A feature in the open source project Chromium, which forms the foundation for Google Chrome, Microsoft Edge and several other web browsers, is causing some serious problems online.
Chromium’s Intranet Redirect Detector is designed to detect if a user’s ISP is hijacking non-existent domain results also known as NXDOMAIN hijacking. To do this, it makes spurious queries for random “domains” statistically unlikely to exist. At the same time though, the Intranet Redirect Detector is responsible for almost half of the total traffic the world’s root domain name servers (DNS) receive.
In order to detect whether or not a network will hijack DNS queries, all Chromium-based browsers randomly conjure up three domain names between 7 and 15 characters for testing on startup and every time a device’s IP or DNS settings change. If the response of two domains returns the same IP address, then a browser will believe that a network is capturing and redirecting nonexistent domain requests.
Verisign engineer Matt Thomas provided further insight on how the Intranet Redirect Detector has increased Chrome’s market share since it was first introduced in 2010 in a blog post, saying:
“There were some false positive Chromium-like queries observed in the DITL data before the introduction of the feature, comprising about 1% of the total traffic, but in the 10+ years since the feature was added, we now find that half of the DNS root server traffic is very likely due to Chromium’s probes. That equates to about 60 billion queries to the root server system on a typical day.”
NXDOMAIN hijacking
When a user mistypes a domain name in their browser, their ISP could use a DNS hijack to send them to one of its own portals as opposed to the site they were originally trying to navigate to.
At its launch, Chromium’s creators included a new feature in their browser known as omnibox that allowed users to use the address bar to navigate to sites or to perform a search. The problem with this is the fact that many organizations use unadorned domain names on their intranets so that staff can use single-word names to reach their organization’s internal corporate servers.
Chromium checks to see if any search term entered in the address bar also works as a domain name so that it won’t accidentally prevent users from accessing servers on their intranet. However, if someone is using an ISP with DNS servers that do perform NXDOMAIN hijacking, then every domain name tried by a user will seem to exist and Chromium will be unable to tell whether something is a search term or a domain name.
Chromium’s programmers then designed their Intranet Redirect Detector feature to help them decide whether to enable their omnibox feature in the browser’s address bar.
Thankfully there is now an open bug in the Chromium project requesting that this feature be disabled by default in order to resolve this issue. We’ll have to wait and see but doing this would prevent the world’s root DNS servers from dealing with 60bn unnecessary queries each day.
Via Ars Technica
