Bug 13202 - wpad and isatap dns field registration
Summary: wpad and isatap dns field registration
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.13.3
Hardware: All All
Importance: P5 critical
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2018-01-03 13:20 UTC by Denis Cardon
Modified: 2020-12-29 11:04 UTC
Description Denis Cardon 2018-01-03 13:20:31 UTC
Since MS-AD 2k3, registration of wpad and isatap DNS entries is blocked by default through a registry setting.

https://support.microsoft.com/en-us/help/968732/changes-to-dns-server-behavior-after-you-install-the-security-update-f

It prevents a rogue workstation joined with the name WPAD or ISATAP from MITMing the web traffic of applications configured with automatic proxy connection discovery, like Internet Explorer for example. I guess it is more of a problem on MS-AD where an authenticated user could join 10 workstations to the domain.

On Samba4-AD there is no such protection.
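
An audit for the condition the report describes, as an added example (not part of the bug report and not Samba code): it flags DNS records whose leftmost label is `wpad` or `isatap` so an administrator can review who registered them. The record tuples, zone name and addresses are constructed sample data, and matching on the leftmost label only, ignoring case, is an assumption of this sketch.

```python
# Added example: audit DNS record names against a query block list.
# All records below are constructed sample data, not real server output.
BLOCKED_LABELS = {"wpad", "isatap"}  # the two names the bug report discusses


def leftmost_label(owner, zone):
    """Return the lower-cased first label of a record's owner name.

    '@' (zone apex) is expanded to the zone name itself.
    """
    name = zone if owner == "@" else owner
    return name.rstrip(".").split(".")[0].lower()


def find_blocked_records(records, blocked=BLOCKED_LABELS):
    """Return the records whose leftmost label is on the block list.

    Assumption: matching is on the leftmost label only and ignores case,
    so 'WPAD' and 'wpad.branch' match while 'wpad2' and 'pc.wpad' do not.
    """
    hits = []
    for zone, owner, rtype, data in records:
        if leftmost_label(owner, zone) in blocked:
            hits.append((zone, owner, rtype, data))
    return hits


# Constructed sample zone contents: (zone, owner name, type, data).
SAMPLE_RECORDS = [
    ("example.test", "@", "A", "192.0.2.10"),
    ("example.test", "dc1", "A", "192.0.2.10"),
    ("example.test", "WPAD", "A", "192.0.2.66"),
    ("example.test", "isatap.branch", "AAAA", "2001:db8::66"),
    ("example.test", "wpad2", "A", "192.0.2.67"),
    ("example.test", "pc.wpad", "A", "192.0.2.68"),
    ("example.test", "wpad.example.test.", "CNAME", "pc7.example.test."),
]

if __name__ == "__main__":
    for zone, owner, rtype, data in find_blocked_records(SAMPLE_RECORDS):
        print(f"review: {owner} ({rtype} -> {data}) in zone {zone}")
```

Feed it the records exported from each zone the domain controller is authoritative for; any hit that was not created deliberately by an administrator deserves a look at which account owns it.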