WPAD, DHCP, DNS, etc


(Adam) #1

I’m doing some testing with WPAD and it seems like it’s a requirement that NS handles DHCP unless I want to mess with custom attributes in a different DHCP server - no big deal, just leave DHCP on NS.

I also noticed when I specify a DNS server other than NethServer (a Windows PDC), WPAD stops working - kind of a big deal.

I’ve tried creating the following two A records in the Windows PDC’s DNS to point the hostnames to the NethServer box:

```
ns-test.lan 192.168.1.1
proxy.lan   192.168.1.1
```

It’s still not working. Any suggestions are greatly appreciated.

Thanks everyone! BTW, NethServer is an AWESOME product!


(Artem Fedai) #2

It is a known bug: in the WPAD file it is the domain name of your NS, but there should be an IP address.


(Adam) #3

If I change it to an IP address, the blue network doesn’t work.

Edit: I take that back. The blue network does work with the hostname changed to an IP address in the wpad.dat file. But after changing the DNS server assigned to the green zone again, WPAD stopped working again for green.


(Artem Fedai) #4

Kindly look at /etc/shorewall/rules.


(Adam) #5

Sorry for the confusion… see my edit above. Blue does work. Still the same issue with green zone once DNS has been changed. Even with hostname changed to IP in wpad.dat.

Here’s a screenshot showing the IP info of my test VM on the blue network. Google’s ssl site loaded and I was able to download the wpad.dat:


(Adam) #6

Here is how the proxy is setup so users don’t have to autodetect correctly for http traffic, but do for https:

And here’s a screenshot showing a vm in the green zone in my test environment not autodetecting proxy settings with dns changed even after changing the hostname in the wpad.dat to the IP:

Please let me know if there’s any other information I can provide to help get to the bottom of this. :smile:


(Artem Fedai) #7

@Adam when you make only a Transparent proxy it covers only HTTP traffic; kindly look at /etc/shorewall/rules:

```
#
# 90squid
#
#
# Squid: accept HTTP/S traffic from/to firewall and green
#
ACCEPT  $FW     net     tcp     80
ACCEPT  loc     $FW     tcp     80
ACCEPT  loc     $FW     tcp     443
?COMMENT transparent proxy on green for port 80
REDIRECT        loc     3129    tcp     80      -       !10.1.1.11,16.16.16.1
#
# Squid: accept HTTP/S traffic from/to firewall and blue
#
ACCEPT  $FW     net     tcp     80
ACCEPT  blue    $FW     tcp     80
ACCEPT  blue    $FW     tcp     443
ACCEPT  blue    $FW     tcp     3128
ACCEPT  blue    $FW     tcp     3129
ACCEPT  blue    $FW     tcp     3130
?COMMENT transparent proxy on blue for port 80
REDIRECT        blue    3129    tcp     80      -       !10.1.1.11,16.16.16.1
```

When you set up Transparent + SSL it covers BOTH protocols; such a config appears in /etc/shorewall/rules:

```
#
# 90squid
#
#
# Squid: accept HTTP/S traffic from/to firewall and green
#
ACCEPT  $FW     net     tcp     80
ACCEPT  loc     $FW     tcp     80
ACCEPT  loc     $FW     tcp     443
?COMMENT transparent proxy on green for port 80
REDIRECT        loc     3129    tcp     80      -       !10.1.1.11,16.16.16.1
?COMMENT transparent proxy on green for port 443
REDIRECT        loc     3130    tcp     443     -       !10.1.1.11,16.16.16.1
#
# Squid: accept HTTP/S traffic from/to firewall and blue
#
ACCEPT  $FW     net     tcp     80
ACCEPT  blue    $FW     tcp     80
ACCEPT  blue    $FW     tcp     443
ACCEPT  blue    $FW     tcp     3128
ACCEPT  blue    $FW     tcp     3129
ACCEPT  blue    $FW     tcp     3130
?COMMENT transparent proxy on blue for port 80
REDIRECT        blue    3129    tcp     80      -       !10.1.1.11,16.16.16.1
?COMMENT transparent proxy on blue for port 443
REDIRECT        blue    3130    tcp     443     -       !10.1.1.11,16.16.16.1
```

(Artem Fedai) #8

So maybe Linux machines do not want to add the WPAD file for provisioning; Windows clients work like a charm.


(Adam) #9

Everything works fine with DHCP telling clients to use NS for DNS. WPAD doesn’t work when I change to different DNS. Why?


(Adam) #10

You’re right. I just tested with a Windows 7 VM and it works fine.

However, it seems like this line of /etc/e-smith/templates/etc/dnsmasq.conf/25wpad is causing a reliance on DNS rather than specifying the IP:

`$OUT.="dhcp-option=252,http://$SystemName.$DomainName/wpad.dat\n\n\n";`

I’m not sure why manually pointing the hostname in an A record in whatever DNS server the client is using doesn’t resolve it, but either way, shouldn’t this as well as the contents of the wpad.dat file be changed to an IP address rather than hostname?

Edit: another point worth mentioning is that while the browser does work in Windows, Windows Update does not work. So there’s obviously still an issue; likely the issue is what I stated above.


(Artem Fedai) #11

In your screenshot there is 8.8.8.8 DNS; in your network you should use the NS IP for DNS. It is very strict, because your internal domain, like lan or something else you choose, would not be resolved.


(Adam) #12

But I want to use NS as a router/UTM in a domain environment where it’s important that DNS points to the domain controller(s).


(Gabriel GHEORGHIU) #13

Hi Adam,

In a domain environment, it’s better for DHCP to be on the DC server.

In this case, NS will act as Router/UTM, will give DHCP only for BLUE, and for LAN (GREEN), the DC Server will provide DHCP. I think this is the best way (I always use this configuration).


(Adam) #14

I do too. I thought I’d change that standard practice because of the additional DHCP attributes for WPAD that NS handles out of the box. The problem is that it doesn’t seem to handle them correctly.

I suppose it wouldn’t be a big deal to add the 252 wpad attribute pointing to NS by IP. I’ll do some testing with that setup when I get a chance. Although it wouldn’t be a bad idea to fix this issue in NethServer.


(Gabriel GHEORGHIU) #15

Hi Adam,

If I understand well, your real problem was described here:

If yes, I have the same issue.


(Artem Fedai) #16

@GG_jr and @Adam it is your chance to make a great contribution to NS: make tests for all cases, make a config for WPAD and dnsmasq, and then the Dev team updates the package.


(Gabriel GHEORGHIU) #17

Hi Nas,

I’m not so sure that we speak about the same things.

If it is about how different browsers (IE, Mozilla, Chrome) use the proxy settings, then it is a combination of how to set Web Proxy on NS and the proxy settings on browsers.

I have tried some combinations but I have obtained only a headache.
If something works on IE/Chrome, it doesn’t work on Mozilla and vice versa.

For example: if I use for Proxy: Transparent & Block HTTP and HTTPS ports, with Mozilla (Ubuntu) I cannot reach https sites, only http, regardless of browser proxy settings. If I use only Transparent, I can reach all sites but only http sites are logged on Lightsquid.

After a while I was totally lost …

I think something is wrong with the module and/or how it is explained in Help.
I’m not sure and I don’t want to make false statements till I test again.

I will try to do those tests again, in a “more professional manner”, if I can say this, and more documented. I hope that will help.


(Adam) #18

In stock form, using NethServer for DNS and DHCP, if you use the settings that you show in that screenshot, everything should work in the green zone… except you may want to block the HTTP and HTTPS ports so the browser will not bypass the proxy for HTTPS if it doesn’t autodetect. The only issue is that Firefox does not come set to automatically detect proxy settings by default. By default, it’s set to use system proxy settings, which do not autodetect properly.

The only issues I had were once I started using a different DNS and/or DHCP server.


(Adam) #19

I set up a Server 2012 R2 VM on my green zone, disabled DHCP on NS, and enabled DHCP and DNS on the Server 2012 VM. After creating the following wpad DHCP option (as well as setting the path in the wpad.dat to use the IP rather than the hostname), everything appears to be working in the Windows 7 VM (including Windows Update and other system services).

However, Firefox on the Windows 7 VM doesn’t work and the Ubuntu VM doesn’t work. I found this: http://findproxyforurl.com/common-wpad-issues/

So it appears that a DNS wpad entry is required. Server 2012 ignores wpad queries by default for security, so the following command needs to be run to remove that block:

```
dnscmd /config /globalqueryblocklist
```

Note: this command clears all blocks. By default there are two: wpad and isatap. To remove wpad and keep isatap, run the following command instead:

```
dnscmd /config /globalqueryblocklist isatap
```

Once that was done, I created an A record to point the hostname wpad to the NS IP… but still had issues. Once I modified the 015 “DNS Domain Name” DHCP attribute and added the local domain name of “lan.local”, everything started working. I believe I had to do that because I set up DHCP on this test server before creating the domain. It would normally be set up automatically.

Two things that I can take away from this testing experience:

  1. Use NethServer for DNS and DHCP if at all possible if you plan on using WPAD to avoid this headache

  2. WPAD should be setup to use IP address rather than hostname. Everything routes properly using IP address and it would prevent even more DNS entries from being created.


(Adam) #20

For the sake of testing, I went ahead and changed the wpad.dat back to referencing a hostname so I would know what’s involved to make it work.

By default, the wpad.dat file references proxy.domain, not the actual hostname of NethServer. So I added an A record to the Windows DC to point that hostname to the IP of NethServer… It didn’t work.

So I added another A record of the actual hostname, which in my case is “ns-test”, pointing to the NS IP. It still didn’t work. I had the domain in NS set to “lan” when my DNS domain suffix is lan.local. So I changed the domain in NS to lan.local and then everything worked… for Windows. Ubuntu can resolve “proxy” but cannot resolve “proxy.lan” or “proxy.lan.local”. Any ideas?

Edit: I gave up trying to make it work. Everything works perfectly by changing the hostname in the wpad.dat to the IP address. Is there any way that can be the permanent setting rather than a hostname? I don’t see any downside to changing it. It would only be beneficial and I’m not the only one who has had issues with the current use of a hostname.

Edit2: changed this thread type to “bug” since I view this issue as a bug that can be easily resolved.
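The wpad.dat variant this thread settles on, with the proxy referenced by IP address instead of proxy.<domain>, written here as an added example; it is not the file NethServer generates nor any poster’s code, and the proxy address 192.168.1.1:3128 and the DNS suffix lan.local are assumed values.

```javascript
// Added example, not the wpad.dat that NethServer generates: a PAC file that
// names the proxy by IP address, so a client that cannot resolve
// proxy.<domain> (the failure seen in this thread) still reaches the proxy.
// Assumed values: proxy at 192.168.1.1:3128, internal DNS suffix lan.local.
var PROXY_IP = "192.168.1.1";
var PROXY_PORT = 3128;
var LOCAL_SUFFIX = ".lan.local";

// Self-contained helpers, named differently from the browser's PAC built-ins
// so the file behaves identically in a browser and under Node for testing.
function pacIsPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function pacIsDottedQuad(host) {
  return /^(\d{1,3}\.){3}\d{1,3}$/.test(host);
}

function pacIpToInt(ip) {
  var p = ip.split(".");
  return ((+p[0] << 24) | (+p[1] << 16) | (+p[2] << 8) | +p[3]) >>> 0;
}

// True when a literal IPv4 address lies inside network/prefixLen (CIDR).
function pacInNet(host, network, prefixLen) {
  var mask = prefixLen === 0 ? 0 : (0xffffffff << (32 - prefixLen)) >>> 0;
  return (pacIpToInt(host) & mask) === (pacIpToInt(network) & mask);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names, the local domain and private/loopback addresses
  // (RFC 1918 ranges assumed) are reached directly, never via the proxy.
  if (host === "localhost" || pacIsPlainHostName(host)) return "DIRECT";
  if (host.slice(-LOCAL_SUFFIX.length) === LOCAL_SUFFIX) return "DIRECT";
  if (pacIsDottedQuad(host) &&
      (pacInNet(host, "127.0.0.0", 8) || pacInNet(host, "10.0.0.0", 8) ||
       pacInNet(host, "172.16.0.0", 12) || pacInNet(host, "192.168.0.0", 16))) {
    return "DIRECT";
  }
  // Everything else, HTTP and HTTPS alike, goes through the proxy by IP.
  // No "; DIRECT" fallback: a fallback would let the browser bypass the
  // proxy silently whenever it cannot connect, which is exactly what
  // blocking the HTTP/HTTPS ports on the firewall (as discussed above) is
  // meant to prevent.
  return "PROXY " + PROXY_IP + ":" + PROXY_PORT;
}
```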