Am I the only one to find one of the recommended mitigation techniques a bit odd?
The issue itself is pretty straightforward: New TLDs means risk of name collision between previously invalid domain names used internally by some organizations and domains under one of the new TLDs, which again could cause (mobile) devices to request a WPAD file from the wrong server.
The first recommendation, to disable WPAD in all browsers, would certainly work, but may not be feasible in all environments. Further down the list we find these suggestions:
Quote:
- Configure internal DNS servers to respond authoritatively to internal TLD queries.
- Configure firewalls and proxies to log and block outbound requests for wpad.dat files.
...which I'd consider as belonging in the "well, duh!" category. But then there's this:
Quote:
- Consider using a fully qualified domain name (FQDN) from global DNS as the root for enterprise and other internal namespace.
Now, isn't that the exact scenario that's causing name collision issues in the first place? I'm guessing they mean "consider using a FQDN that you own and control from global DNS as the root", but that's not what it actually says.
If ICANN simply declared one or more TLDs as "private", we could use those and avoid all name collisions in the future. RFC 2606 already declares four TLDs as reserved for testing and documentation purposes, so why not add one or more for private use?
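The "log and block outbound requests for wpad.dat" recommendation quoted above is easy to turn into a detection check. The example below is added here and is not from the original post or the advisory it quotes; the internal zone names, the Squid-like log layout and the log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed example: the DNS zones this hypothetical enterprise actually
# owns in global DNS. A wpad.dat fetch for a host outside these zones is a
# candidate name-collision leak (e.g. an internal ".corp" name that is now
# also a real TLD), which is exactly the scenario the advisory describes.
INTERNAL_ZONES = ("corp.example.com", "example.net")

# Constructed proxy log lines: "client method URL status".
SAMPLE_LOG = """\
10.0.4.21 GET http://wpad.corp.example.com/wpad.dat 200
10.0.4.22 GET http://wpad.corp/wpad.dat 200
10.0.4.23 GET http://intranet.example.net/index.html 200
10.0.4.24 GET http://wpad.office/wpad.dat 404
10.0.4.25 GET http://wpad.example.net/wpad.dat 200
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def in_internal_zone(host: str, zones=INTERNAL_ZONES) -> bool:
    """True if host is, or is under, one of the zones the enterprise controls."""
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in zones)


def find_leaking_wpad_requests(log_text: str, zones=INTERNAL_ZONES):
    """Return (client, host) pairs for wpad.dat fetches that left the internal namespace."""
    leaks = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        parts = urlsplit(m["url"])
        if not parts.path.lower().endswith("/wpad.dat"):
            continue  # only WPAD script fetches are of interest here
        host = (parts.hostname or "").lower().rstrip(".")
        if not in_internal_zone(host, zones):
            leaks.append((m["client"], host))
    return leaks


if __name__ == "__main__":
    for client, host in find_leaking_wpad_requests(SAMPLE_LOG):
        print(f"wpad.dat request left the enterprise namespace: {client} -> {host}")
```

Entries it flags are the ones a proxy block rule should cover; the ones it does not flag are legitimate fetches from zones the enterprise answers for authoritatively.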