back to article FYI: Chromium's network probing accounts for about half DNS root server traffic, says APNIC

The Google Chromium team's effort to detect when ISPs are trying to hijack domain name typos has led to a lot of network load: the browser's query response testing routine now accounts for about half of all DNS root server traffic according to a new study. In a post published Friday to the blog of APNIC, the Regional Internet …

  1. Alister Silver badge

    classic example of the law of unintended consequences.

    1. Pascal

      Unintended? That was 100% by design.

      1. Jon 37

        It's an unintended consequence of Internet providers hijacking NXDOMAIN responses.

        And certainly the Chrome team didn't intend this feature to be responsible for half the root-domain DNS queries!

        1. karlkarl Silver badge

          Yes they did!

          So now they can turn around and say:

          "Because we are such good guys, we are now going to use our own "special" server for DNS queries before we pass the request onto the standard"

          1. Anonymous Coward
            Anonymous Coward

            Don't Google have their own DNS servers? I'm sure that if you use those servers, you won't get this problem!*

            *sarcasm

  2. Martin an gof Silver badge

    Out of interest then...

    Just how does Firefox detect domain hijacking, if it doesn't do it the same way as Chrome?

    M.

    1. Anonymous Coward
      Anonymous Coward

      Re: Out of interest then...

      "Firefox’s captive portal test uses delegated namespace probe queries, directing them away from the root servers towards the browser’s infrastructure." - https://blog.apnic.net/2020/08/21/chromiums-impact-on-root-dns-traffic/

      1. john.jones.name
        Stop

        DNSSEC validation

        if they validated the DNS response signatures then they could stop doing that...

  3. Number6

    I would like to see browsers have a config option so that they didn't automatically assume a search if they didn't think what I just typed was a resolvable address. If I want to search it's the work of moments to bring up a search engine.

    1. batfastad

      Exactly. What I type in the address bar is what I want to visit... or probably my history will match after the first few letters. Sadly Firefox copied this omnibar-shambles.

      In Firefox if I want to search then I simply ctrl+? (formerly ctrl+k, or whatever search provider and shortcut combo I had created before the search box customisation was borged to become like Chromium).

      1. Pascal

        My absolute worst hated "features" of Chrome is that if you type a 100% legitimate address that happens to be an INTERNAL corporate domain, so does not match a known TLD, it automatically assumes it is a search. It will not even TRY to resolve it at the DNS level.

        so 'myserver.int.domain' triggers a google search. You have to type 'http://myserver.internal.domain' or at the very least 'myserver.internal.domain/' to prevent that behavior.

        Ranks pretty high on the "we think we know better than you what you are trying to do" meter.

        1. The Count Is Dead

          Totally agree

          This is really annonying at where I work (some no name really big tech company).

        2. quxinot Silver badge

          Easy fix.

          Use a better browser. :D

          1. Mike 16 Silver badge

            Better Browser

            Gets you into Catch 22. If you use a browser that does not implement all the misfeatures of Chrome, you will not get the "full experience" of a growing number of websites. OTOH, a website that does not use those misfeatures will be penalized in search results.

            Resistance is Futile! Have a nice day.

            1. Doctor Syntax Silver badge

              Re: Better Browser

              If you use a browser that does not implement all the misfeatures of Chrome, you will not get the "full experience" of a growing number of websites.

              That's not necessarily a bug but a feature. At the very least it enables the worst marketing departments driving the site development to self-identify.

          2. Anonymous Coward
            Anonymous Coward

            At many workplaces, the browser you get is the browser you get.

        3. katrinab Silver badge
          Meh

          I use an actual registered domain for my internal stuff. It also means I can get valid ssl certificates for it, and don't get a load of security warnings.

        4. Anonymous Coward
          Anonymous Coward

          @Pascal - My absolute worst, hated feature is

          Chrome itself.

        5. Anonymous Coward
          Facepalm

          Your second example isn't enough to stop it. An external vendor I work with embeds Zoom meeting links in their Outlook invites. Since they omit the protocol prefix, Chrome throws it at Google search. If some nefarious actor was able to eavesdrop on all Google searches with zoom.com in them, they could easily crash meetings looking for insider information.

      2. Anonymous Coward
        Anonymous Coward

        FF can be set up with a separate search box (it obviously takes up valuable space on your toolbar, but I accept that)

        1. Korev Silver badge

          As (annoyingly) all screens are "wide" these days that's less of a problem than it used to be

    2. Alumoi

      If only you could customize Firefox to show a search box and disable searching from the address bar.

      Oh, wait, you can!

      1. Neil Barnes Silver badge

        Um... apparently not. The option to use a separate search box still - on this machine - does not stop the address bar calling up the default search engine if you type a random word/phrase in it.

        Or have I misunderstood you?

        I would like the address bar to return either a valid web page, or a 404 not found.

        1. Alumoi

          about:config

          keyword.enabled set to false

          You may also play around with urlbar and search.

          Don't forget to restart firefox.

          You can also search for custom css for firefox tweak FF further. (https://github.com/Aris-t2/CustomCSSforFx)

          1. Neil Barnes Silver badge
          2. ghp

            Better hurry: about:config is about:todisappear!

