The U.S. Computer Emergency Readiness Team (US-CERT) issued an alert this week warning of a “domain name collision” bug that causes certain DNS queries to be resolved by public servers instead of private or enterprise ones, exposing organizations to Man-in-the-Middle (MitM) attacks.
The Department of Homeland Security (DHS) agency warned that DNS queries using the Web Proxy Auto-Discovery protocol (WPAD) in combination with newer, publicly registered generic top-level domains, could result in queries being erroneously resolved on a public server. This is especially the case when an organization's employee connects a work computer to a home or external network that does not support said organization's WPAD configurations. According to US-CERT, “Attackers may exploit such leaked WPAD queries by registering the leaked domain and setting up MitM proxy configuration files on the Internet.”
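The leak described above is easy to spot once you know what to look for: a WPAD lookup whose parent label is a publicly delegated top-level domain and which does not sit under a domain the organization itself controls. The following script is an added example, not part of the US-CERT alert or of any product. It models the suffix devolution that produces the parent names, classifies each WPAD name, and scans a few constructed resolver log lines for leaks. The owned domains, the subset of public TLDs, the non-delegated suffixes, and the log format are all assumptions made for the example; a real check should load the IANA root zone list rather than a hard-coded set.

```python
"""Flag WPAD lookups that would be answered from the public DNS.

A host whose DNS search suffix is corp.acme.global and which cannot reach its
internal resolver may try wpad.corp.acme.global, then wpad.acme.global, then
wpad.global. The last name is under a public gTLD and not under a domain the
organization owns, so whoever registers it can serve a proxy configuration.
"""
from typing import Iterable

# Constructed for this example: domains the organization has registered.
OWNED_DOMAINS = {"acme.global", "acme.com"}

# Constructed subset of publicly delegated TLDs. Replace with the IANA root
# zone list in a real deployment.
PUBLIC_TLDS = {"global", "network", "cloud", "link", "com", "net", "org"}


def devolution_candidates(suffix: str, label: str = "wpad") -> list:
    """Names a resolver doing suffix devolution may try, most specific first.

    Simplified model for illustration, not a reproduction of any OS's exact
    devolution rules (e.g. where Windows stops devolving).
    """
    parts = [p for p in suffix.lower().strip(".").split(".") if p]
    return [label + "." + ".".join(parts[i:]) for i in range(len(parts))]


def classify_wpad_name(qname: str, owned=OWNED_DOMAINS, public=PUBLIC_TLDS) -> str:
    """Return 'not-wpad', 'internal', 'owned' or 'leak' for a queried name."""
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    if labels[0] != "wpad" or len(labels) < 2:
        return "not-wpad"
    if labels[-1] not in public:
        # e.g. .local or .internal: no public delegation, so the root cannot
        # hand the query to an attacker-registered zone.
        return "internal"
    for domain in owned:
        if name == "wpad." + domain or name.endswith("." + domain):
            return "owned"  # answered by the organization's own zone
    return "leak"  # public TLD, registrable by anyone


# Constructed log lines in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = [
    "2016-05-24T10:02:11Z client=10.1.2.3 qname=wpad.corp.acme.global qtype=A",
    "2016-05-24T10:02:11Z client=10.1.2.3 qname=wpad.acme.global qtype=A",
    "2016-05-24T10:02:12Z client=10.1.2.3 qname=wpad.global qtype=A",
    "2016-05-24T10:02:15Z client=10.1.2.5 qname=wpad.local qtype=A",
    "2016-05-24T10:02:16Z client=10.1.2.5 qname=www.example.com qtype=A",
    "2016-05-24T10:02:20Z client=10.1.2.7 qname=wpad.net qtype=A",
]


def scan_log(lines: Iterable[str]) -> list:
    """Return (client, qname) pairs for WPAD lookups that leak to public DNS."""
    leaks = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
        qname = fields.get("qname", "")
        if classify_wpad_name(qname) == "leak":
            leaks.append((fields.get("client", "?"), qname))
    return leaks


if __name__ == "__main__":
    print("devolution:", devolution_candidates("corp.acme.global"))
    for client, qname in scan_log(SAMPLE_LOG):
        print(f"LEAK  client={client} queried {qname}")
```

Run against a resolver's query log, any hit on `wpad.<public-tld>` from a laptop that has left the corporate network is the condition the alert describes; the fix is on the client side (disable WPAD where it is not needed, or make sure the internal zone answers it), not in the resolver.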
WPAD is enabled by default in Windows and in Internet Explorer, and is supported by the other major operating systems and browsers. The US-CERT alert includes recommendations for defending against this vulnerability.