Serve wpad.dat with Pihole v6

On pihole 5 I could easily make http://wpad/wpad.dat available by adding an additional site to the same lighttpd server pihole used to serve its web interface.

Is it possible to do the same thing on pihole 6?

Since the new pihole 6 webserver will be listening on port 80, I'm not sure I can use lighttpd running on the same machine, as Web Proxy Auto-Discovery Protocol (WPAD) requests will come on port 80. And I'd prefer to have pihole's UI available on port 80 too!

Has anyone else solved this? I really want to avoid building a separate web server just for wpad! This is making me hesitant to upgrade from Pihole 5 on DietPi on my RPi3.


Are you aware of the attack vectors with WPAD? It's a pretty vulnerable protocol.


That's exactly why I serve my own WPAD file! The clients will request it anyway - Windows clients still do it. You can only disable it on your own devices (via registry or GPO), not those that visit your network.

The fix is to serve a PAC file at http://wpad/wpad.dat - something I can do with the DNS server in Pihole 5. That fixes the vulnerability for everyone while on the network.


This would work given that you are forcing DNSSEC validation. If you are not forcing DNSSEC, the DNS reply can be spoofed and you are back to square one.

Even with DNSSEC, you can fall victim to an ARP poisoning and still have this vulnerability. The only real way to solve this is to stop clients from using WPAD entirely.

Are you managing an enterprise environment via GPO?


At work I am managing clients, but you rarely have control of every client on your network. At work we have the resources to solve this problem.

At home where I am running Pihole I just serve the wpad.dat to stop all the clients requesting it repeatedly and close off that risk. I leave the ARP poisoning attacks as a challenge for my kids to figure out. :grinning_face:


If you are enforcing DNSSEC, your best bet is to actually block or CNAME wpad.domain.name rather than serving a fake wpad.dat


Say I did want to configure proxy using wpad.dat or serve a web page, could I do that from the pihole 6 web server?


It seems that it is no longer possible, as application/x-ns-proxy-autoconfig is not one of the MIME types included by default in civetweb.

If the wpad.dat file is in /var/www/html and you set up a CNAME to point wpad to your pihole, it will be served. However, the MIME type will not be right and the file will be ignored.

When civetweb is run as a standalone web server it is possible to specify additional MIME types, but as it is incorporated within FTL I don't believe it is possible to specify these manually.

If you are really keen (as in compile your own FTL keen), you could add

{".dat", 4, "application/x-ns-proxy-autoconfig"},

to the function in FTL/src/webserver/civetweb/civetweb.c (pi-hole/FTL on GitHub, commit b7eb53bf32ab76546db87c6db6d7085526788d67).

I upgraded to Pihole 6 this morning following the instructions at the DietPi site (which is my host OS), but I opted to keep the lighttpd server in place.

This has allowed me to continue serving http://wpad from the same server - lighttpd serves the wpad file, and Pihole's built in web server serves the PiHole admin site at port 8089.

I also added mod_proxy to lighttpd which allowed me to deliver the pihole admin site via port 80 as follows:

In /etc/lighttpd.conf I added mod_proxy to the server.modules directive.

and added the following:

$HTTP["host"] == "pi.hole" {
        proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => "8089" )))
}
$HTTP["host"] == "pihole.home.arpa" {
        proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => "8089" )))
}

The second one is what my pihole is normally called on my network. I don't need to remember the port anymore.

I'm not serving a fake wpad.dat. I am serving a wpad.dat that says not to use any proxy:

function FindProxyForURL(url, host) {
        return "DIRECT";
}
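A complete lighttpd fragment that ties the pieces of this thread together (an added example, not the poster's configuration or Pi-hole's own): it registers the PAC MIME type that civetweb lacks, serves the DIRECT-only wpad.dat from its own document root, and reverse-proxies the Pi-hole v6 admin UI onto port 80. It assumes the PAC file lives at /var/www/wpad/wpad.dat, that Pi-hole's local DNS answers "wpad" and "pihole.home.arpa" with this host's address, and that FTL's web server listens on 127.0.0.1:8089 as in the post.

```lighttpd
# Added example, not the poster's configuration.
# Assumptions: PAC file at /var/www/wpad/wpad.dat, FTL web UI on 127.0.0.1:8089.
server.modules += ( "mod_proxy", "mod_access" )

# civetweb/FTL has no type for .dat; lighttpd can assign the PAC MIME type itself.
# Without the right Content-Type, clients discard the file and keep probing for a proxy.
mimetype.assign += ( ".dat" => "application/x-ns-proxy-autoconfig" )

# WPAD lookups arrive on port 80 for the bare name "wpad" or "wpad.<search domain>".
$HTTP["host"] =~ "^wpad(\.|$)" {
    server.document-root = "/var/www/wpad"
    # Only the PAC file is meant to be public under this name; refuse anything else.
    $HTTP["url"] !~ "^/wpad\.dat$" {
        url.access-deny = ( "" )
    }
}

# Admin UI on the usual port; FTL stays bound to 8089 behind the proxy.
$HTTP["host"] =~ "^(pi\.hole|pihole\.home\.arpa)$" {
    proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => "8089" ) ) )
}
```

Place the two-line FindProxyForURL file from the post at /var/www/wpad/wpad.dat, reload lighttpd, and confirm with a browser or curl that http://wpad/wpad.dat comes back with the application/x-ns-proxy-autoconfig type rather than text/plain.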
