- Bohack - https://www.bohack.com -

Windows Server 2008 R2 Breaks WPAD

I had just completed a successful upgrade of my domain controllers at work to Windows Server 2008 R2. After the upgrade we found that anyone that used the proxy and relied in automatic settings could no longer receive the proxy address. This is in “Automatically detect settings” in the “LAN settings” of Internet Explorer options.

After some research I found a TechNet Article http://technet.microsoft.com/en-us/library/cc794902%28WS.10%29.aspx that explained the motivation behind this. Basically when Internet Explorer starts up, it starts with the default of “Automatically detect settings” checked in the “Local Area Network (LAN) Settings” dialog box in Internet Explorer Options. So every time it starts it queries for wpad.FQDN and if it resolves it then grabs the wpad.dat. When your client boots up and the DHCP will configure option 15 for the domain name it appends this to the wpad. An example: if you machine boots up and retrieves option 15 as contoso.com. Then IE will try to retrieve http://wpad.contoso.com/wpad.dat.

Now let me explain why: Microsoft uses dynamic updates in DNS. Since most people do not use wpad entries; it introduces an attack vector. A malicious user would name their client “wpad” and serve a wpad.dat file from the host of their web server. When their client boots up it will try to register itself as “wpad.contoso.com” and now potentially all of your clients are proxy-ed thru a malicious host.

Microsoft closed the hole by automatically denying resolution of wpad.FQDN entries in the “Global Query Block List”. Which regardless of which zones you host on Microsoft DNS servers it will deny resolution of the wpad.

To fix this you will need to run the commands below against each of your DNS servers:

To see the “Global Query Block List”

dnscmd [<ServerName>] /info /globalqueryblocklist

example:
dnscmd 192.168.1.1 /info /globalqueryblocklist

To fix the problem in the “Global Query Block List”

dnscmd [<ServerName>] /config /globalqueryblocklist [<name> [<name>]...]

example:
dnscmd 192.168.1.1 /config /globalqueryblocklist isatap