Bug 13202 - wpad and isatap dns field registration
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.7.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2018-01-03 13:20 UTC by Denis Cardon
Modified: 2018-01-03 13:20 UTC (History)
Description Denis Cardon 2018-01-03 13:20:31 UTC
Since MS-AD 2k3, registration of wpad and isatap DNS entries is blocked by default through a registry setting.

https://support.microsoft.com/en-us/help/968732/changes-to-dns-server-behavior-after-you-install-the-security-update-f

It prevents a rogue workstation joined with the name WPAD or ISATAP from MITMing the web traffic of applications configured with automatic proxy connection discovery, like Internet Explorer for example. I guess it is more of a problem on MS-AD, where an authenticated user could join 10 workstations to the domain.

On Samba4-AD there is no such protection.
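
Until such a block exists, an administrator can audit the AD DNS zone for these names. The following is an added example, not part of the original report and not Samba code: it flags records whose leftmost label is `wpad` or `isatap`. The zone name, the record list and the function names are constructed for illustration, and matching on the leftmost label at any depth in the zone is an assumption about how a block list would be applied.

```python
# Added example: audit DNS record names against a WPAD/ISATAP block list.
# Zone name and records are constructed sample data, not taken from the bug.
BLOCKED_LABELS = frozenset({"wpad", "isatap"})  # the two names named in the report


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop surrounding whitespace and the root dot."""
    return name.strip().rstrip(".").lower()


def is_blocked(fqdn: str, zone: str, blocked=BLOCKED_LABELS) -> bool:
    """True if fqdn lies inside zone and its leftmost label is on the block list."""
    fqdn, zone = normalize(fqdn), normalize(zone)
    if not fqdn.endswith("." + zone):
        return False  # zone apex, or a name that is not in this zone
    leftmost = fqdn.split(".", 1)[0]
    return leftmost in blocked  # exact label match, so "wpadserver" passes


def audit(records, zone):
    """Return the (name, type, data) records that a block list would refuse."""
    return [rec for rec in records if is_blocked(rec[0], zone)]


SAMPLE_ZONE = "samdom.example.com"  # hypothetical AD DNS zone
SAMPLE_RECORDS = [  # constructed (name, type, data) tuples
    ("dc1.samdom.example.com", "A", "192.0.2.10"),
    ("WPAD.samdom.example.com.", "A", "192.0.2.66"),         # case and root dot
    ("isatap.lab.samdom.example.com", "A", "192.0.2.67"),    # deeper in the zone
    ("wpadserver.samdom.example.com", "A", "192.0.2.20"),    # prefix only
    ("wpad.example.net", "A", "198.51.100.5"),               # different zone
]

if __name__ == "__main__":
    for name, rtype, data in audit(SAMPLE_RECORDS, SAMPLE_ZONE):
        print(f"review record: {name} {rtype} {data}")
```

Any record it reports should be traced back to the machine account that registered it before the record is removed.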