Chromium's Impact on Root DNS Traffic

438 点作者 jakob223将近 5 年前

20 条评论

xg15将近 5 年前

Couldn't the traffic be somewhat reduced by changing the time and order of operations?Currently, Chrome does the following:(1) on each network change, send three DNS requests with random hostnames.(1a) If at least two of the queries resolve to the same IP, store the IP as the "fake redirect address".(2) on a user search, query the first search term as DNS.(2a) If the query result is NXDOMAIN or matches the fake redirect address, do nothing. Otherwise, show the "local domain" hint.Instead, it could do:(1) on a user search, query the first search term as DNS.(1a) if the query comes back with NXDOMAIN, don't show the hint and stop. We're done.(2) otherwise, make two more DNS queries with random domain names to check for fake redirects.(2a) if the two queries resolve to the same IP as the first one, we have a fake redirect. Don't do anything. Otherwise, show the "local domain" hint.Results of step (2) could be cached until a network change.This would only require 2 instead of 3 probe queries and only if the user actually searched for something and if the search term actually caused a DNS match (fake or genuine).

评论 #24236539 未加载

评论 #24235601 未加载

评论 #24239096 未加载

jve将近 5 年前

The first question I asked to myself: Is there a way to disable it? Networks i'm attached to, don't do any hijacking.And yes, luckily there is a policy to disable it: <a href="https://cloud.google.com/docs/chrome-enterprise/policies/?policy=DNSInterceptionChecksEnabled" rel="nofollow">https://cloud.google.com/docs/chrome-enterprise/policies/?po...</a>Registry key: Software\Policies\Google\Chrome\DNSInterceptionChecksEnabledPowerShell: Set-ItemProperty HKLM:\SOFTWARE\Policies\Google\Chrome -Name DNSInterceptionChecksEnabled -Value 0 -Type DWordIf you are managing Chrome via GPO, you should do it via GPO. Templates can be downloaded here: <a href="https://chromeenterprise.google/browser/download/" rel="nofollow">https://chromeenterprise.google/browser/download/</a>

评论 #24233240 未加载

peteretep将近 5 年前

Wait, so Chrome leaks the first word of my searches to my ISP? That doesn’t sound like something I want to happen

评论 #24233970 未加载

评论 #24235375 未加载

评论 #24234009 未加载

评论 #24233722 未加载

评论 #24234127 未加载

评论 #24234109 未加载

评论 #24235745 未加载

评论 #24235508 未加载

评论 #24234350 未加载

评论 #24234353 未加载

0x0将近 5 年前

Verisign has nobody but themselves to blame, for "inventing" this with its SiteFinder fiasco in 2003.

评论 #24238679 未加载

评论 #24234508 未加载

kevingadd将近 5 年前

For me, the kicker: if I'm reading it correctly, over 40% of DNS traffic to the root server they examined is just diagnostic probes from Google Chrome being used to spot malicious DNS servers.

评论 #24232338 未加载

评论 #24232344 未加载

russellbeattie将近 5 年前

I'm sure anyone here who has set up a PiHole ad-blocking DNS server at home has run into these random domain requests and wondered what was going on. At first I thought one of my devices had a virus on it or something until I did a few searches and discovered it was Chrome being ludicrous. (Next topic: Getting Chrome to actually use the DNS provider that you specify and nothing else...)

评论 #24234057 未加载

评论 #24232860 未加载

padde将近 5 年前

It would be interesting to have an estimate of the energy consumed (globally) by this Chrome/Chromium feature...

评论 #24236494 未加载

malkia将近 5 年前

You can see the code online through the CS browser - <a href="https://source.chromium.org/chromium/chromium/src/+/master:chrome/browser/intranet_redirect_detector.cc;l=148?q=%22we%20generate%20a%20random%20hostname%22&ss=chromium" rel="nofollow">https://source.chromium.org/chromium/chromium/src/+/master:c...</a>

tinus_hn将近 5 年前

Fallout from the ISPs effort to hijack failed DNS queries.

