Overview
Sometimes you may find strange-looking domains listed in your reports. The examples below show what these may look like.
iafkbge
nwvkqqojgx
uefakmvidzao
claeedov
cjkcmrh
cjemikolwaczyb
ccshpypwvddmro
cdsvmfjgvfcnbob
cegzaukxjexfrk
ceqmhxowbcys
cewigwgvfd
cexggxhwgt
What are they, and why do they happen?
Unfortunately, not all ISPs follow the RFC. The obscure DNS requests we see in Umbrella reports are Google Chrome's response to that: Google developed a test that Chrome performs to protect end-users.
When met with DNS requests for non-existent domains, the ISPs in question often respond with an A record belonging to the ISP. The landing page will have advertisements along with a message such as "did you mean...". An overview of this type of manipulation and associated consequences can be seen here.
However, as per the RFC, when a DNS request for a non-existent domain is made, the appropriate response is NXDOMAIN. Since ads are typically unwanted, Google developed a method to test for this behaviour. On startup, Chrome sends 3 requests and checks to see what the response is. If the test domains resolve to the same A record instead of resolving to NXDOMAIN, Chrome will respond accordingly and hide the ads from the end-user.
This is not the only cause of random-looking DNS requests, but it is one of the most common. The key to identifying Chrome as the cause is seeing the queries sent in groups of 3 per internal host.
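The triage check described above, written as an added example (it is not code from Umbrella or Chrome): it groups random-looking single-label queries per internal host and reports whether each group of 3 received NXDOMAIN or one shared A record. The CSV log layout, the 7 to 15 lowercase-letter pattern (taken from the shape of the samples above) and the 5-second window are assumptions.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, internal host, queried name, answer.
SAMPLE_LOG = """\
2024-01-10T09:00:01,10.0.0.21,iafkbge,NXDOMAIN
2024-01-10T09:00:01,10.0.0.21,nwvkqqojgx,NXDOMAIN
2024-01-10T09:00:02,10.0.0.21,uefakmvidzao,NXDOMAIN
2024-01-10T09:00:05,10.0.0.21,www.example.com,192.0.2.10
2024-01-10T09:03:10,10.0.0.35,claeedov,198.51.100.7
2024-01-10T09:03:10,10.0.0.35,cjkcmrh,198.51.100.7
2024-01-10T09:03:11,10.0.0.35,cjemikolwaczyb,198.51.100.7
2024-01-10T09:10:00,10.0.0.44,intranet,10.0.0.5
2024-01-10T09:20:00,10.0.0.44,fileserver,10.0.0.6
"""
PROBE_RE = re.compile(r"^[a-z]{7,15}$")  # assumption: shape of the page's samples
WINDOW = timedelta(seconds=5)            # assumption: width of the startup burst

def find_probe_groups(log_text):
    """Return (host, names, verdict) for each burst of 3 probe-like queries."""
    by_host = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) == 4 and PROBE_RE.match(row[2].rstrip(".")):
            by_host[row[1]].append((datetime.fromisoformat(row[0]), row[2], row[3]))
    findings = []
    for host, events in by_host.items():
        events.sort()
        cluster = []
        for ev in events + [None]:  # the trailing None flushes the last cluster
            if ev is not None and (not cluster or ev[0] - cluster[0][0] <= WINDOW):
                cluster.append(ev)
                continue
            if len({name for _, name, _ in cluster}) == 3:
                answers = {answer for _, _, answer in cluster}
                if answers == {"NXDOMAIN"}:
                    verdict = "resolver returns NXDOMAIN"
                elif len(answers) == 1:
                    verdict = "NXDOMAIN rewritten to " + answers.pop()
                else:
                    verdict = "mixed answers"
                findings.append((host, sorted(n for _, n, _ in cluster), verdict))
            cluster = [ev] if ev is not None else []
    return findings

if __name__ == "__main__":
    print(*find_probe_groups(SAMPLE_LOG), sep="\n")
```

Host 10.0.0.44 in the sample is not reported: its two single-label lookups match the pattern but are not a burst of 3, which is the distinction the grouping rule is meant to make.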