Weird wpad DNS queries, anyone seen this?

Solution 1:

What does the DNS resolver setup look like on the client sending those queries? Is it part of multiple domains? Does it have a huge search list?

The way the proxy settings are discovered is documented at https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Protocol#Context

The reason the queries only decreased after you configured the browser may be that multiple browsers are installed, and not all of them were reconfigured by your action.

Solution 2:

I can confirm exactly the same behavior on a Windows 10 machine with Chrome installed. I think there are two unrelated issues:

  1. In my case the wpad DNS query was caused by the WinHttpAutoProxySvc service. On my machine I could not directly stop and disable this service. I had to modify a registry setting (see: https://community.spiceworks.com/topic/2189290-disabling-winhttp-web-proxy-auto-discover-on-win10) and restart the machine.

     HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc
     "Start" DWORD
     Value = 4 (Disabled)

  2. If the random/weird DNS entries come in groups of 3 just after starting the Chrome browser, then it is probably related to this: https://unix.stackexchange.com/questions/363512/chrome-dns-requests-with-random-dns-names-malware

If you type in a single-word search query, Chrome needs to send a DNS request to check whether this might be a single-word host name. For example, "test" might be a search for "test" or a navigation to "http://test". If the query turns out to be a host, Chrome shows an infobar that asks "did you mean to go to 'test' instead". For performance reasons, the DNS query needs to be asynchronous.

Now some ISPs have started showing ads for non-existent domain names ( http://en.wikipedia.org/wiki/DNS_hijacking ), meaning Chrome would always show that infobar for every single-word query. Since this is annoying, Chrome now sends three random DNS requests at startup, and if they all resolve (to the same IP, I think), it knows not to show the "did you mean" infobar for single-word queries that resolve to that IP.

I hope this helps.
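As an added example (not part of either answer above), the following Python script runs the two heuristics from Solution 2 over a DNS query log: it separates WPAD lookups (the bare label "wpad" plus each search-list suffix) from bursts of three dotless random-looking names shortly after a Chrome start. The log format, the 7-15 letter probe shape, and the 10-second window are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (timestamp, client IP, queried name); not taken from the page.
SAMPLE_LOG = """\
2024-01-01T08:00:01 10.0.0.5 wpad.corp.example.com
2024-01-01T08:00:01 10.0.0.5 wpad.example.com
2024-01-01T08:00:01 10.0.0.5 wpad
2024-01-01T08:00:03 10.0.0.5 xkqzvtrpla
2024-01-01T08:00:03 10.0.0.5 mnbvwqrtyuo
2024-01-01T08:00:04 10.0.0.5 plkjhgfd
2024-01-01T08:05:00 10.0.0.7 www.example.com
2024-01-01T08:05:02 10.0.0.7 qwertyuiop
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Return (timestamp, client, qname) tuples; qname lower-cased, trailing dot removed."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((datetime.fromisoformat(m.group(1)), m.group(2),
                         m.group(3).lower().rstrip(".")))
    return rows

def is_wpad(qname):
    # A WPAD lookup is the bare label "wpad" or "wpad" joined with one search-list entry.
    return qname == "wpad" or qname.startswith("wpad.")

def looks_like_chrome_probe(qname):
    # Assumed shape of Chrome's startup probes: a single dotless label of 7-15 letters.
    return "." not in qname and 7 <= len(qname) <= 15 and qname.isalpha()

def classify(rows, window=timedelta(seconds=10)):
    """Per client: WPAD names seen, and whether three probe-like names fell within `window`."""
    wpad, probes = defaultdict(list), defaultdict(list)
    for ts, client, qname in rows:
        if is_wpad(qname):
            wpad[client].append(qname)
        elif looks_like_chrome_probe(qname):
            probes[client].append(ts)
    result = {}
    for client in set(wpad) | set(probes):
        times = sorted(probes[client])
        burst = any(times[i + 2] - times[i] <= window for i in range(len(times) - 2))
        result[client] = {"wpad": wpad[client], "chrome_probe_burst": burst}
    return result

if __name__ == "__main__":
    for client, info in sorted(classify(parse_log(SAMPLE_LOG)).items()):
        print(client, info)
```

A host that shows WPAD names but no probe burst points at the WinHttpAutoProxySvc explanation; a burst of three with no WPAD names points at the Chrome heuristic.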