Weird DNS queries

I have appended the DNS suffix on my computer; however, Comodo Dragon looks like it is sending out randomized data in the form of a DNS query. After opening the web browser, it will precache the DNS for the thumbs, and then after about five seconds, it will send out three DNS queries. Oh, by the way, Google Chrome does this as well. The most recent previous version of Comodo Dragon did not do this.

I have looked into doing several things, such as running my own internal DNS server, along with other solutions, but they are all somewhat cost prohibitive.

I viewed the DNS queries in Colasoft Capsa.

All of the DNS queries fail. I have changed DNS servers (from 8.8.4.4 to 208.67.220.220 – Google to OpenDNS) and tried other DNS providers, for example my ISP DNS. None of these look like the problem.

I considered doing one other thing, which is running a free DNS internally, then putting the domain suffix in blackhole, but I do not think this will solve the problem.

Why did this start? Yes, I posted this elsewhere as a malware hunt. I have no idea what is going on.

I am somewhat computer literate, but if you want to give it to me “from the top”, feel free.

Win7 x64
Home Premium
Side by side with Chrome
UAC at default
“C:\Program Files (x86)\Comodo\Dragon\dragon.exe” 16.1.1.0
Standard and administrator user
most recent update to Chrome (16.0.912.63)

I looked around because I was also seeing wpad requests - I have not rebooted - but I still see these ‘malformed’ DNS queries.

Hi,

It is a Chromium feature. Such requests are sent on the browser startup to support the OmniBox functionality.

Thank you for the feedback!

The third (3) post from this topic has been moved, please read the reply post before you post again.

Thank you

Dennis

This topic has been moved to the Forum Policy Violation Board.

That does not make sense at all.

  1. The DNS prefetch for thumbnails happening is enough to support omnibox functionality.
  2. It looks like some kind of denial of service attack (and if my ISP contacts me about it, I will refer them to this thread)

I could go on, but I suspect I am being lied to. You will find no weakness here.

Chromium considers everything typed into the Omnibox to be either a URL, a host name or a search request.
URLs are easy to distinguish, but with the other two there are caveats.
If there is a dot in the text and no spaces, it is considered a host name.
But what if the user wants to contact a local server using its relative name only?
So before performing a search request, Chromium tries to resolve the text as a host name; if it resolves, it contacts it on web service ports. Only if that fails does it send the text to the search engine.

But there are ISPs who do the same thing in their DNS: they redirect users who typed incorrect host names to some web service with web search results or spelling corrections.
Chromium tries to detect such DNSes because they prevent the Omnibox from functioning properly.

To detect it, Chromium generates a few random local hostnames on startup and tries to resolve them and contact them by HTTP. If a 3XX redirect is received in a reply, it saves the redirection URL. Then it tries to extract a pattern from those URLs and, if it can do so, it uses that pattern to find such redirects in future and show Omnibox search results instead of them.
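The probe described in the reply above, written out as an added example (this is not Chromium's or Comodo's code, and the numbers and names in it are assumptions): generate a few random dotless hostnames, resolve each, fetch `http://<name>/`, and treat a 3XX reply as evidence of an ISP redirect only when at least two of the probes land on the same origin. An honest resolver answers NXDOMAIN for random names, so the probe learns nothing and no HTTP request is made; the "hijacking" resolver and HTTP client at the bottom are constructed offline stand-ins so the script runs without touching the network.

```python
"""Added example: NXDOMAIN-redirect detection with random hostname probes.

Not Chromium's own implementation. Hostname length (7-15 letters), probe
count (3) and the two-of-three agreement rule are assumptions made here.
"""
import random
import string
from urllib.parse import urlsplit


def random_hostnames(count=3, rng=None):
    """Generate `count` dotless hostnames of 7-15 random lowercase letters.

    Dotless names are the ones that get the DNS suffix appended, and the ones
    an ISP's "helpful" resolver would otherwise turn into search-page redirects.
    """
    rng = rng or random.SystemRandom()
    return [
        "".join(rng.choice(string.ascii_lowercase) for _ in range(rng.randint(7, 15)))
        for _ in range(count)
    ]


def probe_for_redirect_origin(hostnames, resolve, fetch, min_agreeing=2):
    """Return the origin that the random names are redirected to, or None.

    resolve(host) -> IP string, or None on NXDOMAIN.
    fetch(url)    -> (http_status, Location header or None).
    One redirect alone is not a pattern; `min_agreeing` probes must agree.
    """
    votes = {}
    for host in hostnames:
        if resolve(host) is None:
            continue  # honest NXDOMAIN: nothing to learn from this probe
        status, location = fetch(f"http://{host}/")
        if status is None or not (300 <= status < 400) or not location:
            continue
        parts = urlsplit(location)
        if not parts.scheme or not parts.netloc:
            continue
        origin = f"{parts.scheme}://{parts.netloc}"
        votes[origin] = votes.get(origin, 0) + 1
    for origin, count in votes.items():
        if count >= min_agreeing:
            return origin
    return None


def is_hijacked_redirect(location, redirect_origin):
    """True if a later navigation's redirect target matches the learned origin."""
    if redirect_origin is None or not location:
        return False
    parts = urlsplit(location)
    return f"{parts.scheme}://{parts.netloc}" == redirect_origin


# ---- constructed, offline stand-ins for DNS and HTTP (no real network) ----

def hijacking_resolve(host):
    # An ISP resolver that never says NXDOMAIN: every name gets the same IP.
    return "198.51.100.7"


def hijacking_fetch(url):
    # The "search assistance" page behind that IP answers with a 302.
    host = urlsplit(url).hostname
    return 302, f"http://search.isp.example/?q={host}"


def honest_resolve(host):
    return None  # unknown names genuinely do not resolve


def honest_fetch(url):
    raise AssertionError("must not be called when the name did not resolve")


def run_demo(seed=1):
    """Run the same probe names against both environments."""
    names = random_hostnames(rng=random.Random(seed))
    hijacked = probe_for_redirect_origin(names, hijacking_resolve, hijacking_fetch)
    clean = probe_for_redirect_origin(names, honest_resolve, honest_fetch)
    return hijacked, clean


if __name__ == "__main__":
    print(run_demo())  # ('http://search.isp.example', None)
```

To turn this into a live check of your own resolver, pass `socket.gethostbyname` (wrapped to return `None` on `socket.gaierror`) as `resolve` and an HTTP client with redirect-following disabled as `fetch`; the three queries you will then see on the wire are exactly the ones the original post describes, and on a resolver that returns NXDOMAIN honestly they are the only traffic the probe generates.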

Accepted, but I type NOTHING. This happens by OPENING the program and NOTHING ELSE.

It makes more sense to query known working URLs. Doing DNS requests on known NON-WORKING DNS entries makes little if any sense to me whatsoever. I would like THAT explained to me, because otherwise, it looks like you are trying to make me do something I would never knowingly do. I also want to ask why those DNS requests would be generated for hostnames within my ISP. The change I made to my DNS suffix modifies those requests, making them go nowhere a hundredfold beyond what they were already.

Why not have this “functionality” do a DNS request on Comodo's own server, along with Google, and SW-Iron?

Or some other site known to have co-location or some other factor which makes it have a high reliability (e.g. uptime)?

This is why I say this “feature” is either a BUG or some kind of intentional malware. If I see attempted connections that make sense, then I wouldn’t be inclined to ask questions like I have asked.

Thank you for saying it is a part of Chrome / Dragon / SW-Iron. Now I know it is not an attached process e.g external malware.

I am asking for this feature to be removed or re-worked, because it looks (to me and others) like a denial of service attack, even if weak and accomplishing nothing.

Oh and one more thing. I do not understand why that code would be activated unless I am connecting to hostnames in that specific Chromium build (for example, in Dragon). If I NEVER connect to a hostname within my own ISP netblock (not in history, not in downloads, not in any other record of the browser being used) then why would it ever make those DNS queries? If I never use the “feature” then it seems this is a way to streamline the browser, along with its memory usage, etc.

Thanks.

Anyhow, you guys do what you like. I have modified the DNS suffix in TCP/IP properties to 71172 characters, and “broke” this unwanted “feature”. Had to do it in Regedit, but I’ve accomplished it.

No more weirdness here.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters]

Modify “SearchList” to eradicate this if you have no need for this feature. 71172 characters long eradicates it.

Have a great day.

kinda techy, have you already posted about this issue under another username somewhere? I’m currently not sure how you’re reaching the conclusions that you have… based on what you’ve said and what Mihai Vasilache has said to you.

Accusations of lying, malware distribution and DoS attacks… really? That is a fairly serious set of allegations there. I’m assuming you have evidence to support this?

Can I see the packet sniffer output (PCAP file) from where these 3 DNS queries are happening? You mentioned that the source code led you to some of this? Citations & references would be good please. Was this Dragon’s source code?

Do you have any add-ons installed with Dragon?

No Sir, I do not have a second username here, except kinda techy 2, which did not receive an activation email.

With regard to accusations of malware, I did note carefully that my concern was with regard to external malware, not internal.
With regard to accusations of denial of service attacks, I feel the program could be improved to prevent even the thought of such a thing being included or exploited, and should be a concern of Comodo, seeing as how the company states it is the most secure browser.

I am not allowing those connections again, and I do have a screen capture of those events, which I think is enough, but if you insist on a raw packet file, I will get one and post it publicly. I would only do so when I can ensure the packet file does not require sanitizing.

With regard to the source code, there are two files that cause me to have concerns which might appear to be outside the realm of programming, yet I am steadfast in my opinion of what they are, what they do, and what a result might be from those files. I will not go off topic in this forum, but I will be open to discussion on that with programmers who are able to understand my concerns and would be willing to make the necessary adjustments.

The source in question is the Chrome source, which is currently 1.2 GB from the dev chromium group site. I am on a somewhat fast connection, so it took less than an hour or so to download and extract the files.

I will state this rather openly - when I state that someone might be lying in an attempt to find weakness, you might want to consider that my question is valid and I will not have my concern - which is legitimate - be silenced, quashed, or withheld in any manner if the statements by others are inspired by anything other than the effort to keep the internet safe.

I take this matter very seriously. I do not like my computer being used in a way that I do not understand and I have had computers as a hobby since 1994. I did not fall off the pumpkin truck yesterday. It is my steadfast belief the code in question should either be something that is only enabled when it is called - with the intent of the user at the terminal the program is installed on - and to be unloaded if not being used. I would also love it if I could get a checkbox I can untick to completely disable this feature that I do not want, do not need, and have no use for.

I could go on about my personal network here, how I have certain things set up, etc, but I see no need to tell you I know what UNC actually stands for, or anything else. Yes, without searching the internet or a book for the answer.

I will also - because it was mentioned previously - ask why a hostname on my netblock would be queried when I use google / comodo / OpenDNS? Yes, my ISP has a search page. I guess you had no idea I can’t stand it and get very inspired to change my DNS when I see it. I kinda view it as a blessing in disguise.

No sir, I have no add-ons. It's as bare as can be. I did have AdBlock Plus installed before I got rid of the entire %folder% Dragon was installed in previously. I do not see how blocking advertisements would initiate random hostname queries but I also want to mention I have installed Chrome, Dragon, Iron - again - after removing everything associated with them, using (you guessed it) the Comodo Programs Manager. It even got rid of stuff Windows thinks I want to hang on to.

I even went so far as to reinstall my OS, and all my regularly used programs. The OEM defaults to Chrome 7.something (didn't bother to write it down, sorry!) but after simply updating Chrome to the latest version (did that yesterday) those DNS requests appear right afterwards.

To be so very honest with you, I know of several exploit packs being available, however, I do not use them. I downloaded one about a year ago, just kinda poking around. Being aware of them, I do realize this might be something that is being actively exploited, and if so, I have no idea who it might be.

edited for clarity and completeness

Firstly, I’m actually posting here in response to the Report to Moderator alert that you raised.

Sorry, I do not insist on the raw packets… I merely assumed that you already had them because you called the DNS queries malformed. So, I guess now that was a turn of phrase rather than the DNS query packets actually being malformed in some way. But, I’m not totally certain, as you also seem to be concerned that the DNS query packets would need to be sanitized before you would let me see them. Can you clarify this for me?

I have no problems reading all types of different source code. But, my interest here was merely what concerned and alarmed yourself… rather than anything else specific. I cannot help unless I understand.

Openness. Do you feel that there has been an attempt to silence, quash or withhold something from you? Can you give me specific examples?

Lying in an attempt to find weakness? Nowhere in Mihai Vasilache’s first reply does it give any indication that is what he’s doing. I’m not sure why you would assume that. But, if you’re wondering why your post was removed to our Forum Violation board, you are obligated to obey the forum policy and it clearly states that you must show respect to other members and Comodo staff. Calling someone a liar based on an eighteen-word reply is, at best, unwarranted and certainly disrespectful. In my opinion, it probably would have been better to assume that he hadn’t understood what you meant in the first instance.

What is the feature you would like to be able to disable? The OmniBox functionality? I thought you had rejected that notion as a possible cause here. Sorry, I may have this confused.

On seeing the picture you gave me access to by PM I can certainly see why this might cause some concern. It might be a good idea to also let Mihai Vasilache see it as well. He’s almost certainly basing his response on your description alone currently and given the way he initially responded, it’s quite likely that he has answered this exact question more than once previously. But, the image may help in clarification… and he could also then respond to some of your concerns… if you actually let him (ie. by not accusing him of lying).

Your reply is appreciated. Thank you.

Raw packet files would be the only way I can submit to you the DNS queries. If I stay true to my word, then I would need to ensure my IP / hostname / netblock is not shared with the entire planet. Thus, sanitizing.

The files in question I will not reveal publicly, for reasons I will not state here. As I said, I am very willing to give the programmers my opinion of what they do, and let them decide for themselves.

As far as saying I was lied to, I will apologize to Mihai for the accusation; however, simply saying it is a feature when I have bothered to type as much as I did - including that I am investing a lot of time in a malware hunt on my own system (and a bit miffed at the fact I reinstalled my OS trying to get rid of whatever it is) - without further explanation (not even a link to a page explaining omnibox, Omnibox for the uninitiated) … Do I really need to say more? Yes, I looked into it, but I still hold the opinion this specific “feature” is bothersome. I’ll go into that more at the end of my post.

I’m glad you saw I had reason for concern. It looked like random attempts to connect to other computers, I do not want to take it upon myself to do a lot of netstat / robtex / nslookup to find that none of the DNS requests go anywhere. I had really hoped for a bit more than “its a feature” to be the reply.

With regard to the specific feature I would like disabled, it is the DNS queries to hostnames on my ISP. There are several servers I can think of looking for UNC pathways, nearby hostnames, etc. I strongly believe this task can be accomplished without random hostnames being generated, and am asking for a way to be found that reduces the chances of someone somewhat technically proficient having any concern about what is happening, if they happen to go digging in log files.

You do not have to add this feature of being able to disable localized hostname lookup. As I stated, I have used regedit and a .reg registry file to accomplish the deactivation of this “feature” because I do not desire it to work at all on my system. Thus, I have a 70000+ character “SearchList” registry entry. This disabled the functionality of the feature, and has not hindered in any way other functions within any of my Chrome builds currently installed.