WPAD Beware - MS09-008: Description of the security update for DNS server: March 10 2009
You might be aware that the Windows Server 2008 DNS Server blocks certain names by default. These names are ISATAP and WPAD. Users of Windows Server 2003 DNS servers didn’t have to worry about this issue because there was no name blocking feature for these servers.
If you installed MS09-008, however, things have changed, though you might not have noticed. If you already have a WPAD entry in your Windows Server 2003 DNS server, it will not be blocked. But if you stand up a new Windows Server 2003 DNS Server, get it fully up to date, and then configure a WPAD entry, you might be surprised to find that your clients’ DNS queries for WPAD fail.
You can read more about MS09-008 at http://support.microsoft.com/kb/961063/
To fix the problem with WPAD name resolution, check out http://support.microsoft.com/kb/968732/en-us
An interesting response in the Q&A for this article:
Answer: No. If you have WPAD deployed in a network, and you already have the name WPAD registered in DNS, then it will not be blocked. However, if you have WPAD in the network and it uses DHCP to distribute the wpad.dat file with nothing in DNS, then the DNS query for WPAD will be blocked.
I guess what they’re trying to say here is that if you don’t have a DNS record for WPAD, then the DNS server will not answer queries for wpad 🙂
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer