Introduction
This document describes the nature and causes of random DNS requests that can appear in activity reports and how to identify their origin.
Examples of Random DNS Requests
The following are examples of these requests, which often appear as unusual or seemingly random strings:
iafkbge
nwvkqqojgx
uefakmvidzao
claeedov
cjkcmrh
cjemikolwaczyb
ccshpypwvddmro
cdsvmfjgvfcnbob
cegzaukxjexfrk
ceqmhxowbcys
cewigwgvfd
cexggxhwgt
Explanation of Random DNS Requests
Not all internet service providers abide by RFC rules for DNS responses. These obscure DNS requests visible in Activity Search Reports result from Google Chrome’s method of sending unique requests to protect end users.
Why Do These Requests Occur?
- Some internet service providers respond to DNS queries for non-existent domains with an A record pointing to a provider-owned address. The resulting landing page typically displays advertisements and messages such as "did you mean…". The Wikipedia article on DNS Hijacking gives an overview of this type of manipulation and its consequences.
- According to RFC standards, the correct response for a DNS request to a non-existent domain is NXDOMAIN. Because ads are typically unwanted, Google developed a method to test for this behavior. On startup, Chrome sends 3 requests and checks the responses. If the test domains resolve to the same A record instead of returning NXDOMAIN, Chrome detects this behavior and hides advertisements from the end user.
- This technique is not the only cause of random-looking DNS requests, but it represents one of the most common scenarios.
How to Identify Chrome as the Cause
- Look for groups of three unusual DNS queries sent from the same internal host. This pattern indicates Chrome is generating the test queries.
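The check described above can be run over exported DNS activity. The following is an added example, not code from the original document or from Chrome: the log format, the 5-second window and the 7 to 15 letter pattern (taken from the shape of the sample strings listed earlier) are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; assumed format: ISO timestamp,client IP,query name.
SAMPLE_LOG = """\
2024-05-01T09:00:01,10.0.0.15,iafkbge
2024-05-01T09:00:01,10.0.0.15,nwvkqqojgx
2024-05-01T09:00:02,10.0.0.15,uefakmvidzao
2024-05-01T09:00:03,10.0.0.15,www.example.com
2024-05-01T09:00:04,10.0.0.22,claeedov
2024-05-01T09:00:05,10.0.0.22,intranet
2024-05-01T09:03:10,10.0.0.22,cjkcmrh
2024-05-01T09:07:45,10.0.0.22,cewigwgvfd
"""

# Assumption: a probe is one dot-free label of 7-15 lowercase letters, the
# shape of the strings listed on this page. Real short hostnames such as
# "intranet" also match, so the grouping below is what separates them.
PROBE_RE = re.compile(r"^[a-z]{7,15}\.?$")
WINDOW = timedelta(seconds=5)  # assumed burst window
GROUP_SIZE = 3                 # the page: Chrome sends 3 requests


def find_probe_groups(log_text):
    """Return {client_ip: [[q1, q2, q3], ...]} for bursts of probe-like queries."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.strip().split(",")
        if PROBE_RE.match(qname.lower()):
            per_host[client].append((datetime.fromisoformat(ts), qname.lower()))
    groups = {}
    for client, hits in per_host.items():
        hits.sort()
        i = 0
        while i + GROUP_SIZE <= len(hits):
            chunk = hits[i:i + GROUP_SIZE]
            if chunk[-1][0] - chunk[0][0] <= WINDOW:
                groups.setdefault(client, []).append([q for _, q in chunk])
                i += GROUP_SIZE  # consume the whole burst
            else:
                i += 1
    return groups


if __name__ == "__main__":
    print(find_probe_groups(SAMPLE_LOG))
```

In the sample, host 10.0.0.15 is reported because its three random labels arrive together, while 10.0.0.22 is not, since its matching names are spread over several minutes. If the exported logs show names with a DNS search suffix appended, strip the suffix before matching.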