Web Proxy Auto-Discovery Protocol

Last updated August 25, 2023

The Web Proxy Auto-Discovery (WPAD) Protocol is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL.

History

The WPAD protocol only outlines the mechanism for discovering the location of this file, but the most commonly deployed configuration file format is the proxy auto-config format originally designed by Netscape in 1996 for Netscape Navigator 2.0.^[1] The WPAD protocol was drafted by a consortium of companies including Inktomi Corporation, Microsoft Corporation, RealNetworks, Inc., and Sun Microsystems, Inc. (now Oracle Corp.). WPAD is documented in an INTERNET-DRAFT which expired in December 1999.^[2] However, WPAD is still supported by all major browsers.^[3]^[4] WPAD was first included with Internet Explorer 5.0.

Context

In order for all browsers in an organization to be supplied the same proxy policy, without configuring each browser manually, both the below technologies are required:

Proxy auto-config (PAC) standard: create and publish one central proxy configuration file. Details are discussed in a separate article.
Web Proxy Auto-Discovery Protocol (WPAD) standard: ensure that an organization's browsers will find this file without manual configuration. This is the topic of this article.

The WPAD standard defines two alternative methods the system administrator can use to publish the location of the proxy configuration file, using the Dynamic Host Configuration Protocol (DHCP) or the Domain Name System (DNS):

Before fetching its first page, a web browser implementing this method sends a DHCPINFORM query to the local DHCP server, and uses the URL from the WPAD option in the server's reply. If the DHCP server does not provide the desired information, DNS is used. If, for example, the network name of the user's computer is pc.department.branch.example.com, the browser will try the following URLs in turn until it finds a proxy configuration file within the domain of the client:

http://wpad.department.branch.example.com/wpad.dat
http://wpad.branch.example.com/wpad.dat
http://wpad.example.com/wpad.dat
http://wpad.com/wpad.dat (in incorrect implementations, see note in Security below)

(Note: These are examples and are not "live" URLs due to them employing the reserved domain name of "example.com".)

Additionally on Windows if the DNS query is unsuccessful then Link-Local Multicast Name Resolution (LLMNR) and/or NetBIOS will be used.^[5]^[6]

Notes

DHCP has a higher priority than DNS: if DHCP provides the WPAD URL, no DNS lookup is performed. This only works with DHCPv4. In DHCPv6, there is no WPAD-Option defined.
Notice that Firefox does not support DHCP, only DNS, and the same is true for Chrome on platforms other than Windows and ChromeOS, and for versions of Chrome older than version 13.^[3]^[4]

When constructing the query packet, DNS lookup removes the first part of the domain name (the client host name) and replaces it with wpad. Then, it "moves up" in the hierarchy by removing more parts of the domain name, until it finds a WPAD PAC file or leaves the current organisation.

The browser guesses where the organisation boundaries are. The guess is often right for domains like 'company.com' or 'university.edu', but wrong for 'company.co.uk' (see security below).

For DNS lookups, the path of the configuration file is always wpad.dat. For the DHCP protocol, any URL is usable. For traditional reasons, PAC files are often called proxy.pac (of course, files with this name will be ignored by the WPAD DNS search).

The MIME type of the configuration file must be "application/x-ns-proxy-autoconfig". See Proxy auto-config for more details.

Internet Explorer and Konqueror are currently the only browsers offering support for both the DHCP and DNS methods; the DNS method is supported by most major browsers.^[7]

Requirements

In order for WPAD to work, a few requirements have to be met:

