Chromium's "omnibox" feature accounts for 50% of all DNS root queries - about 60 billion a day
In a recent blog post on APNIC, Verisign Principal Engineer Matt Thomas has written about how just a few lines of code in Chromium have affected the root DNS servers. Chromium is the foundation for not only Google's Chrome but also Microsoft Edge, Opera, Amazon Silk, and Brave, all of which account for about 70% of all browsers used today.
The "omnibox" feature is responsible for a whopping estimated 60 billion DNS queries a day, about half of all DNS root queries.
In almost any other scenario, this traffic would be indistinguishable from a distributed denial of service (DDoS) attack.
Chromium has a feature, known as the omnibox, in which users can use a single input box to enter all sorts of requests such as search queries, website names and, of course, full URLs. The problem arises when the user enters a single-word term that could be interpreted as either a search query or an intranet address. For example, should "dns" perform a search query for the term "dns" or navigate to the page "http://dns/"?
At first this seems easy: the browser could check in the background whether a DNS record can be resolved for the hostname. If it can, navigate to the site; if not, perform a search. However, some networks or DNS servers fall back to a default address for all non-existent domains and serve their own page that attempts to offer the user suggestions.
This is where the "Intranet Redirect Detector" comes into play. It generates random hostnames such as "rociwefoie" each time the browser is started or DNS-related system changes are detected. Three such hostnames are resolved by a DNS lookup and the results compared. If any two of the results match the same address, the browser assumes that a redirector is in place, so any time a lookup resolves to this address it can be treated as a redirect response and not a real intranet site.
Digging into the source code explains the feature as below:
This component sends requests to three randomly generated, and thus likely nonexistent, hostnames. If at least two redirect to the same hostname, this suggests the ISP is hijacking NXDOMAIN, and the omnibox should treat similar redirected navigations as 'failed' when deciding whether to prompt the user with a 'did you mean to navigate' infobar for certain search inputs.
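The detection procedure described above, as an added Python sketch that is not Chromium's code: it probes three random names through an injected resolver, takes an address shared by at least two answers as the redirector, and then decides whether a single-word input is a search or an intranet navigation. The resolver functions, the intranet table, the 203.0.113.80 landing address and the 7 to 15 letter probe length are assumptions constructed for the example.

```python
import random
import string
from collections import Counter

def random_hostname(rng, min_len=7, max_len=15):
    # Probe length range is an assumption for this sketch.
    length = rng.randint(min_len, max_len)
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))

def detect_redirect_address(resolve, rng=None, probes=3):
    """Resolve random names; return the address shared by >= 2 answers, else None."""
    rng = rng or random.Random()
    answers = [resolve(random_hostname(rng)) for _ in range(probes)]
    answers = [a for a in answers if a is not None]  # None models NXDOMAIN
    if not answers:
        return None
    addr, count = Counter(answers).most_common(1)[0]
    return addr if count >= 2 else None

def omnibox_action(term, resolve, redirect_addr):
    """Single-word input: navigate only if it resolves to a non-redirector address."""
    addr = resolve(term)
    if addr is None or addr == redirect_addr:
        return "search"
    return "navigate"

# Constructed sample data: one real intranet host, one hijacker landing address.
INTRANET = {"dns": "10.0.0.53"}
HIJACK_ADDR = "203.0.113.80"

def honest_resolver(name):
    return INTRANET.get(name)  # unknown names -> NXDOMAIN

def hijacking_resolver(name):
    return INTRANET.get(name, HIJACK_ADDR)  # unknown names -> landing page

if __name__ == "__main__":
    for label, resolver in (("honest", honest_resolver), ("hijacking", hijacking_resolver)):
        redirect = detect_redirect_address(resolver, random.Random(1))
        for term in ("dns", "printer"):
            print(label, term, omnibox_action(term, resolver, redirect))
```

Passing `redirect_addr=None` to `omnibox_action` with the hijacking resolver shows the failure the detector prevents: "printer" is then treated as a real intranet host.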
The article goes into detail on how likely it is that the suspected queries are due to this feature, comparing them against what the code would generate, tracking them over time against the market share of Chromium-based browsers, and looking at how the feature has evolved.
It is a very interesting read, and it is incredible how such a small feature that so many of us use each day has such a large impact. For all the technical details, be sure to check out the full article at APNIC.