Chromium DNS hijacking detection accounts for about half of all root server queries

Image: Matthew Thomas

To detect whether a network hijacks DNS queries, Google’s Chrome browser and its Chromium-based siblings look up three randomly generated domain names of between 7 and 15 characters. If two of those names resolve to the same IP address, the browser assumes the network is intercepting requests for non-existent domains and redirecting them.

The test runs at startup, and again whenever the device’s IP address or DNS settings change.
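The check described above, written out as an added example (this is not Chromium’s code; the probe length range and the two-of-three rule are taken from the article, the resolver interface and the sample resolvers are assumptions constructed for an offline demonstration):

```python
import secrets
import string
from typing import Callable, Dict, Iterable, Optional

# A resolver maps a hostname to an IPv4 address string, or None for NXDOMAIN.
# It is injected so the detection logic can be exercised without network access.
Resolver = Callable[[str], Optional[str]]


def random_probe_name(rng=secrets) -> str:
    """Return a random label of 7 to 15 lowercase letters (the range the article gives)."""
    length = 7 + rng.randbelow(9)  # 7..15 inclusive
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def probe_for_nxdomain_hijacking(
    resolve: Resolver, names: Optional[Iterable[str]] = None, probes: int = 3
) -> bool:
    """Look up `probes` random names; report hijacking if two or more resolve to the same IP.

    Random labels should not exist, so an honest network answers NXDOMAIN for all of
    them. A single unexpected answer is tolerated (a random label could collide with a
    real name); two answers sharing one address is the article's interception signal.
    """
    names = list(names) if names is not None else [random_probe_name() for _ in range(probes)]
    hits: Dict[str, int] = {}
    for name in names:
        ip = resolve(name)
        if ip is None:
            continue  # NXDOMAIN, the expected result for a random label
        hits[ip] = hits.get(ip, 0) + 1
    return any(count >= 2 for count in hits.values())


# --- Constructed resolvers for offline demonstration (assumptions, not real networks) ---

def honest_resolver(name: str) -> Optional[str]:
    """Every random label is NXDOMAIN."""
    return None


def make_hijacking_resolver(landing_ip: str) -> Resolver:
    """Simulates a network that answers every non-existent name with one landing page IP."""
    def resolve(name: str) -> Optional[str]:
        return landing_ip
    return resolve


def real_resolver(name: str) -> Optional[str]:
    """Optional online check using the system resolver (not used by the offline demo)."""
    import socket
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    print("honest network  :", probe_for_nxdomain_hijacking(honest_resolver))
    # 192.0.2.1 is a documentation address (RFC 5737), used here as a constructed landing IP.
    print("hijacking network:", probe_for_nxdomain_hijacking(make_hijacking_resolver("192.0.2.1")))
```

The `names` parameter exists so a fixed set of labels can be supplied for testing; in normal use the three labels are freshly generated on every run, which is exactly why the probes cannot be cached and end up at the root servers.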

Because DNS resolvers forward queries for domains they do not know to more authoritative name servers, the random names Chrome uses find their way to the root DNS servers, and according to Matthew Thomas, chief engineer in Verisign’s CSO applied research division, those queries make up half of all queries to the root servers.

Data presented by Thomas showed that as Chrome’s market share grew after the feature was introduced in 2010, queries matching the pattern Chrome uses grew with it.

“In the 10-plus years since the feature was added, we now find that half of the DNS root server traffic is very likely due to the Chromium probes,” Thomas said in an APNIC blog post. “That equates to about 60 billion queries to the root server system on a typical day.”

Thomas added that half of the root servers’ DNS traffic is being used to support a single browser feature, and that with DNS interception “certainly the exception instead of the standard”, in any other scenario the same traffic would look like a large-scale distributed denial of service attack.

Earlier this month, SANS Institute dean of research Johannes Ullrich looked at how many of the world’s 2.7 million authoritative name servers it would take to knock out 80% of the Internet.

“It only takes 2,302 name servers or about 0.084%!” Ullrich wrote.

“0.35% of name servers are responsible for 90% of all domain names.”

Ullrich found that GoDaddy was responsible for 94.5 million records, Google Domains had 20 million, the trio of dns.com, HiChina and IONOS each had 15.6 million, while Cloudflare had 13.8 million records.

“Using a cloud-based DNS service is simple and often more reliable than running your own name server. But this large concentration of name services with few entities increases the risk to the infrastructure substantially,” he said.

To reduce the risk of a supply chain failure making parts of the Internet inaccessible, Ullrich said organisations should run secondary name servers in-house, or at the least make sure they use more than one DNS provider.

Telstra provided an example of how a DNS failure can look like an Internet outage to users, in a case where the telco effectively carried out a denial of service attack on itself.

“The massive message storm that presented as a denial of service cyber attack has been investigated by our security teams and we now believe it was not malicious but a Domain Name Server matter,” the telco said earlier this month.

Last month, Cloudflare provided a similar example on a much larger scale.