_qulr将近 5 年前

On macOS you can block these with the excellent product Little Snitch.I've got several rules for Google Chrome in Little Snitch that seem to do the trick. Deny outgoing UDP connections, and Deny outgoing TCP connections to port 80 for the IP addresses and domain for my ISP. You can see these if you monitor traffic.

kevincox将近 5 年前

It seems like they could rotate these much less frequently to let caches work. It seems that these are random to avoid DNS servers hardcoding a response for them. However they could be pseudo random based on the current day, month or release so that it would be hard enough to intercept them (unless the DNS server was really committed to doing this, but there are other ways to achieve this) while still allowing a lot of caching.I think the only downside is that you would leak some information about your system clock.

评论 #24235647 未加载

jiggawatts将近 5 年前

I'm curious to know how much data the root namespace servers put out in terms of gbps, but this doesn't seem to be public information.

评论 #24232555 未加载

评论 #24232837 未加载

评论 #24234236 未加载

csagan5将近 5 年前

ungoogled-chromium[1] and Bromite[2] have had a patch to disable this for a while now[1] <a href="https://github.com/Eloston/ungoogled-chromium/blob/14fb2b0/patches/extra/ungoogled-chromium/disable-intranet-redirect-detector.patch" rel="nofollow">https://github.com/Eloston/ungoogled-chromium/blob/14fb2b0/p...</a>[2] <a href="https://github.com/bromite/bromite/blob/410fc50/build/patches/ungoogled-chromium-Disable-intranet-redirect-detector.patch" rel="nofollow">https://github.com/bromite/bromite/blob/410fc50/build/patche...</a>

jacobsenscott将近 5 年前

I can't get past the `size_t i` rather than `int i` in the first loop. Why. I suppose it is some type of defensive programming.

评论 #24238111 未加载

1vuio0pswjnm7将近 5 年前

Why does Chrome (Google) need to know whether DNS is being intercepted? What actions does Google take based on the answer?Note that under this crude test of sending queries for unregistered domains, a user who administers their own DNS could be indistingushiable from "DNS interception" by an ISP or other third party.I administer my own DNS. I do not use third party DNS. These random queries would just hit my own DNS servers, not the root servers.

评论 #24233227 未加载

评论 #24233181 未加载

评论 #24234153 未加载

alpb将近 5 年前

I think I've understood the most of the article but I missed the initial part. Why is there a probe in Chrome that uses DNS to query random 7-15 character long hostnames, only to get NXDOMAIN and burden the root nameservers? What does this probe achieve?

评论 #24232255 未加载

lionkor超过 4 年前

Why is the C++ code labelled to be coming from some file .c?

stefan_将近 5 年前

Why on earth is there someone with shell access to the DNS root zone and running tcpdump?

评论 #24233405 未加载

评论 #24233958 未加载

mschuster91将近 5 年前

The worst thing is, this will not even detect a well written NXDOMAIN interceptor that only hijacks requests to valid top level domains.It's about time for DNSSEC to be available on all TLDs and for browsers to nag if it is broken.

评论 #24238381 未加载

评论 #24233945 未加载

评论 #24234733 未加载

评论 #24233483 未加载

elric将近 5 年前

I don't get this feature. And I really hate that it's present in pretty much every browser these days. If I want to type an URL, I'll use the address bar. If I want to search, I'll use the search bar. Different bars with different keyboard shortcuts and different purposes. Why do so many browsers merge these two? Screens are insanely wide these days, so screen real estate can't be the reason. Are we trying to trick users into thinking that URLs aren't a thing anymore?Maybe this "omnibox" doesn't know whether I want to enter a hostname or a search term, but I do.

评论 #24233328 未加载

评论 #24232897 未加载

评论 #24233150 未加载

评论 #24232876 未加载