4

Noticed an interesting thing whilst debugging one of my websocket applications that Google Chrome will push out 3 http requests upon a network connection status changing;

Quite disconcerting and looks almost as if some malware is checking out to a random server.

I don't quite understand the why though since they all return a 502 or have no response code at all since the destination does not exist.

On Disconnect:

Connection Down

Reconnect:

Connection Up

I guess the main question is this normal and what the use is; howcome they wouldn't go for a dns lookup that actually exists?

cillierscharl
  • 143

2 Answers2

7

As I remember, this is a special feature of Chrome. This feature is used to help to detect if your provider specially process invalid dns entries. chromium bugtracker - latest message

crea7or
  • 949
0

It looks alarming but is apparently normal and intended behaviour in Chrome.

In order to use the address/location bar for searches and not just URLs, Chrome needs to check that the entered text isn't a valid domain before it can treat it as a search term. However, some IPSs serve advertising pages in response to non-existent domains (DNS Hijacking), which would make it appear that every domain exists! To test for this, Chrome will query some random, likely bogus single-word domains and see if they map to the same IP address. If they do, Chrome can assume that the upstream ISP is performing DNS hijacking.

See also Chrome: DNS requests with random DNS names: malware?, Chromium issue 47262

screwtop
  • 103