Channel: IT Security - Multi Platform

DNS Resolution – with & without Proxy


If you configure IE with an explicit proxy:

1. The user enters www.itzecurity.in.
2. IE checks the address for a string match against the IE proxy exceptions list (i.e. "Bypass proxy for these addresses:").
3. If it matches an entry in the bypass list, the client uses its own DNS to resolve the name, connects directly to the target IP address on port 80 (assumed), and sends a request like:

       GET /index.html HTTP/1.1
       Host: www.itzecurity.in

   and that's the end of it for a matching entry. If no bypass list entries match, continue:
4. IE connects to its configured proxy and sends a request of the form:

       GET http://www.itzecurity.in/index.html HTTP/1.1

   This use of the FQDN in the request URL is one way you can tell that a client thinks it's talking to a proxy instead of a real web server.
5. The proxy then resolves the host name using its own DNS, connects to the target site, etc.

When using WPAD/PAC:

When using WPAD or an auto-configuration script (such as the one provided by ISA/TMG when auto configuration is enabled), it's different:

· The user types an address.
· The client downloads the current wpad.dat/autoproxy.js/.pac file from its configured location.
· The client looks for the entry point "FindProxyForURL" in the script file and executes it.
· The autoproxy script processes the hostname and URL. This is a limited-function JavaScript file, but lots of things are still possible:

  1. this may include name resolution (isInNet, dnsResolve)
  2. this may include string matching (shExpMatch)
  3. this may include counting to a million (i++)
  4. this may include narky alert popup messages if the admin's a jerk (or just funny (or debugging))

· The FindProxyForURL function returns at least one string: an ordered list of the best proxies to use (semicolon separated):

  1. either "DIRECT", in which case the client then needs to resolve the name itself, as per the bypass case above
  2. or "PROXY proxyname:8080" or similar, in which case the client connects to that port on the proxy, tells it to GET the full URL, and the proxy performs name resolution.

· As an example: if the script function returned "PROXY yourProxy:8080; DIRECT", that tells the client to connect to yourProxy on TCP port 8080 to request this URL, and if that connection can't be established, just try going direct.

· Note that TCP session setup failure isn't exactly quick, so this isn't likely to be a pleasant failover experience for a user, but it beats nothing.
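
The PAC flow above as a runnable sketch for Node.js (an added example, not code from the original article). It records which names the client itself looks up while evaluating the script. The helper stubs, the DNS table, the `*.corp.example` rule and the 10.0.0.0/8 range are assumptions made for illustration.

```javascript
// Constructed DNS table standing in for the client's resolver (assumption).
const DNS = { "intranet.corp.example": "10.1.2.3", "www.itzecurity.in": "203.0.113.10" };
let clientLookups = [];   // names the *client* resolved while running the PAC

// Minimal stand-ins for the PAC helper functions a browser provides.
function dnsResolve(host) { clientLookups.push(host); return DNS[host] || null; }
function shExpMatch(str, glob) {
  const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function toInt(ip) { return ip.split(".").reduce((n, o) => (n * 256 + Number(o)) >>> 0, 0); }
function isInNet(host, net, mask) {
  // Like the browser helper, a hostname argument is resolved first (client-side DNS).
  const ip = /^\d+(\.\d+){3}$/.test(host) ? host : dnsResolve(host);
  if (!ip) return false;
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}

// PAC entry point: string match first (no DNS), then a subnet test (client DNS).
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.corp.example")) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  return "PROXY yourProxy:8080; DIRECT";
}

// Run the PAC for one URL; return the ordered choices and the client-side lookups.
function evaluate(url) {
  clientLookups = [];
  const host = new URL(url).hostname;
  const choices = FindProxyForURL(url, host).split(";").map(s => s.trim()).filter(Boolean);
  return { choices, clientLookups: [...clientLookups] };
}

console.log(evaluate("http://intranet.corp.example/"));        // matched by string, no PAC lookup
console.log(evaluate("http://www.itzecurity.in/index.html"));  // proxied, but the client still resolved it
```

The second result shows that a PAC file using isInNet or dnsResolve makes the client resolve external names even when the request ends up at the proxy. That matters on networks where clients are not supposed to resolve, or cannot resolve, Internet names.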
