133

I recently set up NextDNS on my personal devices to further reduce the amount of tracking and ads I'm exposed to. The service comes with built-in analytics that shows a brief overview of your network activity.

Most of the top hits are uninteresting, however there's one domain I couldn't figure out:

Overview of DNS statistics

What's the domain fhepfcelehfcepfffacacacacacacabn?
The seemingly random string gives roughly two pages of Google results, but none of them seem to hold any useful information.

The log table says the entry is a DNS record of type NIMLOC, but that seems like another dead end inquiry-wise.

Etheryte

  • For more background information, I'm a developer, hence the localhost entries. I also have a number of Chrome extensions, although I can't find a way to confirm nor deny whether they're linked to the domain. – Etheryte Mar 29 '20 at 14:16
  • (16 votes) That string also shows up in Google results in a wireshark log posted in 2009, related to a samba bug ( https://bugzilla.samba.org/attachment.cgi?id=4050&action=edit ). So that string is probably not random, it probably means or refers to something. – reed Mar 29 '20 at 14:38
  • (3 votes) It appears to be some message of NETBIOS Protocol, and maybe your analyser is working on a packet inspection level and picking it as a domain, either ways, this is more of a networking question, check this link: https://www.elitepvpers.com/forum/sro-private-server/1982541-discussion-theory-about-recent-ddos-attacks-4.html – Eibo Mar 29 '20 at 16:15
  • I'm not sure what this has to do with information security? – Conor Mancone Mar 29 '20 at 21:14
  • (6 votes) @ConorMancone At first, I suspected this to be requests from rogue software or something else of the kind installed on my system, especially given the garbage domain. Further inquiry revealed this was not the case. – Etheryte Mar 29 '20 at 22:55
  • I'd add the device type to the tags (your comment under Miles' answer appears to indicate a Mac). – Peter - Reinstate Monica Mar 31 '20 at 13:24
  • Do you have a cat that likes to sit on keyboards? – bta Mar 31 '20 at 17:30
  • @Peter-ReinstateMonica Good idea, does the tag I added suffice? – Etheryte Apr 01 '20 at 11:23

2 Answers

253

That domain is an encoded form of the string "WORKGROUP". It is using a variant of hex encoding that uses the letters A-P, instead of the numbers 0-9 followed by A-F.

```sh
$ echo fhepfcelehfcepfffacacacacacacabn |
  tr a-p 0-9a-f |
  xxd -r -p |
  xxd
00000000: 574f 524b 4752 4f55 5020 2020 2020 201d  WORKGROUP      .
```

This appears to be a NetBIOS name, which is why it's padded with spaces to 15 ASCII characters, and then followed by a different character at the end as a suffix. The hex encoding is described in the NetBIOS-over-TCP/UDP Concepts RFC, called "first level encoding". Also, NetBIOS uses DNS record type ID 32 for its "name service" packets; that ID was later allocated to NIMLOC (ref), which explains that part of the log. However I'm not sure exactly what software on your machine is making this DNS query; if you're using Windows, it seems likely to be something at the OS level.

I don't believe the answer from NextDNS support is correct here about the source of this particular query—it is probably not coming from Chrome.

Miles

  • (6 votes) Oh, this is super interesting, and a way more revealing than the original answer by the support. How did you figure the letter switch out? – Etheryte Mar 30 '20 at 11:11
  • (39 votes) Just a hunch. That repeated `CA` pattern looked suspicious, and there were no letters from the end of the alphabet; those things to me suggested an alternate hex encoding. – Miles Mar 30 '20 at 11:16
  • (8 votes) I left Wireshark recording and the log entries indeed coincide with [NBNS](https://wiki.wireshark.org/NetBIOS/NBNS) requests on port 137. The source of the requests was `usr/sbin/netbiosd`, which is turned on out-of-the-box on Macs. – Etheryte Mar 30 '20 at 15:30
  • (16 votes) This looks like a typical answer on https://puzzling.stackexchange.com – mafu Mar 31 '20 at 09:00
  • I would note that control character 0x1d is GS, Group Separator. – David Conrad Mar 31 '20 at 14:30
  • (5 votes) @DavidConrad While true, it doesn't have that meaning in this context; see [the section of the NetBIOS Wikipedia page about suffixes](https://en.wikipedia.org/wiki/NetBIOS#NetBIOS_Suffixes). – Miles Mar 31 '20 at 17:45
  • @Miles Ah, interesting, thank you. – David Conrad Mar 31 '20 at 20:40
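The "first level encoding" from the answer above, worked through in Python as an added example (not code from the original post): it decodes a 32-character A-P label back into the 15-byte NetBIOS name plus its suffix byte, encodes in the other direction, and flags which DNS query names in a log are NetBIOS names at all. The suffix table is the standard NetBIOS suffix list and is assumed here, not taken from the page.

```python
# NetBIOS first-level encoding (RFC 1001 section 14.1): each of the 16 name
# bytes is split into two nibbles and each nibble is written as 'A' + nibble,
# so a NetBIOS name always becomes a 32-character label drawn from A-P only.
NB_ALPHABET = "ABCDEFGHIJKLMNOP"   # nibble 0x0..0xF -> 'A'..'P'

# Well-known values of the 16th (suffix) byte; assumed standard NetBIOS
# suffixes, not listed on the page.
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}


def is_first_level_label(label: str) -> bool:
    """True if a DNS label has the exact shape of an encoded NetBIOS name."""
    return len(label) == 32 and all(c in NB_ALPHABET for c in label.upper())


def decode_first_level(label: str) -> bytes:
    """Turn a 32-char A-P label back into the 16 raw NetBIOS name bytes."""
    if not is_first_level_label(label):
        raise ValueError("not a first-level-encoded NetBIOS label: %r" % label)
    up = label.upper()   # queries arrive lowercase; DNS is case-insensitive
    return bytes((NB_ALPHABET.index(up[i]) << 4) | NB_ALPHABET.index(up[i + 1])
                 for i in range(0, 32, 2))


def encode_first_level(name: str, suffix: int) -> str:
    """Pad NAME with spaces to 15 bytes, append SUFFIX, emit two A-P chars per byte."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return "".join(NB_ALPHABET[b >> 4] + NB_ALPHABET[b & 0x0F] for b in raw)


def describe(label: str):
    """Return (name, suffix byte, suffix meaning) for one encoded query label."""
    raw = decode_first_level(label)
    name = raw[:15].decode("ascii", "replace").rstrip(" ")
    return name, raw[15], SUFFIXES.get(raw[15], "unknown suffix")


if __name__ == "__main__":
    # Constructed sample of query names; the first is the one from the question.
    for qname in ("fhepfcelehfcepfffacacacacacacabn", "www.example.com"):
        if is_first_level_label(qname):
            print(qname, "->", describe(qname))
        else:
            print(qname, "-> ordinary DNS name")
```

Run against a DNS log export, `is_first_level_label` separates NetBIOS name-service queries from real hostnames, and the suffix tells you which NetBIOS role (here 0x1D, Master Browser) the host was looking for.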
35

Update: This answer by Miles is a better insight; the explanation given by NextDNS support seems wrong.

I contacted NextDNS support asking for more details and they said this is Google Chrome testing internet connectivity.

Knowing where to look, I found numerous references for the same behavior: This article from 2012 discusses the mechanics with similar jumbled domains, albeit shorter strings. This Chromium ticket from 2010 reports a bug in the related behavior and also shows similar garbage domains.

In conclusion, this seems safe, albeit unexpected.

Etheryte

  • (10 votes) Doesn't seem safe to me. Seems ripe for hacking. – LabGecko Mar 29 '20 at 23:24
  • (3 votes) @LabGecko Well that probably depends to a large extent on what (if anything) gets done with the DNS response after it comes back to the phone. – David Z Mar 29 '20 at 23:53
  • It seems likely that if it's Chrome then others should be able to reproduce. I would expect that the random domains are unique to users, this may be of interest to privacy-concerned users. – shanecandoit Apr 01 '20 at 22:34