You hit the nail on the head--DNS tree climbing, or in the MS world,
"DNS Devolution", is bad.

There's a good description of DNS Devolution, including when and how and
why it occurs, in the Win2k documentation at
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/prork/prcc_tcp_dacz.mspx?mfr=true,
"TCP/IP in Windows 2000 Professional". The root cause is the "Append
parent suffixes of the primary DNS suffix" (ie, DNS Devolution) option
shown in figure 22.7.

Following the flow charts, devolution is figure 22.6, which only occurs
for unqualified single-label queries when no DNS suffix search list is
configured. The client first tries the fully qualified name
(wpad.aaa.bbb.contoso.com.) for _all_ connection-specific names on _all_
adapters before "devolving" up the DNS tree. (Keep in mind that most
windows VPN clients create a virtual connection, so all private DNS
requests on a VPN that are unanswered within 1 sec get leaked out the
public interface...and probably often end up as garbage
"wpad.contoso.local" type queries at the roots.)

WPAD is one specific example of a more general case, I wonder if Win2k
service discovery or .inaddr.arpa lookups are similarly affected.

I remember hearing about the person who used to own wpad.co.nz . Most of
the time they kept it offline due to the huge amount of traffic it
attracted

I should check the DNS logs at work to see how many queries it gets these
days.

http://www.microsoft.com/technet/security/bulletin/fq99-054.mspx
-----
What's the problem with the search algorithm?
When IE 5 starts, it will begin searching for a WPAD server, if it is
configured to use WPAD. It starts the search by adding the hostname "WPAD"
to current fully-qualified domain name. For instance, a client in
a.b.Microsoft.com would search for a WPAD server at
wpad.a.b.microsoft.com. If it could not locate one, it would remove the
bottom-most domain and try again; for instance, it would try
wpad.b.microsoft.com next. IE 5 would stop searching when it found a WPAD
server or reached the third-level domain, wpad.microsoft.com.
The algorithm stops at the third level in order to not search outside of
the current network. However, for international sites, this is not
sufficient, because third-level domains can be outside the current
network. For example, if the network at xyz.com.au did not have a WPAD
server, the search algorithm eventually would reach wpad.com.au, which is
an external network name. If the owner of wpad.com.au set up a WPAD
server, he or she could provide chosen proxy server configuration settings
to the clients at xyz.com.au. For that matter, any network in com.au that
didn't have its own WPAD server but did have WPAD enabled in its web
clients also would also resolve to wpad.com.au.
-----
It is quite possible, and we can assume (until someone tells us they
know), that they fixed it for ccTLDs as well, and then re-introduced the
flaw somehow.

Also:
http://www.wlug.org.nz/WPAD
-----
(BeauButler?: I have registered wpad.co.nz, and do not intend to be
'really nasty'. I am collecting the 404 logs with the intention to produce
some nice charts, hoever. Also, the wpad organisational-boundaries bug
appears to have resurfaced in Internet Explorer 7!!)
-----
Beau Bulter is the guy who got all the press by talking about this at
kiwicon last week:
https://kiwicon.org/presentations#oddy

This is the story that got Microsoft's attention:
http://www.theage.com.au/news/technology/flaw-leaves-microsoft-looking-like-a-turkey/2007/11/23/1195975914416.html
Which is where Beau says there are ~160,000 exploitable machines in NZ
alone. He would *supposedly* know since he has the wpad.co.nz domain.

Whether it is a major issue or not, misconfigurations happens, heck, shit
happens. I'd think we should watch for this and get that domain
registered/monitored at different ccTLDs.

Gadi.

I wouldnt say that they fixed it for .com, or probably ever will.
I'm the lucky holder of wpad.{com,net,org,biz,us}. You can see the
number of 404's that I've served over the years at
Loading Image...

DW