The Web Proxy Auto-Discovery Protocol (WPAD) is commonly used to distribute proxy settings automatically in enterprise networks. If you’ve tried to set up a wpad DNS record on Windows Server, though, you may have noticed that clients still can’t resolve the name: the DNS server refuses to answer for it by default, even after the record exists in the zone.
Why is the ‘wpad’ Record Disabled by Default?
Windows DNS Server ships with a Global Query Block List that contains wpad (and isatap), and it does not resolve queries for those names even when a matching record exists in the zone. The reason is dynamic DNS update: because domain-joined machines register their own host names, any workstation, or any device on a zone that still allows nonsecure updates, could register itself as "wpad". Every client with "Automatically detect settings" enabled would then download its proxy configuration from that machine and route its web traffic through it, exposing usernames, passwords and any other data sent over those connections. The block list, introduced with Windows Server 2008, closes that hole by default.
How to Enable WPAD
Follow these steps to enable WPAD on your Windows Server DNS:
Step 1: Check the GlobalQueryBlockList
First, view the current block list:
dnscmd /info /GlobalQueryBlockList
You’ll likely see output like:
Global Query Block List:
wpad
isatap
Step 2: Remove ‘wpad’ from the Block List
To remove wpad from the block list while keeping isatap blocked:
dnscmd /config /GlobalQueryBlockList isatap
Then restart the DNS service:
Restart-Service DNS
Step 3: Create the WPAD DNS Record
In DNS Manager:
- Open your forward lookup zone (for example yourdomain.local)
- Create a new Host (A) record
- Name: wpad
- IP address: the web server that hosts the wpad.dat file
Step 4: Host the WPAD File
Create a wpad.dat file in the root directory of your web server. The file is a small JavaScript script that defines FindProxyForURL(url, host), and it should be served with the MIME type application/x-ns-proxy-autoconfig. Clients that auto-detect build the URL from their primary DNS suffix and request it over plain HTTP on port 80 (auto-discovery does not try HTTPS), so it must be reachable at:
http://wpad.yourdomain.local/wpad.dat
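The four steps above as one PowerShell script, an added example that is not from the original article. It uses the DnsServer module cmdlets rather than dnscmd, writes a minimal PAC file, and finishes with the check a client would effectively perform. The zone name yourdomain.local comes from the article; the web server address 10.0.0.5, the proxy proxy.yourdomain.local:8080, IIS as the web server and C:\inetpub\wwwroot as its document root are assumptions, and the script assumes DNS and IIS run on the same host (otherwise run the Step 4 section on the web server).

```powershell
# Added example, not from the original article. Assumptions (not from the article):
#   - zone yourdomain.local, run as an administrator on the DNS server
#   - wpad.dat hosted by IIS on 10.0.0.5 from C:\inetpub\wwwroot
#   - clients should use proxy.yourdomain.local:8080
$Zone      = 'yourdomain.local'
$WebIp     = '10.0.0.5'
$ProxyHost = 'proxy.yourdomain.local'
$ProxyPort = 8080
$WebRoot   = 'C:\inetpub\wwwroot'

# Step 1: show the current block list (same data as dnscmd /info /GlobalQueryBlockList)
$block = Get-DnsServerGlobalQueryBlockList
"Block list before: $($block.List -join ', ')"

# Step 2: keep every entry except wpad (isatap stays blocked), then restart DNS
if ($block.List -contains 'wpad') {
    $keep = @($block.List | Where-Object { $_ -ne 'wpad' })
    Set-DnsServerGlobalQueryBlockList -List $keep
    Restart-Service DNS
}

# Step 3: create the A record statically. A static record is not aged out and, in an
# AD-integrated zone with secure updates only, cannot be overwritten by an ordinary client.
if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name 'wpad' -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'wpad' -IPv4Address $WebIp
}

# Step 4: write wpad.dat. The PAC is JavaScript executed by every client, so keep it
# small and hand out only proxies you operate. There is deliberately no "; DIRECT"
# fallback: with one, anyone who can knock the proxy over makes clients bypass it.
$pac = @"
function FindProxyForURL(url, host) {
    // internal names and the private 10/8 range go direct
    if (isPlainHostName(host) ||
        dnsDomainIs(host, ".$Zone") ||
        isInNet(host, "10.0.0.0", "255.0.0.0")) {
        return "DIRECT";
    }
    return "PROXY ${ProxyHost}:${ProxyPort}";
}
"@
Set-Content -Path (Join-Path $WebRoot 'wpad.dat') -Value $pac -Encoding ASCII

# IIS answers 404 for extensions with no MIME mapping, so map .dat to the PAC type
& "$env:windir\system32\inetsrv\appcmd.exe" set config /section:staticContent `
    /+"[fileExtension='.dat',mimeType='application/x-ns-proxy-autoconfig']"

# Verify the way a client sees it: the name must resolve through DNS alone (no LLMNR or
# NetBIOS fallback), and the file must be fetchable over plain HTTP, the only scheme
# auto-discovery uses.
Resolve-DnsName -Name "wpad.$Zone" -Type A -DnsOnly | Format-Table Name, IPAddress
$r = Invoke-WebRequest -Uri "http://wpad.$Zone/wpad.dat" -UseBasicParsing
"$($r.StatusCode) $($r.Headers['Content-Type']) $($r.Content.Length) bytes"
```

Run it once from an elevated PowerShell session; the Step 2 block is skipped on a second run because wpad is already off the list, and Step 3 is skipped when the record already exists.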
Security Considerations
If you decide to enable WPAD, follow these practices:
- Only enable it on trusted networks. A client that auto-detects will trust whatever wpad.dat it is handed, so every device that can answer for the wpad name is in scope.
- Restrict dynamic updates. Set the zone to secure dynamic updates only (or none) and create the wpad record statically as an administrator, so no client account can register or overwrite it.
- Don’t count on HTTPS for auto-discovery. Windows fetches the auto-discovered file over plain HTTP and does not try HTTPS; an https:// PAC URL only helps if you push it explicitly through Group Policy, and at that point WPAD discovery is not needed.
- Use DNSSEC. Signing the zone protects resolvers against forged responses for wpad, but not against a rogue host registering the name through a legitimate dynamic update; pair it with the update restriction above.
- Keep the record present. If clients auto-detect and the wpad name does not resolve, Windows name resolution can fall back to LLMNR and NetBIOS, which any machine on the local segment can answer; that fallback is what WPAD-poisoning tools rely on. Where WPAD isn’t wanted, turn off auto-detect and disable LLMNR and NetBIOS name resolution instead.
- Limit to internal networks. Never expose the wpad name or the wpad.dat file to the internet, and keep the PAC minimal so it only returns proxies you operate.
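To check the points above against a live zone, here is an added audit script that is not from the original article. It flags the weak setting for each item and notes the corrected one. It assumes the zone yourdomain.local from the article, that it runs as an administrator on the DNS server, and that the LLMNR check is meaningful only on a client (the policy value it reads is a client setting, so run that part, or the whole script, on a workstation as well).

```powershell
# Added example, not from the original article. Assumptions: zone yourdomain.local,
# run as an administrator on the DNS server; the LLMNR check reads a client policy.
$Zone = 'yourdomain.local'
$findings = @()

# 1. Dynamic updates. 'NonsecureAndSecure' lets any host register or change names in
#    the zone, wpad included. 'Secure' (Kerberos-authenticated, ACL-protected) or
#    'None' is what a zone carrying wpad should use.
$z = Get-DnsServerZone -Name $Zone
if ($z.DynamicUpdate -eq 'NonsecureAndSecure') {
    $findings += "zone $Zone accepts nonsecure dynamic updates; fix: Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate Secure"
}

# 2. The wpad record must exist and be static. A Timestamp means it was registered
#    dynamically, i.e. some client created it and that client's account can update it.
$rec = Get-DnsServerResourceRecord -ZoneName $Zone -Name 'wpad' -RRType A -ErrorAction SilentlyContinue
if (-not $rec) {
    $findings += "no wpad A record: auto-detecting clients can fall back to LLMNR/NetBIOS for 'wpad'"
} elseif ($rec.Timestamp) {
    $findings += "wpad record is dynamic (timestamp $($rec.Timestamp)); delete it and recreate it as a static record"
} else {
    "wpad -> $($rec.RecordData.IPv4Address.IPAddressToString) (static)"
}

# 3. The block list should still be enabled and still cover isatap; only wpad is meant
#    to be missing from it.
$bl = Get-DnsServerGlobalQueryBlockList
if (-not $bl.Enable -or ($bl.List -notcontains 'isatap')) {
    $findings += "GlobalQueryBlockList is disabled or no longer contains isatap"
}

# 4. LLMNR is the fallback an on-segment attacker answers when DNS has no wpad.
#    EnableMulticast = 0 under the DNSClient policy key is the Group Policy setting
#    "Turn off multicast name resolution" (a client-side setting).
$llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
    -Name EnableMulticast -ErrorAction SilentlyContinue
if (-not $llmnr -or $llmnr.EnableMulticast -ne 0) {
    $findings += "LLMNR is not disabled by policy on this host"
}

# 5. Fetch the PAC the way a client does (plain HTTP) and make sure it is a PAC file
#    and that every proxy it hands out is one you recognise.
try {
    $r = Invoke-WebRequest -Uri "http://wpad.$Zone/wpad.dat" -UseBasicParsing
    if ($r.Headers['Content-Type'] -notlike 'application/x-ns-proxy-autoconfig*') {
        $findings += "wpad.dat served with Content-Type '$($r.Headers['Content-Type'])'"
    }
    if ($r.Content -notmatch 'function\s+FindProxyForURL') {
        $findings += "wpad.dat does not define FindProxyForURL (error page?)"
    }
    [regex]::Matches($r.Content, 'PROXY\s+([^\s;"]+)') |
        ForEach-Object { "PAC hands out proxy: $($_.Groups[1].Value)" }
} catch {
    $findings += "cannot fetch http://wpad.$Zone/wpad.dat: $($_.Exception.Message)"
}

if ($findings) { $findings | ForEach-Object { "FAIL: $_" } } else { "OK: wpad record and hosting look sound" }
```

Item 2 is the one most often missed: a record that a workstation registered on its own looks fine in DNS Manager, but the account that created it keeps write access to it under secure dynamic update, so only an administrator-created static record gives you the control the rest of the list assumes.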
Conclusion
Blocking the wpad name by default is a sensible precaution on Microsoft’s part. If you need WPAD, enabling it is straightforward; the point of the practices above is to make sure the record, and the file it points to, are ones only you control.