[Unbound-users] preventing host lookup/reply
alex at digriz.org.uk
Sat Feb 19 11:54:11 CET 2011
Chris Smith <fixie at chrissmith.org> wrote:
> Specifically in this case I want to prevent wpad.<whatever> lookups.
> Seems I can refuse to answer the query with:
> local-zone: "wpad.<whatever>." refuse
> or send effectively invalid information:
> local-data: "wpad.<whatever>. A 127.0.0.1" - or via a stub-zone auth
> server (nsd) method
If 'wpad.example.com' does not actually have an A/AAAA/CNAME record,
then what are you trying to do? I do not think unbound supports
wildcard blocking (i.e. 'wpad.*') either; I think to do this you would
have to look to the python hooks to help you out.
> Is one more effective than the other? Does a refusal effectively stop
> further inquiries from the client? Or would it free up the client
> sooner, longer or more effectively to send it the localhost address?
The client should make a WPAD lookup once per HTTP session, if it is
configured to 'automatically detect proxy settings'.
Returning REFUSED/NXDOMAIN will have no effect on the rate of queries.
> Is one possibly more effective against a rogue DNS server on the
> network? Or against a rogue system with a hostname of wpad (maybe
> advertising itself via NetBIOS - hopefully static wins entries prevent
> this - or some other method)?
You can configure, via DHCP, for clients to disable NetBIOS over TCP/IP.
As for rogue DHCP/DNS servers, check to see if your network hardware
supports "dhcp snooping"/"arp inspection"/"switchport protection" or
whatever the non-Cisco equivalent might be.
What is it you are trying to achieve? I'm curious about how you think
blocking WPAD lookups will help you get closer to your goal? Maybe it
is just the wording, but it seems you are attempting to obliterate every
byte of supposedly unwanted traffic on the local network?
WPAD (if you do not know) is how many systems automatically hunt for
proxy servers...which is a *good* thing. It is always handy to have a
proxy server, especially as you can use it to help your userbase get to
braindead websites that put HTTP services on ports other than 80/tcp
(means your firewalling is easier).
.sigmonster says: Campbell's Law:
Nature abhors a vacuous experimenter.
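The three unbound answers discussed in this thread, side by side in one unbound.conf fragment. This is an added example, not configuration from the thread; it assumes the domain is example.com and uses the always_nxdomain zone type, which exists in current unbound releases but not in the 2011 version this thread was written for.

```conf
server:
    # Log every query so you can see which clients still ask for wpad
    # after the change (useful for spotting a host that ignores DHCP
    # proxy settings or a rogue device probing the name).
    log-queries: yes

    # Option 1 (the 'refuse' choice from the thread): answer REFUSED.
    # The client gets rcode 5 and no address; unbound never forwards
    # the query upstream.
    local-zone: "wpad.example.com." refuse

    # Option 2 (newer unbound only): answer NXDOMAIN for the name and
    # everything below it, which is the cleanest "this name does not
    # exist" signal for a client that retries on other error codes.
    # Uncomment this and comment out option 1 to use it.
    # local-zone: "wpad.example.com." always_nxdomain

    # Option 3 (the 'local-data' choice from the thread): hand out a
    # fixed loopback address. With the 'static' zone type unbound also
    # returns NODATA for AAAA and NXDOMAIN for names below
    # wpad.example.com. that have no local-data, so nothing leaks
    # upstream. Uncomment both lines and comment out option 1 to use it.
    # local-zone: "wpad.example.com." static
    # local-data: "wpad.example.com. IN A 127.0.0.1"
```

After reloading, `dig @127.0.0.1 wpad.example.com` shows which rcode (REFUSED, NXDOMAIN, or NOERROR with 127.0.0.1) the chosen option returns; note that none of these block a wpad host advertised via NetBIOS, which the DHCP/NetBIOS advice above covers.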