What is WPAD?

WPAD stands for Windows Proxy Auto-Discovery. It is a protocol to obtain the URL for a PAC file.

WPAD uses the following methods in order to discover the PAC file URL:

  • DHCP
  • DNS
  • WINS
  • NetBIOS
  • Hosts
  • Lmhosts

The PAC file tells the host where to direct network traffic. This is usually used to force traffic through a web proxy.

Why is it insecure?

When DHCP or DNS is misconfigured or not configured, an attacker can provide the client with a PAC file that directs traffic to a compromised server.


There is no one-size fits all solution, but in general there are two cases:

  1. If a web filter with an alternative PAC delivery mechanism is installed or a web filter is not used:

    • Disable WPAD client side.
    • Sinkhole wpad.domain.com via DNS.
    • Enable DHCP Guarding and/or set DHCP option 252 to sinkhole WPAD requests.
    • Configure firewalls to block outbound requests for wpad.dat files.
  2. If a web filter is installed and configured to deliver PAC files:

    • Ensure DHCP option 252 is set to the correct value.
    • Enable DHCP Guarding to defend against rogue DHCP servers.
    • Ensure a DNS entry is created for wpad.domain.com, pointing to the server with a PAC file.