FYI: Strange WPAD behavior with Windows 10
-
Hi.
I just wanted to note that we observed a really strange behavior with WPAD and Windows 10 1709/16299.192. Maybe it is of interest for somebody…
We are running our own proxy servers and use our internal WPAD (apache-based) server, no pfSense proxy (not yet).
While setting up proxy things on pfSense we observed the following on two Windows 10 machines and another newly installed Windows 10 client. To test the proxy on pfSense we manually configured the proxy in Windows 10 to be the pfSense machine. We disabled "automatic proxy" and enabled manual settings and put all IPs and ports into the dialog. After some time we see that the manual settings are deleted (empty) and the box for manual settings is disabled again. The "automatic proxy" setting is disabled, too, but the "automatic settings" are active again.
Using netmon we found out that an unknown process in Windows 10 queries the DNS server for wpad. After this process found the DNS record it gets the WPAD data and sets this data. On the newly installed machine we saw that this happens once you have ticked the "automatic" box, not before. Maybe there is a Windows 10 setting deep in the registry that is not properly handled/set/reset by Windows (or whatever).
Cheers!
demux. -
Are you sure that this isn't a domain policy being pushed down to the clients?
-
Absolutely sure. We don't use policies or any other sorts of enforcements. We tried to build our network around KISS.
I took a look at the trace I saved:
The process querying for the WPAD data got no name (is called "unavailable"), but the "GET /wpad.dat" packet says: "User-Agent: WinHttp-Autoproxy-Service/5.1". So I believe it is a std Windows process.
If you never set up proxy settings to be automatic, it does not query for wpad.dat (at least not within the first 2-3 hours after initial Win10 install - I did not wait any longer). It starts doing this after the first time you set up the proxy settings to be automatic. Windows initially gets the wpad.dat and then the proxy answers "304 Not Modified" for the following queries. And after each of these following queries for wpad.dat, "manual settings" are unchecked, "automatic settings" are unchecked, but wpad.dat settings are active again. And any data entered into the manual fields are cleared.
It may take 10 minutes or it may take 60 minutes for the following "GET /wpad.dat" to be sent. For me it looked like "all of a sudden someone asks for wpad.dat and resets my settings". At first I thought it would be time to do something else because I can't concentrate anymore…
The clean install of Windows 10 does not even have any AV software, which often does some sort of proxy stuff.
Maybe it has to do with a specific Windows version after lots of OS updates that come in after install. I have no clue...
I just wanted to let others know, because this drove me crazy. Maybe it's gone again with next Windows updates.
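An added example, not part of the thread: one way to confirm the pattern described above from the WPAD web server's side is to pull every `GET /wpad.dat` made with the `WinHttp-Autoproxy-Service` User-Agent out of the access log and list, per client, the response codes and the minutes between fetches. It assumes Apache's "combined" log format; the log lines, IP addresses and timestamps are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" format (not taken from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Feb/2018:09:00:05 +0100] "GET /wpad.dat HTTP/1.1" 200 412 "-" "WinHttp-Autoproxy-Service/5.1"
192.0.2.10 - - [12/Feb/2018:09:12:40 +0100] "GET /wpad.dat HTTP/1.1" 304 - "-" "WinHttp-Autoproxy-Service/5.1"
192.0.2.11 - - [12/Feb/2018:09:20:00 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Feb/2018:10:10:40 +0100] "GET /wpad.dat HTTP/1.1" 304 - "-" "WinHttp-Autoproxy-Service/5.1"
192.0.2.12 - - [12/Feb/2018:10:15:00 +0100] "GET /wpad.dat HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

# host ident user [time] "method path proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
AUTOPROXY_UA = "WinHttp-Autoproxy-Service"

def wpad_fetches(log_text):
    """Return {client_ip: [(timestamp, status), ...]} for autoproxy wpad.dat GETs."""
    fetches = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if m["method"] != "GET" or m["path"].split("?")[0] != "/wpad.dat":
            continue
        if not m["ua"].startswith(AUTOPROXY_UA):
            continue  # a browser fetching wpad.dat is a different code path
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        fetches[m["ip"]].append((ts, int(m["status"])))
    return fetches

def refetch_intervals(fetches):
    """Return {client_ip: [minutes between consecutive fetches]}."""
    out = {}
    for ip, events in fetches.items():
        times = sorted(t for t, _ in events)
        out[ip] = [round((b - a).total_seconds() / 60, 1) for a, b in zip(times, times[1:])]
    return out

if __name__ == "__main__":
    f = wpad_fetches(SAMPLE_LOG)
    for ip, gaps in refetch_intervals(f).items():
        statuses = [s for _, s in sorted(f[ip])]
        print(ip, "statuses:", statuses, "gaps (min):", gaps)
```

Matching these timestamps against the moments the manual proxy fields were cleared on a client shows whether each reset coincides with an autoproxy fetch.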