Systems Affected

Windows, OS X, Linux systems, and web browsers with WPAD enabled

Overview

Web Proxy Auto-Discovery (WPAD) Domain Name System (DNS) queries that are intended for resolution on private or enterprise DNS servers have been observed reaching public DNS servers [1]. In combination with the New generic Top Level Domain (gTLD) program’s incorporation of previously undelegated gTLDs for public registration, leaked WPAD queries could result in domain name collisions with internal network naming schemes [2] [3]. Collisions could be abused by opportunistic domain registrants to configure an external proxy for network traffic, allowing the potential for man-in-the-middle (MitM) attacks across the Internet.

See the entire Alert with recommended solutions at https://www.us-cert.gov/ncas/alerts/TA16-144A.

Hope this helps some.

Am I the only one to find one of the recommended mitigation techniques a bit odd?

The issue itself is pretty straightforward: New TLDs means risk of name collision between previously invalid domain names used internally by some organizations and domains under one of the new TLDs, which again could cause (mobile) devices to request a WPAD file from the wrong server.

The first recommendation, to disable WPAD in all browsers, would certainly work, but may not be feasible in all environments. Further down the list we find these suggestions:...which I'd consider as belonging in the "well, duh!" category. But then there's this:Now, isn't that the exact scenario that's causing name collision issues in the first place? I'm guessing they mean "consider using a FQDN that you own and control from global DNS as the root", but that's not what it actually says.

If ICANN would simply declare one or more TLDs as "private", we could use those and avoid all name collisions in the future. RFC 2606 already declares four TLDs as reserved for testing and documentation purposes, so why not add one or more for private use?