I have noticed unusual traffic coming from my workstation the last couple of days. I am seeing HEAD requests sent to random character URLs, usually three or four within a second, and they appear to be coming from my Chrome browser. The requests repeat only three or four times a day, but I have not identified a particular pattern. The URL characters are different for each request.

Here is an example of the request as recorded by Fiddler 2:

HEAD http://xqwvykjfei/ HTTP/1.1
Host: xqwvykjfei
Proxy-Connection: keep-alive
Content-Length: 0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

The response to this request is as follows:

HTTP/1.1 502 Fiddler - DNS Lookup Failed
Content-Type: text/html
Connection: close
Timestamp: 08:15:45.283

Fiddler: DNS Lookup for xqwvykjfei failed. No such host is known

I have been unable to find any information through Google searches related to this issue. I do not remember seeing this kind of traffic before late last week, but it may be that I just missed it before. The one modification I made to my system last week that was unusual was adding the Delicious add-in/extension to both IE and Chrome. I have since removed both of these, but am still seeing the traffic. I have run virus scan (Trend Micro) and HiJackThis looking for malicious code, but I have not found any.

I would appreciate any help tracking down the source of the requests, so I can determine if they are benign, or indicative of a bigger problem. Thanks.


3 Answers

This is actually legitimate behaviour. Some ISPs improperly respond to DNS queries for non-existent domains with an A record pointing to a page that they control, usually with advertising, as a "did you mean?" kind of thing, instead of passing NXDOMAIN as the RFC requires. To combat this, Chrome makes several HEAD requests to domains which cannot exist to check how the DNS servers resolve them. If they return A records, Chrome knows to perform a search query for the host instead of obeying the DNS record, so that you are not affected by the ISP's improper behaviour. [1]

  • Good answer, I think this is great as my ISP does this for business class. +1 – Jacob Feb 14 '11 at 16:12
  • @Jacob: Almost always, in my experience anyway, if you call up business support and kick and scream for a while, they'll give you another set of upstream DNS servers that don't have that "feature" enabled. I know that Verizon and One Communications both have alternate servers, though they go out of their way not to advertise them. – Scrivener Feb 14 '11 at 16:33
  • Really? Because I called Verizon to complain that I have servers and that my website requires NS lookups, and they said something close to "too bad". – Jacob Feb 14 '11 at 16:50
  • I'm glad to find out this is not some strange infestation on my machine. Thanks for the informative answer. – JeremyDWill Feb 14 '11 at 18:46
  • @Jacob: You didn't hear this from me, and it might not be the same for you as it was for me, but... changing the last octet of the DNS server from .12 to .14 removes the "DNS assistance feature". – Scrivener Feb 14 '11 at 19:29
  • Nice one. I asked about this on superuser.com and got the answer "d00d u got a infection" (I paraphrase). – mackenir Mar 10 '11 at 17:46
  • It would be nice if that was documented. Like, really nice. – chiggsy May 08 '11 at 17:34
  • Would have been much nicer of them to embed chrome_dns_test in the URL. To the pessimistic, it looks like a virus ping. – crokusek Sep 10 '14 at 22:06
  • Google's public DNS servers are free to use and easy to remember: 8.8.8.8 & 8.8.4.4. – SineSwiper Dec 16 '15 at 23:51
  • I have seen this too, but with Fiddler configured to capture non-browser traffic only, which I assume means it was not Chrome. – chrisb Jan 20 '17 at 08:25
  • As of now, Verizon documents the servers that can be used to circumvent the hijacking officially in their own knowledge base: [Opt Out of DNS Assistance](https://www.verizon.com/support/residential/internet/home-network/settings/opt-out-of-dns-assist). – Daniel Saner Feb 05 '20 at 13:17
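The probe-and-compare logic the accepted answer describes, written out as an added example so you can run the same check yourself against your own resolver. This is not Chrome's code and not from the original page: the 7-15 letter label length, the three probes and the rule that at least two probes must resolve to the same address before the resolver is called a hijacker are assumptions made here (the agreement rule guards against a single wildcard match under a local DNS search suffix); Chrome's exact parameters may differ. The stand-in resolvers and the 192.0.2.x addresses are constructed so the script runs offline.

```python
"""Detect NXDOMAIN hijacking by resolving random names that cannot exist.

Added example; not Chrome's implementation. Probe count, label lengths and the
two-probes-agree rule are assumptions chosen for this script.
"""

import random
import socket
import string
from collections import Counter
from typing import Callable, Dict, Optional

# A resolver maps a hostname to an IPv4 address string, or None for NXDOMAIN/failure.
Resolver = Callable[[str], Optional[str]]

# Constructed landing-page address for the fake hijacking resolver below
# (192.0.2.0/24 is the RFC 5737 documentation range, not a real ISP address).
HIJACK_IP = "192.0.2.53"


def random_hostname(rng: random.Random, min_len: int = 7, max_len: int = 15) -> str:
    """Build a random all-letter, single-label hostname (assumed length range).

    No dots and no TLD means an honest resolver must answer NXDOMAIN for it.
    """
    length = rng.randint(min_len, max_len)
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def system_resolver(hostname: str) -> Optional[str]:
    """Ask the OS resolver; NXDOMAIN or any lookup failure becomes None."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def detect_nxdomain_hijack(resolver: Resolver, probes: int = 3,
                           seed: Optional[int] = None) -> Dict[str, object]:
    """Resolve `probes` distinct random non-existent names through `resolver`.

    Returns a dict with:
      hijacked    - True if at least two probes resolved to the same address
      redirect_ip - that address (the ISP's "did you mean?" page), or None
      answers     - raw per-hostname results, useful for logging
    """
    rng = random.Random(seed)
    answers: Dict[str, Optional[str]] = {}
    while len(answers) < probes:
        host = random_hostname(rng)
        answers[host] = resolver(host)

    resolved = [ip for ip in answers.values() if ip is not None]
    if not resolved:
        return {"hijacked": False, "redirect_ip": None, "answers": answers}

    # A hijacking resolver hands back one fixed landing-page address for every
    # bogus name. Requiring two probes to agree avoids a false positive when a
    # single probe matches a wildcard record under a local search suffix.
    ip, count = Counter(resolved).most_common(1)[0]
    hijacked = count >= 2
    return {"hijacked": hijacked,
            "redirect_ip": ip if hijacked else None,
            "answers": answers}


# Constructed stand-in resolvers so the example runs offline.
def honest_resolver(hostname: str) -> Optional[str]:
    """RFC-compliant behaviour: NXDOMAIN for every random name."""
    return None


def hijacking_resolver(hostname: str) -> Optional[str]:
    """'DNS Assistance' behaviour: every random name gets the same A record."""
    return HIJACK_IP


class SingleWildcardResolver:
    """Answers only the first query, standing in for one stray wildcard match
    under a local search suffix. Must not be reported as hijacking."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, hostname: str) -> Optional[str]:
        self.calls += 1
        return "192.0.2.10" if self.calls == 1 else None


if __name__ == "__main__":
    for name, r in [("honest", honest_resolver), ("hijacking", hijacking_resolver),
                    ("single wildcard", SingleWildcardResolver())]:
        print(name, detect_nxdomain_hijack(r, seed=1))
    # Against your real resolver: print(detect_nxdomain_hijack(system_resolver))
```

To test your own ISP, pass `system_resolver` instead of a stand-in; a `redirect_ip` in the result is the address of the landing page the ISP is substituting for NXDOMAIN. Note that when a proxy such as Fiddler is in the path, as in the question, the name lookup happens at the proxy, which is why the capture shows a 502 from Fiddler rather than an answer from the ISP's resolver.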
In working with Microsoft regarding this issue and how IE9 behaves, we have found information from Verizon on how to opt out of this service. They call it "DNS Assistance". In working with another user on this issue who has BrightHouse as their ISP in FL, they have the same thing going on. But they, too, provide information on how to opt out of this service. I like how they call it a service. :)

Another possibility: it "could have been trojans checking to see if they're running in a VM". If those fake domains 'connect' because the VM is trying to record packets, the trojan will self-terminate.
