1

I am running a Squid proxy server on my network which my computers connect through to access the internet. I have noticed several odd entries in the Squid access.log file around the same time every day, where it appears that some of my computers are connecting to some suspicious URLs using the HEAD method. Could this possibly be malicious? The strange thing is that if I try to access these URLs directly in my web browser, I get a "domain does not exist" error message. Below are two entries from the access.log file:

1459622257.968    272 my_ip_address TCP_MISS/503 368 HEAD http://davbktmzjytczu/ - DIRECT/davbktmzjytczu text/html
1459622257.975    276 my_ip_address TCP_MISS/503 368 HEAD http://ogkmqztbntzxcxf/ - DIRECT/ogkmqztbntzxcxf text/html
synthesis

1 Answer

4

This is just Google Chrome checking if your ISP is doing DNS hijacking. It checks if these random hostnames will resolve to some valid IP (i.e. hijacked to serve "helpful information", often with ads in it) or will be reported as unresolvable. Nothing to worry about. For more details see Chromes startup random DNS queries ... or Unusual HEAD requests to nonsense URLs from Chrome.

Steffen Ullrich
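To triage entries like the two in the question, the following added example (not part of the original question or answer) parses Squid native-format access.log lines and picks out bursts of HEAD requests to random single-label hostnames, separating the ones that failed to resolve from the ones that got an answer. The 7-15 lowercase-letter hostname pattern, the 5-second window and the two-host burst threshold are assumptions, and every sample line except the first two is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native format: time elapsed client code/status bytes method URL user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+[A-Z_]+/(?P<status>\d{3})\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+[A-Z_]+/\S+\s+\S+$"
)
PROBE_HOST_RE = re.compile(r"^[a-z]{7,15}$")  # assumption: one label, 7-15 letters
WINDOW = 5.0   # assumption: a client's probes arrive within this many seconds
MIN_HOSTS = 2  # assumption: two or more distinct random hosts make a burst

def candidates(lines):
    """Yield (ts, client, host, status) for HEAD requests to / on a probe-like host."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "HEAD":
            continue
        url = urlsplit(m["url"])
        host = url.hostname or ""
        if url.path in ("", "/") and PROBE_HOST_RE.match(host):
            yield float(m["ts"]), m["client"], host, m["status"]

def find_probes(lines):
    """Return [(client, host, verdict)] for candidates that occur in a burst."""
    by_client = defaultdict(list)
    for ts, client, host, status in candidates(lines):
        by_client[client].append((ts, host, status))
    out = []
    for client, hits in by_client.items():
        for ts, host, status in hits:
            near = {h for t, h, _ in hits if abs(t - ts) <= WINDOW}
            if len(near) >= MIN_HOSTS:
                # 503 (as in the question's log): the name did not resolve.
                # Any other status: the random name was answered; check the resolver.
                verdict = "unresolved" if status == "503" else "answered"
                out.append((client, host, verdict))
    return out

SAMPLE = [  # first two lines are from the question; the rest are constructed
    "1459622257.968    272 my_ip_address TCP_MISS/503 368 HEAD http://davbktmzjytczu/ - DIRECT/davbktmzjytczu text/html",
    "1459622257.975    276 my_ip_address TCP_MISS/503 368 HEAD http://ogkmqztbntzxcxf/ - DIRECT/ogkmqztbntzxcxf text/html",
    "1459622258.100    120 192.0.2.10 TCP_MISS/200 5120 GET http://example.com/index.html - DIRECT/192.0.2.80 text/html",
    "1459622300.000     80 192.0.2.11 TCP_MISS/200 300 HEAD http://intranet/ - DIRECT/192.0.2.50 text/html",
    "1459622400.100     90 192.0.2.12 TCP_MISS/200 410 HEAD http://xkqjvhwzpt/ - DIRECT/198.51.100.7 text/html",
    "1459622400.300     95 192.0.2.12 TCP_MISS/200 410 HEAD http://bnmwqrtyzlk/ - DIRECT/198.51.100.7 text/html",
]

if __name__ == "__main__":
    for row in find_probes(SAMPLE):
        print(row)
```

The burst requirement keeps a lone HEAD to a real single-label intranet name (the `intranet` line) out of the result; an "answered" verdict means random names are resolving, which is the condition the answer describes as DNS hijacking.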