    3. This post has been deleted by its author

  4. prouton

    Which is why

    I avoid NXDomain hijacks entirely by turning off search via the address bar. Using a browser on a wide screen monitor, there's no problem keeping separate address and search fields available at all times. Plus, if I have any doubt about what the domain name is, I do a search on it first and select from the google results that look most legitimate.

    Oh, and I change the DNS servers at the router level away from my ISP's servers.

    1. quxinot Silver badge
      Pint

      Re: Which is why

      I assume the FIRST DNS target is your pi-hole, of course!

      So very worth it. Doesn't need to be a pi, either--just create a pretty spartan VM on any appropriate machine and use that as a local DNS. Shocking how much bandwidth is actually saved this way.

      (Also saved: Patience with irritanting ads--and at the local network level, so it automatically gets the phone, tablet, etc, as well.)

      I detest searching from the address bar. If I wanted to search, I'd search. If I typo, give me a 404 instead of loading some useless and slow-loading nonesensical search screen.

      1. A.P. Veening Silver badge

        Re: Which is why

        I assume the FIRST DNS target is your pi-hole, of course!

        And the second DNS target is my other Pi-Hole, both of which use two Unbounds (each on their own Pi) for further DNS stuff.

    2. katrinab Silver badge
      Alert

      Re: Which is why

      Google search results are one of the most common sources of phishing frauds.

  5. Deadlock

    Read the original

    Probably best to read the actual post as that's where Google have responded in the comments (Peter Kasting's comment). https://blog.apnic.net/2020/08/21/chromiums-impact-on-root-dns-traffic/

  6. Gene Cash Silver badge

    OR we could fix the root of the problem

    Can we turn domain hijacking into a privacy issue or something? Something we can sue ISPs over?

    1. Anonymous Coward
      Anonymous Coward

      Re: OR we could fix the root of the problem

      If you're in Europe, it's already illegal

      https://en.wikipedia.org/wiki/DNS_hijacking#Response

      I agree more should be done - such activities should be considered "rogue", and ISPs who do so should be blacklisted from transit in the same way as spamming or otherwise dodgy ISPs often are.

      1. Smooth Newt Silver badge
        Unhappy

        Re: OR we could fix the root of the problem

        If you're in Europe, it's already illegal

        Sadly, I'm in Europe but in the UK where such rights and protections won't exist in a few months.

        1. Anonymous Coward
          Anonymous Coward

          Re: OR we could fix the root of the problem

          Why is the UK government going to repeal the laws already in place?

          The process of leaving the UK will not impact anything already in place - if it did that would have already happened at the end of last January. Going forwards the UK government can repeal laws that it has passed and few new laws will be enacted that follow EU rules and reg changes.

          As for this EU directive very little will change in or out of the EU as the Information Commissioner's Office has not been enforcing the rule anyway. Anyone who wants to stop this type of 'monitoring' has to switch to a service such as google's 8.8.8.8/8.8.4.4 to stop the ISP getting a direct view of what is being requested and encripted DNS to be certain that requests are not being monitored.

          1. Smooth Newt Silver badge
            WTF?

            Re: OR we could fix the root of the problem

            Why is the UK government going to repeal the laws already in place?

            The process of leaving the UK will not impact anything already in place - if it did that would have already happened at the end of last January. Going forwards the UK government can repeal laws that it has passed and few new laws will be enacted that follow EU rules and reg changes.

            Why wouldn't they? There are trade deals etc to be made with all sorts of unpleasant regimes by removing British Citizens' rights.

            Oh, and you clearly haven't noticed that we are in a transition period before we - now more than likely - crash over a cliff on 1 January next year and lose several extremely valuable rights just on day one. Everything changes. It really does change. Do try and keep up. Maybe make a start by googling pictures of black swans.

            1. David Hicklin

              Re: OR we could fix the root of the problem

              Oh, and you clearly haven't noticed that we are in a transition period before we - now more than likely - crash over a cliff on 1 January next year and lose several extremely valuable rights just on day one

              My understanding is that the withdrawal bill that had us "leave" on the 31st Jan 2020 (and then start the transition phase) actually wrote everything from the EU into UK law - once we finish the transition phase (however it turns out) the UK government can then start changing laws and rights.

              1. Smooth Newt Silver badge
                Unhappy

                Re: OR we could fix the root of the problem

                My understanding is that the withdrawal bill that had us "leave" on the 31st Jan 2020 (and then start the transition phase) actually wrote everything from the EU into UK law - once we finish the transition phase (however it turns out) the UK government can then start changing laws and rights.

                Many important rights simply vanish overnight.

                Just to name a few - My right to live, work and retire in EU states, my right to claim medical expenses from EU states that I am visiting, my right to import and export goods between the UK and the EU without paperwork, customs inspections, excise duty or tariffs (or indeed, even to Northern Ireland if I live in Great Britain), my right to have my qualifications recognized in EU member states, my right to drive my car using my UK insurance, my right even to drive it on my UK licence, my right not to be discriminated against by reason of nationality in EU states.

