-1

A company I am servicing has a Domain Controller Name called internal.example.com and whenever their employees go home, Apache is flooded by wpad.dat request. This flood of requests are redirected to 404, this overwhelms apache and it bogs down.

There is a wildcard DNS entry for *.example.com to be redirected to the main website.

These are the things I already did:

  1. Served a wpad.dat file in the root directory of their website. Apache stops bogging down when I started serving a static file.

  2. Added DNS entries for wpad.internal.example.com, internal.example.com, wpad.example.com to 127.0.0.1.

After adding the DNS and letting it propagate, I can still see requests on my log files.

I don't know what domain they are trying to access. The log file is referring to the main website instead of what they are trying to access.

Here are the applications that are requesting the wpad.dat file

  • WinHttp-Autoproxy-Service/5.1
  • Microsoft Office 2014
  • Kaspersky Proxy-Server detection agent
  • Mozilla/5.0

This thread is related Being flooded by wpad.dat but there is no conclusive answer how to fix or at least block requests.

EDIT: I don't know what subdomain they are trying to access and apache reporting it is coming from the main website. The entries I added to the DNS are intelligent guesses, I don't have concrete proof on what they are accessing.

Community
  • 1
almar.io
  • 3
  • 4
  • Did you removed "Automatically detect settings" in the browser and be sure no DHCP option 252 exist. – yagmoth555 Oct 12 '16 at 14:03
  • If you don't know what hostnames are involved, start by figuring that out, if you want to stop it on the apache server. But I'd recommend that you turn off the valve at the start of the chain, by fixing whatever global policies are set to make clients try to download this file. – Jenny D Oct 12 '16 at 14:38

2 Answers2

1

Instead of setting up a DNS record pointing to 127.0.0.1, you should set up one that will be considered unresolvable. The easiest way to do that is to set up a TXT record for wpad.example.com, like this:

;name  ttl  class   rr     text
wpad        IN      TXT    "Located in a black hole"

This way, wpad.example.com will never resolve to any IP adress and the clients will not even try to download something.

Note that any DNS lookups which have already been made may have been cached, so that clients will continue to use the cached results. This means that a DNS change will not immediately take affect with all clients, but you should see a tapering off.

Jenny D
  • 27,358
  • 21
  • 74
  • 110
  • How would I know what subdomain the client is requesting? – almar.io Oct 12 '16 at 13:39
  • @almar.io The same way that you knew which hostnames to put in the /etc/hosts files you describe in your question? – Jenny D Oct 12 '16 at 13:40
  • I don't know what subdomain they are trying to access and apache is reporting that it is coming from the main website. The entries I added to the DNS are intelligent guesses, I don't have concrete proof on what they are accessing. – almar.io Oct 12 '16 at 13:42
  • That would have been good to know. Since you did mention specific hostnames in your post, I assumed that there was some actual evidence that those hostnames were involved. Sorry about that. – Jenny D Oct 12 '16 at 14:37
0

The best way to handle this is at a firewall and block the requests completely from ever hitting your web server, possibly using fail2ban or similar.

If this is not practical (for whatever reason), then catching it as early as possible on your web server server and redirecting it away before any disk I/O is done is the most efficient solution.

Here is the configuration I've used in the past to do this sort of thing. In this case I redirect the request to http://127.0.0.1/ via an external redirect which cause the users browser/script to either do nothing or make a request to itself.

RewriteEngine on
RewriteRule ^/wpad.dat$ http://127.0.0.1/ [R=301,L,E=nolog:1]

# Then if you wish to stop logging the requests
CustomLog logs/access_log combined env=!nolog

You should be able to customise this to your exact needs. But if youhave problems add a description to your question.

Unbeliever
  • 2,286
  • 1
  • 9
  • 17