.<domain> entries. I have researched these but I have not yet found anything which can assure me that it will be safe to allow them. OpenDNS, naturally, uses their DNS servers to enforce the filtering so I need to be absolutely sure these will not allow users to bypass this.
This may be a silly question for you networking gurus, but I am not yet there and would really appreciate some help understanding this. Thanks!
In monitoring the blocked domains I have found a number of isatap.<domain> and wpad.<domain> entries. I have researched these but I have not yet found anything which can assure me that it will be safe to allow them. OpenDNS, naturally, uses their DNS servers to enforce the filtering so I need to be absolutely sure these will not allow users to bypass this.
This may be a silly question for you networking gurus, but I am not yet there and would really appreciate some help understanding this. Thanks!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
More specifically, could allowing WPAD.<domain> potentially allow access to restricted sites via proxy? If this is not a danger, I would prefer to allow wpad and isatap.
The danger would be if someone your domain's DNS server was victim to hijacking or cache poisoning. In that event,va bad guy could create an entry for wpad.domain>, which would then point your users browsers to some bogus proxy server that could , for example, redirect all sites to something completely different.
So, blocking resolution of wpad and isatap is probably advisable.
So, blocking resolution of wpad and isatap is probably advisable.
ASKER
Understood, I appreciate your explaining this further. We will continue to block these via OpenDNS until we create a hosts file to push out to locations.
Thanks again!
Thanks again!
ASKER
Thank you for your help!