Subject: WPAD/Auto-proxy discovery causing Dolphin/KIO freezes & desktop “hangs” on Tumbleweed — please consider safer defaults

English Applications
1

Hi all,

I’m running openSUSE Tumbleweed (KDE/Plasma) and I keep hitting a really nasty stability issue that appears related to WPAD / “auto proxy discovery” in KDE (KIO/Dolphin).

What happens

At random times (often during normal file browsing), Dolphin becomes unresponsive, and the whole desktop feels like it’s “freezing” (UI stalls, laggy input). It’s not a full kernel lockup, but the session becomes unstable until the proxy/WPAD path stops blocking.

This is especially reproducible when Dolphin touches anything network-related (e.g. network:/ in the side panel, SMB discovery, etc.), or even when it just initializes KIO services.

Strong suspicion: WPAD DNS + KIO blocking

In my diagnostics, the freeze correlates with attempts to fetch:

  • http://wpad/wpad.dat

When WPAD is enabled, I see failures like:

  • curl: (6) Could not resolve host: wpad

…and it looks like KIO (or a related component) can end up waiting on DNS / proxy discovery in a way that blocks UI responsiveness.

At one point, running a network diagnostic script actually “fixed” the freeze immediately — likely because it triggered a DNS/negative-cache behavior, so subsequent WPAD lookups returned quickly and stopped blocking.

Example logs / observations

  • curl -I --max-time 3 http://wpad/wpad.datCould not resolve host: wpad
  • After that, Dolphin/KDE becomes responsive again.
  • In a later test, I confirmed there was nothing listening on port 80, so it’s not a local web server issue.
  • The behavior seems to vary depending on whether wpad resolves fast or times out.

Workarounds I had to do

  1. Disable WPAD/auto proxy in KDE settings
    System Settings → Network → Proxy → set No Proxy (disable automatic/WPAD).
  2. Hard block wpad to avoid DNS timeouts
    Adding to /etc/hosts:
  • 0.0.0.0 wpad
  • ::1 wpad
  1. I also discovered a related problem: my ~/.config had wrong permissions (not writable), so KDE couldn’t save proxy settings properly. That made it extra painful because the proxy configuration would not persist.

Why I’m posting

I think the default behavior and/or the implementation path is too fragile:

  • A single misconfigured network or DNS environment can lead to UI stalls (and it feels like “system freeze” to end users).
  • WPAD is often not needed on home networks and can be a security/compatibility footgun.
  • Even if WPAD is enabled, a failure to resolve/fetch should be handled asynchronously and non-blocking, with strict timeouts, and never in a way that blocks Dolphin/KIO UI.

Suggestion

Could we consider:

  • Safer KDE defaults on Tumbleweed (e.g. disable WPAD by default, or make it opt-in), or
  • Ensure WPAD discovery in KIO/KDE proxy handling is non-blocking with hard timeouts/retries, and doesn’t freeze Dolphin or the session.

If needed I can provide my netdiag bundles and more detailed traces. I’d also appreciate pointers on where best to file this (KDE upstream vs openSUSE bugzilla, which component: kio / kio-extras / plasma-nm / systemsettings?).

Thanks for looking into it — right now WPAD can seriously impact stability on a fully updated Tumbleweed KDE desktop.

If you want, I can tailor this post to include your exact Tumbleweed kernel/Plasma versions (from uname -a, plasmashell --version) and a short “Steps to reproduce” section that forum maintainers usually like.

netdiag.sh

#!/usr/bin/env bash
set -u

TS=“$(date +%Y%m%d_%H%M%S)”
LOGDIR=“$HOME/netdiag_$TS”
mkdir -p “$LOGDIR”

wszystko co idzie na stdout/stderr zapisuj do pliku + pokazuj w terminalu

exec > >(tee -a “$LOGDIR/diag.txt”) 2>&1

echo “=== netdiag start: $TS ===”
echo “LOGDIR=$LOGDIR”
echo

echo “## System”
uname -a || true
cat /etc/os-release 2>/dev/null || true
date || true
echo

echo “## Sieć: interfejsy / trasy”
ip a || true
echo
ip r || true
echo

domyślny interfejs

IFACE=“$(ip route get 1.1.1.1 2>/dev/null | awk ‘{for(i=1;i<=NF;i++) if($i==“dev”){print $(i+1); exit}}’)”
echo “Default IFACE=${IFACE:-}”
echo

echo “## DNS (systemd-resolved / resolvectl)”
resolvectl status || true
echo
cat /etc/resolv.conf 2>/dev/null || true
echo

echo “## NetworkManager (jeśli jest)”
nmcli -v 2>/dev/null || true
echo
nmcli general status 2>/dev/null || true
echo
nmcli connection show --active 2>/dev/null || true
echo
nmcli dev show 2>/dev/null | sed -n ‘1,220p’ || true
echo

echo “## Proxy / WPAD (środowisko + szybki test pobrania PAC)”
env | grep -iE ‘http_proxy|https_proxy|all_proxy|no_proxy’ || true
echo

