WPAD via DNS and ISA Server (or TMG, for that matter)

Just a reminder that WPAD is a special blocked keyword after recent DNS Server security updates.

This prevents sites with an unconfigured WPAD entry from allowing devolution beyond their own level. The symptom you see most often might be that when you first configure a WPAD entry, Internet Explorer (or other browsers using WPAD) might pause for a long time before failing to use the proxy (if exclusively configured for Auto Detection).

To allow WPAD via DNS to function properly, check out the instructions for removing WPAD from the DNS block list:

https://support.microsoft.com/kb/968732

https://technet.microsoft.com/en-us/library/cc995158.aspx 

The block list is populated when the update is installed – if you don’t already have a WPAD entry at that point, WPAD will be added to the block list, and just creating the entry won’t fix it without it being unblocked as well.

If you think DNS-based WPAD isn’t working, you can still use Option 252 in DHCP instead (which is really quite cool, as it allows you to point at any arbitrary URL and script file, not just https://wpad/WPAD.DAT), with IE set for auto configuration (or autoconfiguration, or “Automatically Detect Settings” for search engine friendliness).