          2. JulieM Silver badge

            Re: OR we could fix the root of the problem

            Why is the UK government going to repeal the laws already in place?
            To ensure a less-unfavourable-sounding trade deal with the USA.

    2. brotherelf

      Re: OR we could fix the root of the problem

      Well we can turn _omnibox_ into a privacy issue, because every single-word search term is apparently handed to your DNS provider as a lookup. (Yes, I know that ironically, the usual privacy complaint is that it all gets handed to the search engine.)

  7. chivo243 Silver badge

    Chromium again?

    No Chromium for my friends at the bar

    I got a bad feeling about this one, keys to the kingdom anyone?

    https://forums.theregister.com/forum/all/2020/08/22/chromium_devs_raw_sockets/

    Is this Google's way of saying we will re-invent the intertubes??

    1. Anonymous Coward
      Anonymous Coward

      Re: Is this Google's way of saying we will re-invent the intertubes??

      too late.

      They have already done that and are reaping the rewards.

      Google is the Internet, Now and for the forseeable Future.

      Get used to it people.

      And we used to decry MS when users thought the IE is 'The Internet'.

      What Inoccent fools we were back then?

      1. jake Silver badge

        Re: Is this Google's way of saying we will re-invent the intertubes??

        "Google is the Internet"

        I categorically reject that statement. At most, go ogle is a largish subset of the insecure festering shithole subset of The Internet called "the web". And they are trivially easy to shun. Try it, you might like it.

      2. DDearborn

        Re: Is this Google's way of saying we will re-invent the intertubes??

        Hmmm

        I will never submit to the terrorists, be they bankers, lawyers, insurance companies or the online variety. Feel free to give up and give in. After all, this is exactly the outcome they are trying to achieve. One can make a stron argument that your comment is in fact a classic example of a shill selling his online wares.....

        So, instead of bending over, it is high time the the people of the world send the likes of google, MS, Face Book et al, their walking papers and take back the internet for all the people instead of operating it as weapon used by chosen few against us...

  8. Chris Hills

    Who cares about domain hijacking any more?

    Websites should use TLS by default now, and if an ISP has been able to get hold of a cert-issuing-cert signed by a CA in the default CTL, this just goes to show that the whole CA ecosystem is broken.

    1. katrinab Silver badge
      Flame

      Re: Who cares about domain hijacking any more?

      Me, because anytime my phone decides to connect to public wifi, I get loads of error messages about an invalid certificate for my mail server.

  9. Anonymous Coward
    Anonymous Coward

    Google on the march

    Chromium is the Internet.

    No one else need apply.

  10. Aussie Doc Bronze badge
    Joke

    Oh.

    They don't fool me - just trying to get me to upgrade from IE6.

    Just in case ------>

  11. mark l 2 Silver badge

    I can see another worry about this behaviour in that you might put in a search term which Chrome looks up the DNS to see if there is a domain name registered for that term, but the domain name might be something you really don't want showing in your ISP DNS look ups for your account as it might look like you have actually visited the site.

    Take for instance your looking at how to identify the sex of a black bird, so you put in 'black bird sex' but Chrome looks up to see if blackbirdsex.com exists and this DNS query will get logged by your ISP. If blackbirdsex.com is registered domain and were perhaps a pr0n site which could be illegal in the country where you lived, that might not be something you want to be associated with in the ISP logs.

  12. tip pc Silver badge

    DNS Over HTTP

    I thought chrome etc where soon to be using DoH.

    DoH to what ever provider the browsers choose will bypass the local dns settings anyway, affording chrome an opportunity to just do lookups against a special google omnibux DoH server reducing root server lookups, preventing eavesdropping & circumventing DNS based controls.

    Wondering why your Pihole stopped working despite nothing wrong with it, that’ll be the browser based DoH.

    1. Anonymous Coward Silver badge
      Boffin

      Re: DNS Over HTTP

      And if the DoH server hasn't got that domain in its cache, what do you think it does?

      It checks its upstream server, which at that level will almost certainly be/require a query to the root.

      The problem is not the browser querying root directly, it's that everything it's looking up requires that the DNS provider queries root (because NXDOMAINs aren't cached, as well as being randomly generated).

      If they checked it with <randomword>.google.com instead, that'd be absolutely fine regardless of protocol - the google.com NS & glue will be cached at all ISPs already.

  13. Doctor Syntax Silver badge

    I'd have thought that by now Google should have a good handle on which servers are run by bar stewards. Minimise the probing to a level needed to keep an eye out for ones ones or changes in existing behaviour. At start-up the browser can then query Google to find out whether its resolver address can be trusted.

  14. Jeffrey Nonken

    "Determining what a browser user wants when the text input is a single word isn't always straightforward – the word could be a search term or a reference to an intranet domain."

    Damned straight. Used to be I'd type in e.g. 192.168.1.1 to connect to my router and Chrome would cheerfully convert it to http://192.168.1.1/, try to resolve the address of that URL, fail, and f**k me over as a result.

    Effing Google.

    They've since fixed that; I no longer have to haul out a different browser just to administer to my router. But damned if that wasn't annoying.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020