WPAD test (jeśli w sieci działa WPAD, to to często zdradza problem bez VPN)

curl -m 5 -sv http://wpad/wpad.dat -o “$LOGDIR/wpad.dat” 2>“$LOGDIR/wpad_curl_stderr.txt” || true
echo “WPAD curl stderr zapisany: $LOGDIR/wpad_curl_stderr.txt”
echo “WPAD dat (jeśli pobrano): $LOGDIR/wpad.dat”
echo

echo “## Testy podstawowe: IP vs DNS”
ping -c 2 1.1.1.1 || true
ping -c 2 8.8.8.8 || true
ping -c 2 example.com || true
echo

echo “## Testy DNS: porównanie resolverów (router vs 1.1.1.1 vs 8.8.8.8)”

losowa subdomena example.com powinna dać NXDOMAIN (jeśli nie, może być DNS hijack / “search assist”)

RAND=“$(tr -dc a-z0-9 </dev/urandom | head -c 12)”
echo “Random host: $RAND.example.com

if command -v dig >/dev/null 2>&1; then
dig +time=2 +tries=1 example.com || true
dig +time=2 +tries=1 @1.1.1.1 example.com || true
dig +time=2 +tries=1 @8.8.8.8 example.com || true
echo
dig +time=2 +tries=1 “$RAND.example.com” || true
dig +time=2 +tries=1 @1.1.1.1 “$RAND.example.com” || true
dig +time=2 +tries=1 @8.8.8.8 “$RAND.example.com” || true
elif command -v drill >/dev/null 2>&1; then
drill example.com || true
drill @1.1.1.1 example.com || true
drill @8.8.8.8 example.com || true
echo
drill “$RAND.example.com” || true
else
echo “Brak dig/drill. Zainstaluj np. ‘bind-utils’ (dig) lub ‘ldns’ (drill).”
fi
echo

echo “## Trasa (czy bez VPN idzie inaczej)”
command -v traceroute >/dev/null 2>&1 && traceroute -n -m 12 1.1.1.1 || true
command -v traceroute >/dev/null 2>&1 && traceroute -n -m 12 example.com || true
echo

echo “## Nasłuch lokalny (czy coś słucha na portach) — zapis do pliku”
sudo ss -tulpn > “$LOGDIR/ss_listening.txt” 2>“$LOGDIR/ss_err.txt” || true
echo “ss: $LOGDIR/ss_listening.txt (err: $LOGDIR/ss_err.txt)”
echo

echo “## Logi usług (boot bieżący) — do plików”
sudo journalctl -b -u NetworkManager > “$LOGDIR/journal_NetworkManager.txt” 2>/dev/null || true
sudo journalctl -b -u systemd-resolved > “$LOGDIR/journal_resolved.txt” 2>/dev/null || true
echo “journal: $LOGDIR/journal_NetworkManager.txt, $LOGDIR/journal_resolved.txt”
echo

echo “## (Opcjonalnie) Przechwyt DNS tylko na porcie 53/5353 do PCAP (60s)”
if [[ -n “${IFACE:-}” ]] && command -v tcpdump >/dev/null 2>&1; then
echo “Start tcpdump 60s → $LOGDIR/dns_60s.pcap”
sudo timeout 60s tcpdump -i “$IFACE” -n -s 0 -w “$LOGDIR/dns_60s.pcap”
‘(udp port 53 or tcp port 53 or udp port 5353)’
2> “$LOGDIR/tcpdump_err.txt” || true
echo “tcpdump err: $LOGDIR/tcpdump_err.txt”
else
echo “Pomijam tcpdump (brak IFACE lub tcpdump).”
fi

echo
echo “=== netdiag done ===”
echo “Wyniki w: $LOGDIR”

2

This is the openSUSE user forum. For sugestions/bugreports you need to file a bug at https://bugzilla.opensuse.org/ or at upstream when you want a permanent solution.

Also next time please use preformatted text tags </> in the forum editor to keep terminal output/config files readable.

To provide terminal ouput in english, prepend LANG=C to the command .

1 Like