
Chrome connects to three random domains at startup - tbassetto
https://mikewest.org/2012/02/chrome-connects-to-three-random-domains-at-startup
======
subwindow
This has some interesting ramifications- some network security appliances (I
work for a company that makes one) look for suspicious sets of DNS requests
that match the Domain Generation Algorithms that malware like Conficker use to
find a command and control server.

These "random" requests look almost exactly the DGA for Murofet- a Zeus
variant. This has caused some problems for us (and other vendors, I would
assume) in the form of massive numbers of false positives. In short, it's been
kind of a PITA.

I wish they wouldn't do this, but it is definitely a tough problem to solve
and I can't think of a better approach off of the top of my head. The ultimate
culprit is the ISPs that return an A record for a DNS request that really
should return NXDOMAIN. These ISPs are essentially breaking the Internet, and
we're all just scrambling to put band-aids in place to get it to work again.

~~~
jsilence
This is a good reason not to stick to the DNS-resolver the ISP gives you with
DHCP, but to explicitly set it to a DNS resolver you trust.

Wondering why Chrome is not simply using the Google resolver on 8.8.8.8. Of
course this would yet be another band aid that breaks the internet even
further, when applications start implementing their own network stack.

~~~
st0p
We use chrome for internal apps. Forcing you to use 8.8.8.8 means our users
have to remember ip addresses instead of <http://nameofapplication/>

Not a problem for me, but I'm sure a lot of people would complain.

~~~
justincormack
Put your internal apps on real IP addresses with real DNS and just firewall
them?

~~~
st0p
So instead of having these machines in our serverroom inside our office, we'd
have to pay for using them in a data center and register URL's, only because
some ISP's use an insane way to handle NXDOMAIN? There are many valid reasons
to "go into the cloud", but this is not one of them.

~~~
justincormack
You can assign real ip addresses to machines in your server room, give them
dns, and firewall them externally. Just ask your isp for some addresses. There
is no reason why this is any different from using nat in security, but you can
use real dns. You can use ipv6 if you can't get ipv4 addresses.

~~~
jmathai
Or, the browser can just not default to name servers it deems best for
everyone and work how it's always worked: well.

This just seems like adding duck tape to a self-inflicted problem.

~~~
lmm
Non-publicly-routable addresses are a hack that will cause you nothing but
trouble, and are going away with IPv6, so you might as well move away from
them now.

(Not that having chrome use 8.8.8.8 is a good idea either. As is often the
case with hacks, either on its own works fine but the two interact poorly.)

~~~
jmathai
Not sure I agree that non-publicly-routable addresses are a hack. The ability
to run your own DNS server and having a firewall are pretty elegant components
of most networks.

That being said, it very well maybe time to find a better alternative :).

~~~
lmm
Firewalls have their place but should not be conflated with routing; the two
are separate, and treating them as the same can lead to confusion and broken
security.

As for DNS, it has a very elegant hierarchical delegation system, such that
organizations can control their own while also ensuring that all the world's
DNS servers give consistent answers (and if you need short names for your
internal systems on your own network, that's what search paths are for).

------
cydonian_monk
I noticed this two years ago, and eventually had to stop using Chrome (and
Chromium browsers) as it would result in my ISP blocking all DNS requests from
my IP (for a seemingly random amount of time). Even requests to public DNS
would fail. It took awhile to identify Chrome as the culprit, and I wasn't
convinced after seing the bogus DNS requests in TCP traps. So I started a
cycle of using/not using Chrome, and it became obvious.

The easy solution was to stop using Chrome. The hard solution was to move.
I've done both, but have yet to start using Chrome again.

~~~
kmm
I don't understand. Why would your ISP block your IP for bogus DNS requests?
And why are they monitoring your traffic to public DNS servers? I presume this
means they have to look at all traffic that goes over port 53. Is there a
security concern?

~~~
brandon
This is common practice if the queries appear to be originating from worms
like Conficker, etc. Others have reported that this behavior of Chrome's can
set off false IDS alarms for the same reason.

~~~
windsurfer
And it's also common practice to send all bad DNS queries to an ad-ridden
search page. Go figure.

