Pi hole flooded with queries to wpad and isatap - Ubiquiti

emselino · November 21, 2017, 10:33am

Expected Behaviour:

No flooding/excessive requests to wpad.lan.mydomain.io and isatap.lan.mydomain.io and others

Actual Behaviour:

wpad.lan.mydomain.io 20679
mini.lan.mydomain.io 12437
isatap.lan.mydomain.io 11383
lan.mydomain.io 2430
USSWVHPSS646.lan.mydomain.io 1728
USSWVHPSS643.lan.mydomain.io 948
jpadslrhwnw.lan.mydomain.io 690
USSWVHPSS645.lan.mydomain.io 508

These requests are bashing in to my pi hole since I've changed my router to the USG by Ubiquiti. It makes about 20-30 requests a second, which makes dns resolving a pain for legitimate clients. How can I turn that behaviour off?

Any help?

Debug Token:

x0720go5ge

Tntdruid · November 21, 2017, 12:52pm

Are you using Samba?

Mcat12 · November 21, 2017, 8:06pm

Where are the queries coming from? If it's not the Pi-hole, then it's probably not a Pi-hole issue.

jpgpi250 · November 22, 2017, 9:27am

I noticed the wpad (unresolved) dns requests a long time a go. They are coming from windows 10 and I haven't found a way to stop windows making these requests.
I also noticed a macbook making unresolvable requests in a similar way.

My resolution to decrease the number of wpad requests and make them resolvable:

I'm using pfsense (v2.4.2) as a firewall / access point o the internet, so I don't think this has to do with the router type. My pfsense local domain is localdomain

method to enable local LAN resolution:
Create a local dns (hosts) file. I've called it localdns.list and placed it in /etc
Ensure there is an entry for your pihole, example:

192.168.168.1 raspberry.localdomain wpad.localdomain raspberry wpad
192.168.168.2 pfsense.localdomain pfsense
192.168.168.3 windows10.localdomain windows10
192.168.168.4 macbook.localdomain macbook
192.168.168.5 ps3.localdomain ps3

Enable local LAN name resolution:
Create a new dnsmasq configuration file. I've called it 06-localdns.conf, it needs to go in /etc/dnsmasq.d
Restart dnsmasq (sudo service dsnmasq restart)
Example:

domain=localdomain
expand-hosts
local=/localdomain/
addn-hosts=/etc/localdns.list

Create the wpad response file.
Create (on your pihole machine) a file wpad.dat in /var/www/html

function FindProxyForURL(url, host)
{
return "DIRECT";
}

This configuration assumes you haven't got a proxy server, i.e. direct internet access.

Whenever a machine is now requesting wpad information, the dns entry points to your pihole, the request is answered with the correct (pihole) address, the proxy configuration file (minimal size) is retrieved by the requesting machine.
Works for me...

frakker84 · July 12, 2018, 6:53pm

I try your solution but it doesn't work, wpad requests are still present.
The only way to stop these requests is insert wpad.localdomain in hosts file on windows machines.

jpgpi250 · July 13, 2018, 10:42am

The idea behind the solution is NOT to eliminate the requests, that can only be done by modifying the local host (=windows 10) hosts file, as you did.

The idea and solution is to eliminate the timeout, by providing an answer to the DNS request, and to provide a single solution for all (multiple) clients with a single persistent configuration.

If everything is configured, as I proposed, you should see the reply from the webserver (lighttpd - the pihole webserver) in /var/log/lighttpd/access.log, something like:

1531025760|wpad.localdomain|GET /wpad.dat HTTP/1.1|200|56

200 means successful retrieval of the file.

Tntdruid · July 13, 2018, 2:39pm

I did it whit pihole -a hostrecord wpad.mydomain.tld 10.10.1.2

no need to make the 06-localdns.conf

Bucking_Horn · May 1, 2021, 2:36pm

2 posts were split to a new topic: How to disable WPAD in Win10?

Davva23 · August 30, 2021, 3:31pm

This article suggests that it's a good idea to disable WPAD