[dns-operations] Web Proxy Auto-Discovery (WPAD) Information Disclosure

Rickard Dahlstrand rickard.dahlstrand at iis.se
Tue Dec 4 06:23:01 UTC 2007

Gadi Evron wrote:
> http://www.microsoft.com/technet/security/advisory/945713.mspx
> A malicious user could host a WPAD server, potentially establishing it as 
> a proxy server to conduct man-in-the-middle attacks against customers 
> whose domains are registered as a subdomain to a second-level domain 
> (SLD). For customers with a primary DNS suffix configured, the DNS 
> resolver in Windows will attempt to resolve an unqualified .wpad. hostname 
> using each sub-domain in the DNS suffix until a second-level domain is 
> reached. For example, if the DNS suffix is corp.contoso.co.us and an 
> attempt is made to resolve an unqualified hostname of wpad, the DNS 
> resolver will try wpad.corp.contoso.co.us. If that is not found, it will 
> try, via DNS devolution, to resolve wpad.contoso.co.us. If that is not 
> found, it will try to resolve wpad.co.us, which is outside of the 
> contoso.co.us domain.
Most of the wpad.tld domains are already reserved like this one
http://wpad.com/ It's amazing that when they fixed it for .com etc. a
while back they missed that there where two-level tld-domains.


More information about the dns-operations mailing list