Client software that is configured to use Web Proxy Automatic Discovery (WPAD) must be able to contact a host that serves a proxy automatic configuration file (Wpad.dat). A WPAD-configured client can use several methods to locate a host that contains a Wpad.dat file. Two of these methods require a WPAD entry to be registered in Domain Name System (DNS) or in Windows Internet Naming Service (WINS). Registering a WPAD entry in DNS or in WINS enables clients to resolve names of hosts that contain proxy automatic configuration files.
If an entity can surreptitiously register a WPAD entry in DNS or in WINS, and this entry resolves to a host with a malicious Wpad.dat file, WPAD clients may be able to route their Internet traffic through a malicious proxy server.
Network administrators who have not already registered legitimate WPAD entries in DNS or in WINS, and network administrators who have not correctly implemented WPAD through DHCP and Option 252, must reserve static WPAD DNS host names and WPAD WINS name records. By doing this, network administrators help prevent possible malicious registrations.
Back to the top
To reserve static DNS host names and WINS name records for WPAD, and to reserve other names that you may want to block, follow these steps.
Back to the top
DNS
To register a reserved name host entry in DNS, you must register the host name without registering an IP address. Use either of the following methods, as appropriate for your situation.
Method 1: Use the DNS Management Console
| 1. |
Open the DNS Management Console. |
| 2. | Right-click the zone that corresponds to the appropriate search domain, and then click Other New Records. |
| 3. | In the Select a resource record type list, select Text (TXT).
|
| 4. | Click Create Record. |
| 5. | In New Resource Record, type the reserved name in the Record Name box.
For example, if you want to reserve the name "WPAD," type WPAD in the Record Name box. |
| 6. | Click OK to add the new record to the zone. |
| 7. | Repeat steps 5 through 6 for all the other reserved names that you want to block.
|
| 8. | Repeat steps 1 through 7 for each search domain.
|
Method 2: Use commands at a command prompt
| 1. | Open a Command Prompt window.
|
| 2. | At a command prompt, type the following command, and then press ENTER: dnscmd ServerName /RecordAdd ZoneName <reserved name> TXT "" For example, if you want to reserve the name "WPAD," type the following command: dnscmd ServerName /RecordAdd ZoneName WPAD TXT "" Notes| • | You may want to enter some reference text as the data of the TXT record, such as “KB934864.” | | • | If ServerName is not specified, the local computer will be used.
|
|
| 3. | Repeat step 2 for all the other reserved names that you want to block.
|
| 4. | Repeat steps 1 through 3 for each search domain.
|
Back to the top
WINS
To register a reserved name record in WINS, you must register both the name and the qualified name. (A qualified name is a name that is followed by a period (.) character.) For example, to register the reserved "WPAD" name record in WINS, you must register both of the following names:
When you register both the name and the qualified name, the following conditions are true:
| • | All reserved name registrations are blocked. |
| • | WINS is prevented from replying to WINS clients that request reserved name record resolution. |
WPAD example
Use the following procedure for the "WPAD" reserved name as a model, and complete the steps for the following items:
| • | Every WINS server |
| • | Every reserved name, such as the "WPAD" reserved name |
| • | Any other names that you want to block |
| 1. | Open the WINS Manager. |
| 2. | Create a statically-assigned Internet group that is named "WPAD" with a single IP address of 0.0.0.0. |
| 3. | Click Apply. |
| 4. | Remove the address, and then click Apply.
You now have a multi-record entry in WINS that has no records. |
| 5. | Create a statically-assigned Internet group that is named "WPAD." with a single IP address of 0.0.0.0. |
| 6. | Click Apply. |
| 7. | Remove the address, and then click Apply.
You now have a multi-record entry in WINS that has no records. |
Note These changes do not replicate. Therefore, you must repeat steps 1 through 7 on every WINS server that is in your organization.
Back to the top
