Why the ‘wpad’ DNS record doesn’t work on Windows Server by default and how to enable it
In corporate networks utilizing proxy servers, the WPAD (Web Proxy Auto-Discovery Protocol) is a helpful feature to automatically distribute proxy settings to clients. However, many administrators notice that a DNS record for “wpad” does not work by default on Windows Server DNS. Why is this the case, and how can you enable it? In this article, we’ll explain the background and provide a step-by-step guide to resolve this issue.
Why Is the ‘wpad’ DNS Record Disabled by Default?
Windows Server DNS services disable the “wpad” name by default for security reasons. This precaution was introduced to prevent WPAD spoofing attacks.
WPAD spoofing occurs when an attacker registers a malicious WPAD server in a network to intercept traffic and potentially extract sensitive information, such as usernames, passwords, or confidential data. Microsoft has therefore decided to block the WPAD record in DNS service configurations by default.
This means that even if you create a “wpad” DNS record, it will be ignored by the DNS server unless the security policies are manually adjusted.
How to Enable the WPAD Record on Windows Server DNS
To enable the WPAD name on a Windows Server, you need to adjust the security settings. Follow these steps:
1. Check if ‘GlobalQueryBlockList’ Is Active
The blocking of “wpad” is controlled by the GlobalQueryBlockList. This list typically includes “wpad” and other entries deemed potentially unsafe.
Open the Command Prompt as an Administrator.
Enter the following command to view the current blocklist:
dnscmd /info /GlobalQueryBlockList
Example output:
Global Query Block List: wpad isatap
If “wpad” is in the list, the DNS record is being blocked.
2. Remove ‘wpad’ from the Blocklist
To remove “wpad” from the GlobalQueryBlockList, perform the following steps:
Run this command to remove “wpad”. Note that the command replaces the whole list rather than deleting a single name, so you list only the entries you want to keep (here “isatap”, the other default entry):
dnscmd /config /GlobalQueryBlockList isatap
Alternatively, to clear the entire blocklist (not recommended):
dnscmd /config /GlobalQueryBlockList
Restart the DNS service to apply the changes:
Restart-Service DNS
3. Create the WPAD DNS Record
- Open the DNS Manager on the Windows Server.
- Navigate to the desired zone (e.g., “mycompany.local”).
- Create a new A record (Host record):
  - Name: wpad
  - IP Address: (the IP address of the web server hosting the WPAD file)
- Confirm the creation.
4. Host the WPAD File
Ensure the web server specified in your DNS record serves the wpad.dat file in its root directory. For example:
- URL of the file: http://wpad.mycompany.local/wpad.dat
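The four steps above can also be carried out from one elevated PowerShell session on the DNS server with the DnsServer module. The script below is an added example and is not code from the original article; it assumes the zone name “mycompany.local” from the article and a placeholder address 192.0.2.10 for the web server that hosts wpad.dat. It also performs the check a practitioner wants at the end: that the name now resolves through this server and that the file is actually served.

```powershell
# Added example, not code from the original article: the four steps above as
# a single elevated PowerShell session on the DNS server (DnsServer module).
# Assumed placeholders: zone 'mycompany.local' and WPAD web host 192.0.2.10.
#Requires -RunAsAdministrator
Import-Module DnsServer

$ZoneName   = 'mycompany.local'   # zone name used in the article
$WpadHostIp = '192.0.2.10'        # constructed placeholder for the wpad.dat host

# Step 1: inspect the GlobalQueryBlockList ('wpad' and 'isatap' by default).
$block = Get-DnsServerGlobalQueryBlockList
"Block list enabled: $($block.Enable); entries: $($block.List -join ' ')"

# Step 2: drop only 'wpad'. Like dnscmd /config, the cmdlet replaces the whole
# list, so pass the entries you want to keep rather than the one to remove.
if ($block.List -contains 'wpad') {
    $kept = @($block.List | Where-Object { $_ -ne 'wpad' })
    if ($kept.Count -gt 0) {
        Set-DnsServerGlobalQueryBlockList -List $kept -Enable $true
    } else {
        # Nothing left to block: disable the list instead of passing an empty one.
        Set-DnsServerGlobalQueryBlockList -Enable $false
    }
    Restart-Service -Name DNS
}

# Step 3: create the A record wpad.<zone> -> WPAD web host, unless it exists.
$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name 'wpad' -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name 'wpad' -IPv4Address $WpadHostIp
}

# Step 4 check: the name must resolve through this server, and the web host
# must answer for /wpad.dat.
$fqdn   = "wpad.$ZoneName"
$answer = Resolve-DnsName -Name $fqdn -Type A -Server 127.0.0.1 -ErrorAction Stop
"$fqdn resolves to $($answer.IPAddress -join ', ')"

$resp = Invoke-WebRequest -Uri "http://$fqdn/wpad.dat" -UseBasicParsing
if ($resp.StatusCode -eq 200) {
    "wpad.dat served ($($resp.RawContentLength) bytes, Content-Type: $($resp.Headers['Content-Type']))"
}
```

The block-list step filters the existing list instead of hard-coding “isatap” so that any additional names an administrator has added stay blocked; only “wpad” is released. If Resolve-DnsName still returns nothing after the restart, the name is usually still on the list (re-run Get-DnsServerGlobalQueryBlockList) or the record was created in a different zone than the one clients search.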
Security Considerations When Enabling WPAD
While WPAD is convenient, it does introduce risks. Consider the following security measures:
- Use WPAD only in trusted networks: Enable WPAD only in networks with strict access controls.
- Host the WPAD file securely: Serve the wpad.dat file over HTTPS to prevent tampering.
- Use DNSSEC: Protect your DNS records from spoofing by enabling DNSSEC.
- Restrict scope: Use WPAD only for internal networks and avoid public domains.
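Once “wpad” is released from the block list, the protection against the spoofing scenario described earlier rests on nobody else being able to register that name. The audit below is an added example, not code from the original article, that a DNS administrator can run or schedule on the server to catch that condition: it lists every wpad record in the hosted forward zones, compares it with the approved host (placeholder 192.0.2.10), and reports the zone's dynamic-update mode and DNSSEC signing status alongside.

```powershell
# Added example, not code from the original article: a read-only audit for a
# Windows DNS server. It reports whether 'wpad' is still blocked, which zones
# carry a wpad record, whether it points at the approved host, and the zone's
# dynamic-update and DNSSEC settings. Placeholder approved host: 192.0.2.10.
Import-Module DnsServer

$ApprovedWpadIp = '192.0.2.10'   # constructed placeholder

$block       = Get-DnsServerGlobalQueryBlockList
$wpadBlocked = $block.Enable -and ($block.List -contains 'wpad')

# Forward-lookup primary zones hosted here (reverse and secondary zones skipped).
$zones = Get-DnsServerZone | Where-Object {
    $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone
}

$findings = foreach ($zone in $zones) {
    # A zone without a 'wpad' record raises a not-found error; silence it.
    $records = Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -Name 'wpad' -ErrorAction SilentlyContinue
    foreach ($r in $records) {
        $target = switch ($r.RecordType) {
            'A'     { $r.RecordData.IPv4Address.IPAddressToString }
            'CNAME' { $r.RecordData.HostNameAlias }
            default { ($r.RecordData | Out-String).Trim() }
        }
        [pscustomobject]@{
            Zone          = $zone.ZoneName
            RecordType    = $r.RecordType
            Target        = $target
            Approved      = ($r.RecordType -eq 'A' -and $target -eq $ApprovedWpadIp)
            # 'NonsecureAndSecure' lets any host register names in the zone;
            # 'Secure' requires an authenticated (AD) client.
            DynamicUpdate = $zone.DynamicUpdate
            Signed        = $zone.IsSigned        # DNSSEC status of the zone
            ServedByDns   = -not $wpadBlocked     # blocked names are never answered
        }
    }
}

$findings | Format-Table -AutoSize

foreach ($f in ($findings | Where-Object { -not $_.Approved })) {
    Write-Warning "Unexpected wpad record in $($f.Zone): $($f.RecordType) -> $($f.Target)"
}
if (-not $wpadBlocked -and -not $findings) {
    Write-Warning "'wpad' is not on the GlobalQueryBlockList and no zone defines it; re-enable the block if WPAD is not in use."
}
```

Two rows deserve attention in the output: a wpad record whose Target is not the approved host, and any zone with DynamicUpdate set to NonsecureAndSecure, since that is the setting under which an unwanted wpad name can be registered without credentials. The last warning covers the reverse situation, where the block was lifted but WPAD is no longer used and the name is simply unclaimed.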
Conclusion
The blocking of the “wpad” record in Windows Server DNS is a thoughtful security measure to prevent attacks. However, if WPAD is necessary, you can enable it with simple adjustments to the GlobalQueryBlockList. Always follow best practices to secure your network and minimize risks.
With these steps, you should be able to enable and safely use WPAD in your environment.
If you have questions or need further assistance, feel free to reach out to alfatier. And if you found this guide helpful, share it with someone who might benefit from it too!