The dangers of WPAD and LLMNR – Protect your network

In my previous article I wrote a few words about the WPAD/LLMNR protocols and gave you an example of how to use wpad to set up an attack. Now, more importantly, here are a few tips on how to protect your network being vulnerable.

Tip #1 – Turn off WPAD on a stand-alone workgroup computer:

In Windows 10, simply un-tick this box, and most modern web browsers should replicate this setting into their browsers advanced settings. Double check settings in your browser to make sure it’s off.

Turn off Win 10 Default setting. Make sure to check that your browser is replicating this setting.

Tip #2 – Turn off WPAD in your enterprise domain using Group Policy:

User Configuration > Windows Components > Internet Explorer:
Disable changing Automatic Configuration settings: Enabled
Prevent changing proxy settings: Enabled

User Configuration > Preferences > Control Panel Settings > Internet Settings:
Right click and make a new rule for IE 10. Go to Connections, LAN settings and make sure “Automatically detect settings” is turned off.

Users WPAD settings after GPO rules.

Users will be unable to turn on WPAD. Note that this setting is replicating with Windows 10 proxy-setting, so all browsers should now be safe.

Tip #3 – Make a new entry in DNS for “wpad”:

To be even more bulletproof against any wpad poisoning attacks, you should add a new DNS entry for “wpad”. To make this work, note that Microsoft introduced a new feature called “Global Query Block List” in Windows Server 2008 and later.

This is a list of querys being blocked by the DNS server, introduced purely to prevent malicious clients from registering these names in the dynamic DNS. These names include “wpad” and “isatap”.

To remove “wpad” from the Global Query Block List, open regedit and go to:

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > DNS > Parameters

In GlobalQueryBlockList, remove wpad entry:

GlobalQueryBlockList in Windows Server 2016

Restart your DNS server, and you should now be able to make a new A record in your DNS pointing to Make sure to set the loopback address, making any wpad requests from a browser pointing to its own local system and not others.

Also note, that if WPAD is enabled in a browser after specifying a wpad DNS entry, the browser will use a few seconds to look for the PAC file locally on that system before the request it’s being discarded and the user is forwarded to any websites.

Leave a Reply

Your email address will not be published. Required fields are marked *