diff --git a/CHANGELOG b/CHANGELOG index 9013977..f526acb 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -64,6 +64,10 @@ version 2.80 now always forward, and never answer from the cache. This allows "dig +trace" command to work. + Include in the example config file a formulation which + stops DHCP clients from claiming the DNS name "wpad". + This is a fix for the CERT Vulnerability VU#598349. + version 2.79 Fix parsing of CNAME arguments, which are confused by extra spaces. diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example index 008ddb7..bf19424 100644 --- a/dnsmasq.conf.example +++ b/dnsmasq.conf.example @@ -672,3 +672,8 @@ # Include all files in a directory which end in .conf #conf-dir=/etc/dnsmasq.d/,*.conf + +# If a DHCP client claims that its name is "wpad", ignore that. +# This fixes a security hole. see CERT Vulnerability VU#598349 +#dhcp-name-match=set:wpad-ignore,wpad +#dhcp-ignore-names=tag:wpad-ignore
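Review bot: In the dnsmasq.conf.example hunk, the new comment says only "This fixes a security hole" and both directives are added commented out, so a reader copying the example cannot tell that the mitigation stays inactive until the two lines are uncommented together, nor what it protects against. I would spell that out in the comment, e.g. `# A DHCP client that registers the name "wpad" can be picked up by proxy auto-discovery on other hosts.` followed by `# Uncomment BOTH lines: the first tags clients sending that name, the second ignores the hostname they supply.` The match is for the literal name `wpad` only. If VU#598349 is read as covering other auto-discovery names, each would presumably need its own `dhcp-name-match` line, which is worth confirming against the advisory.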