
Noob Question: How can I trace which process/whatever is making a specific DNS request?


Deepshark

New Around Here
Hello,

I recently got some time and money to start my journey with an Asus with Merlinwrt in it and started exploring choices to replace my DNS. I was checking many options but finally, as a test, I decided to go with NextDNS as it was quick and easy.
Until then... all was ok.

Until I checked NextDNS's logs and found that there was an A call to a domain from my computer belonging to my company. This is a personal computer where I was basically forced to install a VPN software from my company at the beginning of the pandemic. I never liked the idea but doing some tests I saw in practice it only seems to en-route through the company's intranet. Even so, since I really don't trust the IT guys I shut down the service most of the time and disable the local network and have the app terminated, of course.
I thought I was ok but... doesn't seem so. My PC is making calls to the wpad. address of two domains from my company and I don't like this at all.
I don't have the expertise of why this is happening nor what it implies but I am feeling deeply uncomfortable since I discovered it.

For now I have blocked these calls and did some overall cleaning and checking of the system but didn't get to remove the calls, my only option being removing the VPN software, but since I need to use it for work that is not an option. That said, I don't even know if this is the process making the calls.
I need to know.
I need to know what process is calling that domain and am... defenseless. I tried to use Wireshark and other software but am too much of a noob to take out anything from it.

Can anybody please guide me how to get the info am looking for?
Treat me like a granny learning to send an e-mail, please, am truly a noob when it comes to packet tracing and all that.
 
Is this your own personal PC that you've installed the VPN client on or a PC supplied by the company?

The wpad query comes from your web browser looking for a company proxy server. Go to Control Panel > Internet options > Connections > LAN settings > Automatically detect settings.

What version of Windows are you using?
 
My own personal PC, that's why am not happy with this at all... I expect stuff to go on in a company PC but not on my own, especially when our VPN is specifically used for remote desktop use.
Am using Win 10 21H1 and checked Automatically detect settings... will check if the DNS request keeps happening. Thanks
 
I can confirm that after checking it (it was unchecked, I think I unchecked through the modern control panel the day before) the calls are still happening.
No proxy settings in Firefox, changed the options in Edge too... mh
 
I can confirm that after checking it ...
"Automatically detect settings" needs to be unchecked to stop the wpad queries.

Regardless of that setting the wpad query should never be reaching NextDNS. So that would indicate that your DNS setup is incorrect.

From the Windows command prompt what is the complete output of this command: ipconfig /all

On the router make sure WAN > Internet Connection > Forward local domain queries to upstream DNS is set to No.

Also check that you have a sensible name set at LAN > LAN IP > Domain Name.
 
Mh... I have found something that was not here before.

'Windows IP Configuration', with the two company wpad domains set as DNS.
I found that in the advanced configuration of my ethernet I had these two domains as appended DNS suffixes.

Not sure what to take out of this but... removing it right away. Will need to check next time I work if these DNS suffixes got added again
Thanks!
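
One way to answer the thread's original question (which process issued the wpad lookups) on Windows 10, as an added example that is not part of the original posts: it reads event ID 3006 from the DNS Client operational log, which records the queried name and the PID of the calling process, then lists the DNS suffixes the thread found to be the cause. Assumptions: an elevated PowerShell prompt, and the search pattern `wpad` taken from the thread.

```powershell
# Added example: map DNS queries for a given name to the process that made them.
# Run from an elevated PowerShell prompt.
$logName = 'Microsoft-Windows-DNS-Client/Operational'
$pattern = 'wpad'   # substring to look for in the queried name (from the thread)

# The DNS Client operational log is disabled by default; enable it first.
$log = Get-WinEvent -ListLog $logName
if (-not $log.IsEnabled) {
    wevtutil.exe set-log $logName /enabled:true
    Write-Host "Enabled $logName. Wait for the query to recur, then run this again."
    return
}

# Event 3006 = "DNS query is called for the name ...". The event's ProcessId
# is the PID of the process that asked the DNS client for the name.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 3006 } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $name = ($data | Where-Object { $_.Name -eq 'QueryName' }).'#text'
    if ($name -like "*$pattern*") {
        # The process may have exited since the query; PIDs can also be reused.
        $proc = Get-Process -Id $e.ProcessId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Time      = $e.TimeCreated
            QueryName = $name
            ProcessId = $e.ProcessId
            Process   = if ($proc) { $proc.ProcessName } else { '(exited)' }
            Path      = if ($proc) { $proc.Path } else { $null }
        }
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize

# The cause found in the thread: DNS suffixes appended to short names such as
# "wpad". Show the global search list and the per-adapter suffixes.
Get-DnsClientGlobalSetting | Select-Object SuffixSearchList
Get-DnsClient | Select-Object InterfaceAlias, ConnectionSpecificSuffix
```

If the PID resolves to `svchost`, `tasklist /svc /fi "PID eq <pid>"` shows which services that host is running.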
 