
I noticed that one computer (Windows 10) on our company network does some strange looking queries to our (internal) DNS server (dns.company.com).

I see the wpad query every minute, and then every 10 min or so a bunch of weird hostnames show up.

I searched for "wpad"... Web-Proxy Auto Discovery... I turned that Off in settings->network/internet->proxy on that computer.

Now there are fewer wpad entries, but they still occur. Every 10 min or so I still see these weird looking hostnames.

All these hostnames are the name of our DNS server, with something prepended to them. Does anyone know what this could be?

We don't have any Windows Server/controller here. DHCP and routing is Linux, and DNS too (dnsmasq).

(the AV scan came up empty...)

Feb 17 12:57:16 dns dnsmasq[18678]: query[A] wpad.dns.company.com from 10.10.2.42
Feb 17 13:01:40 dns dnsmasq[18678]: query[A] wpad.dns.company.com from 10.10.2.42
Feb 17 13:01:40 dns dnsmasq[18678]: query[A] wpad.dns.company.com from 10.10.2.42
Feb 17 13:01:42 dns dnsmasq[18678]: query[A] tauidkyonnprqc.dns.company.com from 10.10.2.42
Feb 17 13:01:42 dns dnsmasq[18678]: query[A] ukvdexscffer.dns.company.com from 10.10.2.42
Feb 17 13:01:42 dns dnsmasq[18678]: query[A] gspmcswgglvski.dns.company.com from 10.10.2.42
Feb 17 13:01:42 dns dnsmasq[18678]: query[A] gspmcswgglvski.dns.company.com from 10.10.2.42
Feb 17 13:01:42 dns dnsmasq[18678]: query[A] tauidkyonnprqc.dns.company.com from 10.10.2.42
Feb 17 13:01:42 dns dnsmasq[18678]: query[A] ukvdexscffer.dns.company.com from 10.10.2.42
Feb 17 13:01:42 dns dnsmasq[18678]: query[A] tauidkyonnprqc.dns.company.com from 10.10.2.42
Feb 17 13:01:48 dns dnsmasq[18678]: query[A] wpad.dns.company.com from 10.10.2.42
Feb 17 13:01:48 dns dnsmasq[18678]: query[A] wpad.dns.company.com from 10.10.2.42
Feb 17 13:01:55 dns dnsmasq[18678]: query[A] wpad.dns.company.com from 10.10.2.42
Feb 17 13:01:55 dns dnsmasq[18678]: query[A] wpad.dns.company.com from 10.10.2.42
Dave M
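An added example (not part of the question or of dnsmasq) that runs a defender's triage over log lines in the format quoted above: it strips the assumed client search suffix (`dns.company.com`) to recover the single-label name the client actually asked for, counts `wpad` lookups per client, and flags bursts of three or more random-looking labels from one client within a few seconds, which is the pattern in the log. The sample lines, the `looks_random` heuristic (label length, vowel ratio, consonant runs) and the 5-second window are constructed for this example and will misclassify some real names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the dnsmasq "query[A]" format shown in the question.
SAMPLE_LOG = """\
Feb 17 13:01:40 dns dnsmasq[18678]: query[A] wpad.dns.company.com from 10.10.2.42
Feb 17 13:01:42 dns dnsmasq[18678]: query[A] tauidkyonnprqc.dns.company.com from 10.10.2.42
Feb 17 13:01:42 dns dnsmasq[18678]: query[A] ukvdexscffer.dns.company.com from 10.10.2.42
Feb 17 13:01:42 dns dnsmasq[18678]: query[A] gspmcswgglvski.dns.company.com from 10.10.2.42
Feb 17 13:01:42 dns dnsmasq[18678]: query[A] gspmcswgglvski.dns.company.com from 10.10.2.42
Feb 17 13:01:48 dns dnsmasq[18678]: query[A] wpad.dns.company.com from 10.10.2.42
Feb 17 13:05:00 dns dnsmasq[18678]: query[A] intranet.dns.company.com from 10.10.2.17
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<src>\S+)$"
)
SEARCH_SUFFIX = "dns.company.com"  # assumed DNS search suffix handed to the clients
VOWELS = set("aeiou")


def parse_queries(text):
    """Yield (timestamp, qtype, name, source_ip) for every dnsmasq query line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; 1900 is fine for same-day deltas
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["qtype"], m["name"], m["src"]


def strip_search_suffix(name, suffix=SEARCH_SUFFIX):
    """Recover the label the client typed before the resolver appended the suffix."""
    if name.endswith("." + suffix):
        return name[: -(len(suffix) + 1)]
    return name


def looks_random(label):
    """Rough heuristic: long, letters only, few vowels and a long consonant run."""
    if len(label) < 7 or not label.isalpha():
        return False
    lower = label.lower()
    vowel_ratio = sum(c in VOWELS for c in lower) / len(lower)
    run = longest = 0
    for c in lower:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.3 and longest >= 4


def classify(text, window_seconds=5):
    """Return (wpad_counts, bursts): wpad lookups per client, and per-client
    bursts of >= 3 distinct random-looking labels within window_seconds."""
    wpad = defaultdict(int)
    bursts = []
    current = {}  # src -> (burst start time, set of labels)
    for ts, _qtype, name, src in parse_queries(text):
        label = strip_search_suffix(name)
        if label == "wpad":
            wpad[src] += 1
            continue
        if not looks_random(label):
            continue
        start, labels = current.get(src, (None, None))
        if start is None or (ts - start).total_seconds() > window_seconds:
            if labels and len(labels) >= 3:
                bursts.append((src, start, sorted(labels)))
            current[src] = (ts, {label})
        else:
            labels.add(label)
    for src, (start, labels) in current.items():
        if len(labels) >= 3:
            bursts.append((src, start, sorted(labels)))
    return dict(wpad), bursts


if __name__ == "__main__":
    wpad_counts, found = classify(SAMPLE_LOG)
    print("wpad lookups per client:", wpad_counts)
    for src, start, labels in found:
        print(f"{src} at {start:%H:%M:%S}: burst of {len(labels)} random labels {labels}")
```

Feeding the real dnsmasq log through `classify` separates the two behaviours the question mixes together: the per-client `wpad` count tells you which hosts still have auto-discovery enabled somewhere, and the bursts tell you which hosts emit the random three-name pattern, so each can be investigated on its own.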

2 Answers

What does the DNS resolver setup look like on the client sending those queries? Is it part of multiple domains? Does it have a huge search list?

The way how the proxy settings are discovered is documented at https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Protocol#Context

The reason why the queries just got less after you configured the browser may be that multiple browsers are installed which did not all get reconfigured by your action.


I can confirm exactly the same behavior on a Windows 10 machine with Chrome installed. I think there are two unrelated issues:

  1. In my case the wpad DNS query was caused by the WinHttpAutoProxySvc service. On my machine I could not directly stop and disable this service. I had to modify a registry setting (see: https://community.spiceworks.com/topic/2189290-disabling-winhttp-web-proxy-auto-discover-on-win10) and restart the machine:

         HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc
         "Start" DWORD
         Value = 4 (Disabled)

  2. If the random/weird DNS entries come in groups of 3 just after starting the Chrome browser then it is probably related to this: https://unix.stackexchange.com/questions/363512/chrome-dns-requests-with-random-dns-names-malware

If you type in a single-word search query, chrome needs to send a DNS request to check if this might be a single-word host name: For example, "test" might be a search for "test" or a navigation to "http://test". If the query ends up being a host, chrome shows an infobar that asks "did you mean to go to 'test' instead". For performance reasons, the DNS query needs to be asynchronous.

Now some ISPs started showing ads for non-existent domain names ( http://en.wikipedia.org/wiki/DNS_hijacking ), meaning Chrome would always show that infobar for every single-word query. Since this is annoying, chrome now sends three random DNS requests at startup, and if they all resolve (to the same IP, I think), it now knows not to show the "did you mean" infobar for single-word queries that resolve to that IP.

I hope this helps.
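An added example (not Chrome's code and not part of either answer) that models the two mechanisms these answers describe: the stub resolver qualifies a single-label name with the client's search suffix, which is why the random labels appear under `dns.company.com` in the server log (answer 1's search-list question), and the probe function applies the three-random-names check from answer 2, returning the single address all probes resolved to when an upstream resolver rewrites NXDOMAIN and returning nothing against an honest resolver. The zone contents, the suffix, the hijack address `203.0.113.9` and the 7-to-15 letter label length are assumptions made for this example.

```python
import random
import string


def random_label(rng, min_len=7, max_len=15):
    """Random lowercase single-label hostname; the length range is an assumption."""
    n = rng.randint(min_len, max_len)
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(n))


def make_stub_resolver(search_suffix, zone, hijack_ip=None):
    """Model a client stub resolver backed by a recursive server.

    A name without a dot is qualified with search_suffix before lookup, so the
    DNS server logs e.g. 'tauidkyonnprqc.dns.company.com'. Names present in
    `zone` resolve normally. Names absent from the zone return hijack_ip when
    it is set (an ad-serving resolver rewriting NXDOMAIN) and None otherwise.
    Returns the resolve function and the list of names as the server saw them.
    """
    seen = []

    def resolve(name):
        fqdn = name if "." in name else f"{name}.{search_suffix}"
        seen.append(fqdn)
        if fqdn in zone:
            return zone[fqdn]
        return hijack_ip  # None models NXDOMAIN

    return resolve, seen


def probe_nxdomain_hijack(resolve, rng, probes=3):
    """Chrome-style startup check as described in the answer: resolve `probes`
    random labels; if every one resolves to the same address, return it (the
    address for which 'did you mean' prompts should be suppressed), else None."""
    answers = {resolve(random_label(rng)) for _ in range(probes)}
    if len(answers) == 1:
        (ip,) = answers
        return ip  # None here means all probes got NXDOMAIN: no hijacking
    return None


if __name__ == "__main__":
    zone = {"intranet.dns.company.com": "10.10.0.5"}  # constructed internal zone
    honest, seen = make_stub_resolver("dns.company.com", zone)
    print("honest resolver:", probe_nxdomain_hijack(honest, random.Random(1)))
    print("names the DNS server would log:", seen)
    hijacked, _ = make_stub_resolver("dns.company.com", zone, hijack_ip="203.0.113.9")
    print("hijacking resolver:", probe_nxdomain_hijack(hijacked, random.Random(1)))
```

Against dnsmasq with no NXDOMAIN rewriting, the three probes all fail and the check returns `None`, which is exactly the harmless burst of three `NXDOMAIN` lookups seen in the question's log; the suffix appended by the stub resolver explains why they look like subdomains of the DNS server's own name rather than malware beaconing.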