Microsoft KB Archive/934864

= How to configure Microsoft DNS and WINS to reserve WPAD registration =

Article ID: 934864

Article Last Modified on 12/3/2007

-

APPLIES TO

 Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86) Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86) Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86) Microsoft Windows Server 2003 R2 Standard x64 Edition Microsoft Windows Server 2003 R2 Enterprise x64 Edition Microsoft Windows Server 2003 R2 Datacenter x64 Edition Microsoft Windows Server 2003, Standard x64 Edition Microsoft Windows Server 2003, Enterprise x64 Edition</li> Microsoft Windows Server 2003, Datacenter x64 Edition</li> Microsoft Windows Server 2003 Service Pack 1, when used with: <ul> Microsoft Windows Server 2003, Standard Edition (32-bit x86)</li></ul>

<ul> Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)</li></ul>

<ul> Microsoft Windows Server 2003, Web Edition</li></ul>

<ul> Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems</li></ul>

<ul> Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems</li></ul> </li> Microsoft Windows Server 2003, Standard Edition (32-bit x86)</li> Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)</li> Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)</li> Microsoft Windows Server 2003, Web Edition</li> Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems</li> Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems</li> Microsoft Windows Small Business Server 2003 Standard Edition</li> Microsoft Windows 2000 Service Pack 4, when used with: <ul> Microsoft Windows 2000 Datacenter Server</li></ul>

<ul> <li>Microsoft Windows 2000 Advanced Server</li></ul>

<ul> <li>Microsoft Windows 2000 Server</li></ul> </li> <li>Microsoft Windows 2000 Professional Edition, when used with: <ul> <li>Microsoft Windows 2000 Professional Edition</li></ul> </li> <li>Microsoft Small Business Server 2000 Standard Edition</li></ul>

-

<div class="summary_section">

INTRODUCTION
Client software that is configured to use Web Proxy Automatic Discovery (WPAD) must be able to contact a host that serves a proxy automatic configuration file (Wpad.dat). A WPAD-configured client can use several methods to locate a host that contains a Wpad.dat file. Two of these methods require a WPAD entry to be registered in Domain Name System (DNS) or in Windows Internet Naming Service (WINS). Registering a WPAD entry in DNS or in WINS enables clients to resolve names of hosts that contain proxy automatic configuration files.

If an entity can surreptitiously register a WPAD entry in DNS or in WINS, and this entry resolves to a host with a malicious Wpad.dat file, WPAD clients may be able to route their Internet traffic through a malicious proxy server.

Network administrators who have not already registered legitimate WPAD entries in DNS or in WINS, and network administrators who have not correctly implemented WPAD through DHCP and Option 252, must reserve static WPAD DNS host names and WPAD WINS name records. By doing this, network administrators help prevent possible malicious registrations.

<div class="moreinformation_section">

MORE INFORMATION
To reserve static DNS host names and WINS name records for WPAD, and to reserve other names that you may want to block, follow these steps.

DNS
To register a reserved name host entry in DNS, you must register the host name without registering an IP address. Use either of the following methods, as appropriate for your situation.

Method 1: Use the DNS Management Console

 * 1) Open the DNS Management Console.
 * 2) Right-click the zone that corresponds to the appropriate search domain, and then click Other New Records.
 * 3) In the Select a resource record type list, select Text (TXT).
 * 4) Click Create Record.
 * 5) In New Resource Record, type the reserved name in the Record Name box.

For example, if you want to reserve the name &quot;WPAD,&quot; type WPAD in the Record Name box.
 * 1) Click OK to add the new record to the zone.
 * 2) Repeat steps 5 through 6 for all the other reserved names that you want to block.
 * 3) Repeat steps 1 through 7 for each search domain.

Method 2: Use commands at a command prompt
<ol> <li>Open a Command Prompt window.</li> <li>At a command prompt, type the following command, and then press ENTER:

 dnscmd  /RecordAdd ZoneName   TXT &quot;&quot; 

For example, if you want to reserve the name &quot;WPAD,&quot; type the following command: 

dnscmd  /RecordAdd ZoneName WPAD TXT &quot;&quot;

Notes <ul> <li>You may want to enter some reference text as the data of the TXT record, such as “KB934864.”</li> <li>If  is not specified, the local computer will be used.</li></ul> </li> <li>Repeat step 2 for all the other reserved names that you want to block.</li> <li>Repeat steps 1 through 3 for each search domain.</li></ol>

WINS
To register a reserved name record in WINS, you must register both the name and the qualified name. (A qualified name is a name that is followed by a period (.) character.) For example, to register the reserved &quot;WPAD&quot; name record in WINS, you must register both of the following names:
 * WPAD
 * WPAD.

When you register both the name and the qualified name, the following conditions are true:
 * All reserved name registrations are blocked.
 * WINS is prevented from replying to WINS clients that request reserved name record resolution.

WPAD example
Use the following procedure for the &quot;WPAD&quot; reserved name as a model, and complete the steps for the following items:
 * Every WINS server
 * Every reserved name, such as the &quot;WPAD&quot; reserved name
 * Any other names that you want to block


 * 1) Open the WINS Manager.
 * 2) Create a statically-assigned Internet group that is named &quot;WPAD&quot; with a single IP address of 0.0.0.0.
 * 3) Click Apply.
 * 4) Remove the address, and then click Apply. You now have a multi-record entry in WINS that has no records.
 * 5) Create a statically-assigned Internet group that is named &quot;WPAD.&quot; with a single IP address of 0.0.0.0.
 * 6) Click Apply.
 * 7) Remove the address, and then click Apply. You now have a multi-record entry in WINS that has no records.

Note These changes do not replicate. Therefore, you must repeat steps 1 through 7 on every WINS server that is in your organization.

Keywords: kbsecurity kbexpertiseinter kbhowto KB934864

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.