[dns-operations] Web Proxy Auto-Discovery (WPAD) Information Disclosure

Gadi Evron ge at linuxbox.org
Mon Dec 3 23:43:07 UTC 2007


A malicious user could host a WPAD server, potentially establishing it as 
a proxy server to conduct man-in-the-middle attacks against customers 
whose domains are registered as a subdomain to a second-level domain 
(SLD). For customers with a primary DNS suffix configured, the DNS 
resolver in Windows will attempt to resolve an unqualified .wpad. hostname 
using each sub-domain in the DNS suffix until a second-level domain is 
reached. For example, if the DNS suffix is corp.contoso.co.us and an 
attempt is made to resolve an unqualified hostname of wpad, the DNS 
resolver will try wpad.corp.contoso.co.us. If that is not found, it will 
try, via DNS devolution, to resolve wpad.contoso.co.us. If that is not 
found, it will try to resolve wpad.co.us, which is outside of the 
contoso.co.us domain.

More information about the dns-operations mailing list