4

Noticed an interesting thing whilst debugging one of my WebSocket applications: Google Chrome will push out 3 HTTP requests upon a network connection status changing:

Quite disconcerting and looks almost as if some malware is checking out to a random server.

I don't quite understand the why though since they all return a 502 or have no response code at all since the destination does not exist.

On Disconnect:

Connection Down

Reconnect:

Connection Up

I guess the main question is: is this normal, and what is the use? How come they wouldn't go for a DNS lookup that actually exists?

  • 1
    *How come they wouldn't go for a DNS lookup that actually exists?* Actually exists relative to who? Relative to my PC? `zcpluzmxwt` probably won't get anywhere. Relative to your malware-riddled box? `zcpluzmxwt` is probably in your `hosts` file. – ta.speot.is Apr 08 '12 at 09:37
  • @ta.speot.is nothing in there looks anything like the above; like I said, it's only when Chrome is running that these requests are seen. – cillierscharl Apr 08 '12 at 09:42
  • Thanks for the comment though, @ta.speot.is; seems the worst is always the first option. – cillierscharl Apr 08 '12 at 11:41

2 Answers

7

As I remember, this is a special feature of Chrome. This feature is used to help detect whether your provider specially processes invalid DNS entries. Chromium bug tracker - latest message

crea7or
  • 949
  • 4
  • 12
0

It looks alarming but is apparently normal and intended behaviour in Chrome.

In order to use the address/location bar for searches and not just URLs, Chrome needs to check that the entered text isn't a valid domain before it can treat it as a search term. However, some ISPs serve advertising pages in response to non-existent domains (DNS hijacking), which would make it appear that every domain exists! To test for this, Chrome will query some random, likely bogus single-word domains and see if they map to the same IP address. If they do, Chrome can assume that the upstream ISP is performing DNS hijacking.

See also Chrome: DNS requests with random DNS names: malware?, Chromium issue 47262

screwtop
  • 103
  • 4
  • Wouldn’t say it’s harmless. If they can redirect you when you are attempting to view a domain that doesn’t exist, they can redirect you when a domain does exist – Ramhound Apr 17 '20 at 04:48
  • @Ramhound Certainly DNS hijacking in general is far from harmless, but the original question seemed to be asking specifically about Chrome's unusual behaviour. I'll see if I can reword the answer better. – screwtop Apr 20 '20 at 05:52
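
The check described in the answer above, as an added example that is not part of the original posts and not Chromium's own code: resolve a few random single-word names and compare the answers. The function names, the "inconclusive" verdict and the stand-in resolvers are assumptions made for illustration; the resolvers are constructed so the example runs offline.

```python
import secrets
import string

def random_label(length=10):
    """Random lowercase single-word hostname, like `zcpluzmxwt` in the question."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))

def detect_nxdomain_hijack(resolve, probes=3):
    """Probe `probes` random names and classify the resolver's behaviour.

    `resolve(name)` must return a set of IP strings, empty for NXDOMAIN/failure.
    Returns (verdict, answers) where verdict is "clean", "hijacked" or
    "inconclusive" and answers is a list of (name, frozenset_of_ips).
    """
    answers = []
    for _ in range(probes):
        name = random_label()
        answers.append((name, frozenset(resolve(name))))
    resolved = [ips for _, ips in answers if ips]
    if not resolved:
        return "clean", answers          # every bogus name failed, as it should
    if len(resolved) == probes and len(set(resolved)) == 1:
        return "hijacked", answers       # all bogus names map to the same address
    return "inconclusive", answers       # partial or differing answers (assumed category)

# Constructed stand-ins for a DNS resolver (hypothetical data, no network access).
KNOWN = {"example.com": {"93.184.216.34"}}

def honest_resolver(name):
    # Unknown names yield no answer, i.e. a proper NXDOMAIN.
    return KNOWN.get(name, set())

def hijacking_resolver(name):
    # Unknown names are answered with one advertising host (documentation range).
    return KNOWN.get(name, {"203.0.113.10"})

if __name__ == "__main__":
    for label, resolver in (("honest", honest_resolver),
                            ("hijacking", hijacking_resolver)):
        verdict, answers = detect_nxdomain_hijack(resolver)
        print(label, "->", verdict)
        for name, ips in answers:
            print("   ", name, sorted(ips) or "NXDOMAIN")
```

To test a live resolver, pass a function that wraps `socket.getaddrinfo` and returns an empty set on `socket.gaierror`.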