[dns-operations] chrome's 10 character QNAMEs to detect NXDOMAIN rewriting

Jim Reid jim at rfc1035.com
Tue Nov 26 20:58:18 UTC 2013

On 26 Nov 2013, at 19:23, Vernon Schryver <vjs at rhyolite.com> wrote:

> If the probing test requests are for domains that Google owns or has
> permission for junk queries, then no one outside Google has standing
> to complain.

+1. However the lookups I was talking about are not going to name servers that google owns or have agreed to receive that traffic.

> On the other hand, if Google is deploying something that does random
> queries of third party DNS servers, then Google is being almost as
> evil as the "sender verification" spammers who sent unsolicited
> bulk email (spam) to the every apparent source of incoming mail,
> including obviously forged spam.

I know that 1 root server operator gets over 100M+ lookups a day for unique TLD strings that are 10 characters long. These patterns are also found as second-level labels in QNAMEs at the root, usually for non-existent TLDs such as .home. [They might be even deeper in the QNAME: nobody's looked AFAIK.]Some of this is mentioned in passing in the gTLD name collision study I worked on this summer. The report's here:

When I was counting the incidence of TLD labels in the root server data, there were too many unique 10-character strings to actually count them all using the hardware that was available.
If I have nothing better to do and someone *really* wants this info, I'll go back and get those answers using the spiffy hardware that DNS-OARC got recently.

> Every entity that outsources its abuse detection without the informed
> consent of the outside providers of labor and other resources is an
> evil abuser, regardless of the abuse being detected, the real or claimed
> intentions of the outsourcer, and its other good deeeds.

You might very well think that. I couldn't possibly comment. :-)

Now it might be that some of the above traffic is the result of misconfigured stub resolvers and dumb CPE. That doesn't make this OK. Chrome is generating bazillions of one-time-only queries for non-existent TLDs. These hit the root. And because these are essentially use-once strings, any intermediate caches are useless. Lookups for one-time-only.home or whatever are a bit less nasty.

> Is whatever Google doing documented somewhere?  I didn't see anything
> with https://www.google.com/search?q=chromium+nxdomain+detection+dns
> and one or two similar searches.

See https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/intranet_redirect_detector.cc&q=redirect%20intra&sq=package:chromium&l=5

There was another link in the above report but that has gone away.

More information about the dns-operations mailing list