Overview
Sometimes you may find strange-looking domains listed in your reports. The examples below show what these may look like.
iafkbge
nwvkqqojgx
uefakmvidzao
claeedov
cjkcmrh
cjemikolwaczyb
ccshpypwvddmro
cdsvmfjgvfcnbob
cegzaukxjexfrk
ceqmhxowbcys
cewigwgvfd
cexggxhwgt
What are they, and why do they happen?
As it turns out, this is actually legitimate behaviour caused by Google Chrome. Some ISPs respond to DNS queries for non-existent domains (often the result of typos) with an often unwanted advertisement along the lines of "did you mean this thing?".
As per the RFC, when a DNS request for a non-existent domain is made, the appropriate response is to answer with NXDOMAIN. However, that is not what some ISPs are doing.
Some ISPs have been improperly responding to DNS requests for non-existent domains with an A record for a page that they own, which is typically an advertisement. An overview of this type of manipulation and associated consequences can be seen here.
As this behaviour is more than likely unwanted, Google began combatting it by having Chrome send 3 requests for random domains like those above shortly after startup and check what the responses are. If Google Chrome sees that these requests all resolve to the same A record instead of resulting in an NXDOMAIN, it knows to respond accordingly and not display these ads to the end user.
This is not the only cause of random-looking DNS requests, but it is quite common. The key to identifying Chrome as the cause is seeing the queries sent in groups of 3 per internal host.
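The grouping check described above, written as an added example (not Umbrella's or Chrome's own code): it scans a constructed DNS log for groups of 3 probe-like queries per internal host and reports whether all three came back with the same A record instead of NXDOMAIN. The log format, the 7-15 lowercase-letter pattern (taken from the examples on this page) and the 5-second window are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log: epoch seconds, client IP, query name, answer.
SAMPLE_LOG = """\
1700000000 10.0.0.5 iafkbge NXDOMAIN
1700000001 10.0.0.5 nwvkqqojgx NXDOMAIN
1700000002 10.0.0.5 uefakmvidzao NXDOMAIN
1700000003 10.0.0.5 www.example.com 198.51.100.20
1700000100 10.0.0.7 claeedov NXDOMAIN
1700000100 10.0.0.7 fileserver 10.0.0.20
1700000400 10.0.0.9 cjkcmrh 203.0.113.10
1700000401 10.0.0.9 cewigwgvfd 203.0.113.10
1700000402 10.0.0.9 cexggxhwgt 203.0.113.10
"""

# Assumption: probe names are single labels of 7-15 lowercase letters,
# matching the examples shown on this page.
PROBE_NAME = re.compile(r"^[a-z]{7,15}$")
WINDOW_SECONDS = 5  # assumption: the three probes arrive within a few seconds

def parse(log_text):
    """Yield (timestamp, client, name, answer); skip malformed lines."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0].isdigit():
            yield int(fields[0]), fields[1], fields[2].rstrip(".").lower(), fields[3]

def find_probe_groups(log_text):
    """Return (client, names, rewritten) for each group of 3 probe-like queries."""
    per_client = defaultdict(list)
    for ts, client, name, answer in parse(log_text):
        if PROBE_NAME.match(name):
            per_client[client].append((ts, name, answer))
    findings = []
    for client, queries in per_client.items():
        queries.sort()
        i = 0
        while i + 3 <= len(queries):
            group = queries[i:i + 3]
            if group[2][0] - group[0][0] > WINDOW_SECONDS:
                i += 1
                continue
            # Same non-NXDOMAIN answer for all three: the resolver rewrites NXDOMAIN.
            answers = {a for _, _, a in group}
            rewritten = len(answers) == 1 and "NXDOMAIN" not in answers
            findings.append((client, [n for _, n, _ in group], rewritten))
            i += 3
    return findings
```

Host 10.0.0.7 is not reported: a single random-looking name plus an intranet short name does not form a group of 3, which is the distinction the paragraph above relies on.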
Comments
How do I suppress (chrome) random requests in the umbrella statistic? The relation seems to be 5: 100. The domain statistics are looking unreadable.