Proxy hijacking via auto-proxy (WPAD) vulnerability

I was recently reviewing some Wireshark logs and noticed that my computer was making a few DNS queries to an ex-employer's domain pretty often.

It turns out the culprit was a feature called WPAD (Windows Proxy Auto Detection).  There's a good write-up about what I'm about to say here: 
http://perimetergrid.com/wp/2008/01/11/wpad-internet-explorers-worst-feature/

However, I've got some Wireshark logs to show you exactly what happens here.

WPAD uses a key stored in the registry to find a list of previously detected proxies and then sends a DNS query for each one to see whether it is available. The previously used proxies are stored in the global TCP settings within the registry and apply to every TCP connection.

Example of auto proxy detection enabled:

As soon as this box is checked and the OK button is clicked, Wireshark shows the connections to wpad.{previous proxy address}.{tld}. These addresses are stored here in the registry:


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\ in the SearchList REG_SZ key

Above I have modified this key to be "blah.com", and below you can see the call-out to wpad.blah.com:


Using a packet capture on a shared network, such as hotel Wi-Fi, will reveal DNS queries to wpad.{previous proxy address}.{tld}. Then you "simply" pretend to be that address using DNS rebinding.

DNS Rebinding How To:
https://www.youtube.com/watch?v=0duYxPIx8gU

If your previous employer made use of WPAD, then their address will be stored in your registry and your PC will look to their WPAD server every time you open a web browser (and possibly any other time you connect via TCP).
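As an added example (not part of the original post), here is a small Python check a defender can run against a text export of DNS queries: it derives the wpad.{suffix} names a given SearchList value will produce, and flags WPAD lookups in the capture whose suffix is not on a list of domains you still control. The log lines, suffixes and the tshark-style line layout are constructed assumptions for this example.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample in the style of a tshark text export (not a real capture).
SAMPLE_LOG = """\
1 0.000000 192.168.1.10 -> 192.168.1.1 DNS 74 Standard query 0x1a2b A wpad.blah.com
2 0.012345 192.168.1.1 -> 192.168.1.10 DNS 90 Standard query response 0x1a2b A wpad.blah.com A 203.0.113.5
3 0.500000 192.168.1.10 -> 192.168.1.1 DNS 70 Standard query 0x3c4d A www.example.com
4 1.200000 192.168.1.10 -> 192.168.1.1 DNS 78 Standard query 0x5e6f A wpad.corp.example.com
"""

# Match outgoing A queries for wpad.<suffix>; the lookahead skips response lines.
WPAD_QUERY = re.compile(r"Standard query (?!response)\S+ A (wpad\.(\S+))", re.IGNORECASE)


def expected_wpad_names(search_list: str) -> List[str]:
    """Turn a comma-separated SearchList value into the wpad.<suffix> names the host will query."""
    return [f"wpad.{s.strip().lower()}" for s in search_list.split(",") if s.strip()]


def find_wpad_queries(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every WPAD lookup found in the DNS query lines, with its DNS suffix."""
    hits = []
    for line in lines:
        m = WPAD_QUERY.search(line)
        if m:
            hits.append({"name": m.group(1).lower(), "suffix": m.group(2).lower()})
    return hits


def stale_wpad_lookups(log_text: str, trusted_suffixes: Iterable[str]) -> List[str]:
    """WPAD names queried for suffixes you no longer control (e.g. an ex-employer's domain)."""
    trusted = {s.strip().lower() for s in trusted_suffixes}
    hits = find_wpad_queries(log_text.splitlines())
    return sorted({h["name"] for h in hits if h["suffix"] not in trusted})


if __name__ == "__main__":
    print("SearchList would query:", expected_wpad_names("blah.com, corp.example.com"))
    print("Stale WPAD lookups:", stale_wpad_lookups(SAMPLE_LOG, ["corp.example.com"]))
```

Any name reported by stale_wpad_lookups is a suffix to remove from SearchList, since whoever controls that domain can answer the WPAD lookup.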


More articles by Michael Camp, Bentley

Explore content categories