------
kamechan
if you go to chrome://chrome-urls/ and then down to net-internals, you can get
a pretty transparent view of exactly what chrome is doing. plus there's a
bunch of other stuff there too.

~~~
junktest
chrome://net-internals/#dns

~~~
rhplus
It appears that Chrome aggressively prefetches DNS results for most of the
links in pages you visit too. It's quite strange to watch as DNS requested for
hundreds of domains you haven't even intended to visit start flowing past. The
first time I saw it I had to check that nothing unscrupulous was running on my
computer...

~~~
andrewcooke
that's configurable in preferences / under the hood / privacy (the
"prediction" option - see
[https://support.google.com/chrome/bin/answer.py?hl=en&an...](https://support.google.com/chrome/bin/answer.py?hl=en&answer=114836))

i have all those disabled and chrome still appears fast to me.

------
clsdaniel
Interesting, yesterday I moved to a local caching DNS server (much faster and
more reliable than what isp provided), however I forgot to set it to run at
start up, first thing I do today is try to get to my gmail account, everything
is working ok then I try to enter another site, dns lookup error, then I
remembered I had named turned off, which means that chrome may have hardcoded
google sites ip addresses or is caching them (which is less probable the other
site didn't work).

------
unseen
Neat feature. In my opinion, they should go even further and make use of the
information and inform the user, too:

"Your ISP (network administrator, ..) is intercepting and manipulating DNS
requests. Do you want to use Google DNS instead?"

Comes in real handy when we need to have a "DnsManipulationDetector" in the
future that checks if your DNS is actively censoring...

~~~
gioele
> "Your ISP (network administrator, ..) is intercepting and manipulating DNS
> requests. Do you want to use Google DNS instead?"

I would prefer

"Your ISP (network administrator, ..) is intercepting and manipulating DNS
requests. Do you want to install a local caching DNS server and use it
instead?"

Unbound [1] is a local DNS server that I have installed on all my machines.
Small, fast, security-oriented, IPv6, BSD, made by NLnet Labs.

[1] <http://unbound.net/>

~~~
lmm
So you'd install a local caching DNS server that only chrome would use... and
this is better than chrome doing its own DNS lookups how?

~~~
gioele
The grandparent said "use Google DNS" not "chrome doing its own DNS lookup".

If you use Google's DNS (or anybody's DNS) you are basically telling them
which sites your are visiting. If you have a local DNS resolver you will not
leak all that information to a single third party.

~~~
lmm
I don't understand. Your local DNS resolver still needs an upstream; either
that is your existing broken DNS server, or it's google's DNS server; in
either case we're back where we were. Sure, your local DNS resolver could do
some caching, but so could chrome; and a local resolver doesn't combine your
lookups with those of your neighbours, so you don't get any privacy advantage
that way either.

~~~
gioele
> I don't understand. Your local DNS resolver still needs an upstream

No, not a single upstream.

When my browser asks my server on 127.0.0.1 to lookup news.ycombinator.com it
will first contact the root DNS server, then `com` DNS server, then then
`ycombinator.com` DNS server. Who knows about the fact that I was looking for
`news.ycombinator.com`? only the `ycombinator.com` DNS server. Who knows about
the fact that I was looking for `ycombinator.com`? only the `com` DNS server.
Now I go to slashdot.org. Who will know about that? Only the `org` DNS server.
If you use the Google DNS, Google will know that you requested both
`news.ycombinator.com` and `slashdot.org`. Do you want them or any single
company to have all these information?

Obviously you need an upstream, an authoritative server somewhere. But why do
you need to concentrate all these requests on a single DNS server? ISP are
actively tracking users and, probably, selling their DNS histories to
advertiser. Nominum (makers of a widespread DNS server) is quite explicit
about it: «Data gathering and measurement are a vital part of network
operations and DNS data represents a rich vein to be mined that has been
underutilized in the past». [1]

[1] <http://www.nominum.com/technology/analytics>

~~~
lmm
So you'd contact the root server directly? If that's really desirable behavior
(and I suspect it isn't), why not just make chrome query the root servers and
walk the hierarchy, not using a DNS server at all?

------
iRobot
.. and a really great reason for using open source programs

~~~
basugasubaku
I'm not sure what you meant by that, but the article does in fact link to the
relevant source:

[http://code.google.com/codesearch#OAMlx_jo-
ck/src/chrome/bro...](http://code.google.com/codesearch#OAMlx_jo-
ck/src/chrome/browser/intranet_redirect_detector.cc&l=78)

~~~
skeletonjelly
That might have been his point - that we were able to find out the reasons why
because of it's open source.

------
fourstar
No wonder I've been seeing youporn.com in my history.

------
senthilnayagam
I know one thing chrome leaks memory badly in OSX lion, not sure if these
magic things happening in background has something to do with it