In order to use DHCP, the server must be configured to serve up the "site-local" option 252 ("auto-proxy-config") with a string value of e.g. http://example.com/wpad.dat where "example.com" is the address of a Web server.
In order to use the DNS only method, a DNS entry is needed for a host named WPAD.
The host at the WPAD address must be able to serve a Web page.
In both cases, the Web server must be configured to serve the WPAD file with a MIME type of application/x-ns-proxy-autoconfig.
If the DNS method is used, a file named wpad.dat must be located in the WPAD Web site's root directory.
The PAC files are discussed in the Proxy auto-config article.
Use caution when configuring a WPAD server in a virtual hosting environment. When automatic proxy detection is used, WinHTTP and WinINET in Internet Explorer 6 and earlier send a "Host: <IP address>" header and IE7+ and Firefox sends a "Host: wpad" header. Therefore, it is recommended that the wpad.dat file be hosted under the default virtual host rather than its own.
Internet Explorer version 6.0.2900.2180.xpsp_sp2_rtm requests "wpad.da" instead of "wpad.dat" from the Web server.
If Windows Server 2003 (or later) is used as the DNS server, the DNS Server Global Query Block List may have to be disabled, or the registry can be modified to edit the list of blocked queries.^[8]^[9]

Security

While greatly simplifying configuration of one organisation's web browsers, the WPAD protocol has to be used with care: simple mistakes can open doors for attackers to change what appears on a user's browser:

An attacker inside a network can set up a DHCP server that hands out the URL of a malicious PAC script.
If the network is 'company.co.uk' and the file http://wpad.company.co.uk/wpad.dat isn't served, the browsers will go on to request http://wpad.co.uk/wpad.dat. Before the introduction of the Public Suffix List in the 2010s, some browsers could not determine that wpad.co.uk was no longer inside the organization.
The same method has been used with http://wpad.org.uk. This used to serve a wpad.dat file that would redirect all of the user's traffic to an internet auction site.
ISPs that have implemented DNS hijacking can break the DNS lookup of the WPAD protocol by directing users to a host that is not a proxy server.
Leaked WPAD queries could result in domain name collisions with internal network naming schemes. If an attacker registers a domain to answer leaked WPAD queries and configures a valid proxy, there is potential to conduct man-in-the-middle (MitM) attacks across the Internet.^[10]

Through the WPAD file, the attacker can point users' browsers to their own proxies and intercept and modify the WWW traffic of everyone connected to the network. Although a simplistic fix for Windows WPAD handling was applied in 2005, it only fixed the problem for the .com domain. A presentation at Kiwicon showed that the rest of the world was still critically vulnerable to this security hole, with a sample domain registered in New Zealand for testing purposes receiving proxy requests from all over the country at the rate of several a second. Several of the wpad.tld domain names (including COM, NET, ORG, and US) now point to the client loopback address to help protect against this vulnerability, though some names are still registered (wpad.co.uk).

Thus, an administrator should make sure that a user can trust all the DHCP servers in an organisation and that all possible wpad domains for the organisation are under control. Furthermore, if there's no wpad domain configured for an organisation, a user will go to whatever external location has the next wpad site in the domain hierarchy and use that for its configuration. This allows whoever registers the wpad subdomain in a particular country to perform a man-in-the-middle attack on large portions of that country's internet traffic by setting themselves as a proxy for all traffic or sites of interest.

On top of these traps, the WPAD method fetches a JavaScript file and executes it on all users browsers, even when they have disabled JavaScript for viewing web pages.

Related Research Articles

The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on Internet Protocol (IP) networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a client–server architecture.

A name server is a computer application that implements a network service for providing responses to queries against a directory service. It translates an often humanly meaningful, text-based identifier to a system-internal, often numeric identification or addressing component. This service is performed by the server in response to a service protocol request.

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. It improves privacy, security, and performance in the process.

Dynamic DNS (DDNS) is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DDNS configuration of its configured hostnames, addresses or other information.

Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the network and establish functional network services. UPnP is intended primarily for residential networks without enterprise-class devices.

<span class="mw-page-title-main">Squid (software)</span> Caching and forwarding HTTP web proxy

Squid is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching World Wide Web (WWW), Domain Name System (DNS), and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic. Although used for mainly HTTP and File Transfer Protocol (FTP), Squid includes limited support for several other protocols including Internet Gopher, Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Hypertext Transfer Protocol Secure (HTTPS). Squid does not support the SOCKS protocol, unlike Privoxy, with which Squid can be used in order to provide SOCKS support.

