Leaked DNS Query Detection - WPAD Proxy Request
Medium Nessus Network Monitor Plugin ID 7202
Synopsis
An internal proxy discovery request has been leaked to the public realm.
Description
WPAD, or Web Proxy Auto-Discovery, is a feature that enables some browsers to determine their web proxy settings automatically. WPAD requests are sent out through DNS and NetBIOS, relying on a locally configured WPAD server within the same network to provide proxy server information when requested. Through an error in DNS configuration, the remote host has sent a WPAD request to the public realm, potentially allowing a man-in-the-middle (MitM) attack to take place. A determined attacker who is able to register a gTLD with the same domain name could theoretically serve up false WPAD information, routing all web traffic through a proxy server under their control and allowing them to eavesdrop on the connection.
Solution
Disable WPAD requests or ensure firewall settings are configured to drop any outbound 'WPAD' DNS lookups.
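
The condition described above can also be checked against DNS query logs. The following is an added example, not code from the plugin or from Nessus Network Monitor: it flags any lookup whose leftmost label is `wpad` and whose resolver lies outside the internal ranges. The log format, the choice of RFC 1918 ranges as "internal", and every address and name in the sample are constructed assumptions.

```python
import ipaddress

# Assumption: resolvers inside these ranges are internal; anything else is public.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log, one query per line:
#   <time> <client> <resolver> <qtype> <qname>
SAMPLE_LOG = """\
2024-01-01T09:00:01Z 10.1.2.15 10.1.0.53 A wpad.corp.example.
2024-01-01T09:00:02Z 10.1.2.15 198.51.100.53 A wpad.corp.example.
2024-01-01T09:00:03Z 10.1.2.22 198.51.100.53 A www.example.org.
2024-01-01T09:00:04Z 10.1.2.31 203.0.113.53 AAAA WPAD.example.
2024-01-01T09:00:05Z 10.1.2.40 198.51.100.53 A notwpad.example.
malformed line
"""

def is_internal(addr):
    """True if addr falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on bad input
    return any(ip in net for net in INTERNAL_NETS)

def is_wpad_name(qname):
    """True if the leftmost DNS label is exactly 'wpad' (case-insensitive)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[0] == "wpad"

def find_leaked_wpad(log_text):
    """Return (client, resolver, qname) for WPAD lookups sent to public resolvers."""
    leaks = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed format
        _, client, resolver, _qtype, qname = fields
        try:
            leaked = is_wpad_name(qname) and not is_internal(resolver)
        except ValueError:
            continue  # resolver field was not an IP address
        if leaked:
            leaks.append((client, resolver, qname.rstrip(".").lower()))
    return leaks

if __name__ == "__main__":
    for client, resolver, qname in find_leaked_wpad(SAMPLE_LOG):
        print(f"leaked WPAD lookup: {client} -> {resolver} for {qname}")
```

Hosts reported here are the ones whose WPAD lookups should be disabled or dropped at the firewall, as the solution above states.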