Zero-configuration networking (zeroconf) is a set of technologies that automatically creates a usable computer network based on the Internet Protocol Suite (TCP/IP) when computers or network peripherals are interconnected. It does not require manual operator intervention or special configuration servers. Without zeroconf, a network administrator must set up network services, such as Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS), or configure each computer's network settings manually.

A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are commonly used to present a landing or log-in page which may require authentication, payment, acceptance of an end-user license agreement, acceptable use policy, survey completion, or other valid credentials that both the host and user agree to adhere by. Captive portals are used for a broad range of mobile and pedestrian broadband services – including cable and commercially provided Wi-Fi and home hotspots. A captive portal can also be used to provide access to enterprise or residential wired networks, such as apartment houses, hotel rooms, and business centers.

In computer networking, a network service is an application running at the network application layer and above, that provides data storage, manipulation, presentation, communication or other capability which is often implemented using a client–server or peer-to-peer architecture based on application layer network protocols.

This article presents a comparison of the features, platform support, and packaging of many independent implementations of Domain Name System (DNS) name server software.

A proxy auto-config (PAC) file defines how web browsers and other user agents can automatically choose the appropriate proxy server for fetching a given URL.

The domain name .local is a special-use domain name reserved by the Internet Engineering Task Force (IETF) so that it may not be installed as a top-level domain in the Domain Name System (DNS) of the Internet. As such it is similar to the other special domain names, such as .localhost. However, .local has since been designated for use in link-local networking, in applications of multicast DNS (mDNS) and zero-configuration networking (zeroconf) so that DNS service may be established without local installations of conventional DNS infrastructure on local area networks.

The Dynamic Host Configuration Protocol version 6 (DHCPv6) is a network protocol for configuring Internet Protocol version 6 (IPv6) hosts with IP addresses, IP prefixes, default route, local segment MTU, and other configuration data required to operate in an IPv6 network. It is not just the IPv6 equivalent of the Dynamic Host Configuration Protocol for IPv4.

dnsmasq is free software providing Domain Name System (DNS) caching, a Dynamic Host Configuration Protocol (DHCP) server, router advertisement and network boot features, intended for small computer networks.

DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.

Internet censorship circumvention, also referred to as going over the wall or scientific browsing in China, is the use of various methods and tools to bypass internet censorship.

A search domain is a domain used as part of a domain search list. The search list, as well as the local domain name, is used by a resolver to create a fully qualified domain name (FQDN) from a relative name. For this purpose, the local domain name functions as a single-item search list.

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS. In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States.

DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. The well-known port number for DoT is 853.

References

↑ "Navigator Proxy Auto-Config File Format". Netscape Navigator Documentation. March 1996. Archived from the original on 2007-03-07. Retrieved 2015-02-10.
↑ Gauthier, Paul; Josh Cohen; Martin Dunsmuir; Charles Perkins (1999-07-28). "Web Proxy Auto-Discovery Protocol (INTERNET-DRAFT)". IETF . Retrieved 2015-02-10.
1 2 "Chromium #18575: Non-Windows platforms: WPAD (proxy autodetect discovery) does not test DHCP". 2009-08-05. Retrieved 2015-02-10.
1 2 "Firefox #356831 - Proxy autodiscovery doesn't check DHCP (option 252)". 2006-10-16. Retrieved 2015-02-10.
↑ "Troubleshooting Web Proxy Auto Discovery (WPAD) issues". GFI Software. Archived from the original on 2021-04-14. Retrieved 2015-02-10.
↑ Hjelmvik, Erik (2012-07-17). "WPAD Man in the Middle" . Retrieved 2015-02-10.
↑ "Konqueror: Automatic Proxy Discovery". KDE . 2013-05-20. Archived from the original on 2015-02-11. Retrieved 2015-02-10.
↑ King, Michael (2010-02-17). "WPAD does not resolve in DNS" . Retrieved 2015-02-10.
↑ "Removing WPAD from DNS block list". Microsoft TechNet . 26 September 2008. Retrieved 2015-02-10.
↑ "Alert (TA16-144A) WPAD Name Collision Vulnerability". US-CERT . 2016-10-06. Retrieved 2017-05-02.