"Chrome also tries to find out if someone is messing up with the DNS (i.e. “nasty” ISPs that have wildcard DNS servers to catch all domains). Chrome does this by issuing 3 DNS requests to randomly generated domain names,"
I have a question. Why would wilcard domains be 'nasty'? It's not that unusual, is it? Would Google discourage this?
I can imagine that a site uses wildcard domains to differentiate in the content it should serve, for example a blog provider: john.bloggo.com, luyt.bloggo.com, johndoe.bloggo.com etc... You wouldn't want to put a few thousand customer names in your DNS tables, instead use *.bloggo.com and let the webapp interpret the subdomain name.
Or in the case of some development server, ftp.domain.com, svn.domain.com, git.domain.com and www.domain.com maybe all should resolve to the same IP and find the corresponding service on that machine. If the admin were to add another service, say SMTP, he could just install a mailer on port 25 and he wouldn't have to adjust the DNS.
Yes, I think so. When ISPs wildcard all domains, I think the typical reason is so that when you've typed an invalid name, they return a page with search results guessing at your intent. If I'm right (I might not be), then Google has plenty of incentive to stop that from happening, or at least know that it is happening.
First, those pages with search results are often ugly, full of ads, poorly formatted, etc. Google would like you to have a nice experience in Chrome so that you're a happy user. If you see an ugly, messy ad-ridden page (especially if the ads aren't Google ads) every time you make a typing mistake, Google loses out.
There are probably other more subtle and nuanced reasons that Google would dislike that practice, but I'm not really sure of specifics. (In fact, I'm not entirely sure that DNS wildcarding is even related to those ISP search pages...but I think it is.)
Also, if the ISP is answering every DNS query with "yes this is a valid domain" it breaks Chrome's domain discovery feature, described a bit further down the SANS article.
I don't think that DNS wildcarding has anything to do with it. They just set up their DNS server to return their own address instead of NXDOMAIN when the domain doesn't exist:
I have a question. Why would wilcard domains be 'nasty'?
It's not that unusual, is it? Would Google discourage this?
You're thinking of wildcard subdomains, where a [[domain.com]]'s naming servers are configured so *.domain.com resolves.
Google is taking action against wildcard domains, where the nameserver resolves every domain to some IP. Valid domains are (usually) resolved to the correct IP, invalid domains are resolved to the ISP's ad-laden search page.
exactly. it's as if your phone company were to reroute calls to non-existent numbers to toll number instead of the usual intercept message "the number you dialed is not in service." the catchall search/ads page wastes way more bandwidth and DNS lookups than NXDOMAIN.
Hmmm.... maybe I should change my setup then, and somehow fill the DNS server with names from the database, instead of relying on a wildcard. Thanks for the insight!
I think you're still misinterpreting it a little bit. Google won't penalize you for using wildcards on your domain. They only look for ISPs that use wildcards as a "catch all" to show their branded search page.
Have a look at this scenario. This scenario has nothing to do with Google or Chrome (yet).
Assume: User is using their ISP's DNS service, and the ISP uses DNS wildcards to redirect users to a branded search page.
1) User types notifyo.com in to a web browser; a misspelling of notifo.com
2) ISP DNS finds no match for notifyo.com upstream, so returns their own web server's ip
3) User is shown a web page with search results when they really wanted a specific website
ISP's do this by specifying wild cards at the TLD level. This means .com, .net, .org, etc will all return the IP of their search servers if nothing else matches.
Google Chrome checks for these wildcards only. It does not check for wildcards on your domain. For example, Google Chrome would not find, nor object to .notifyo.com.
Personally, I find the use of wildcards at the TLD level to be flat out offensive. It's a break in the basic protocols of the internet. If a website doesn't exist, I need to know. I don't want a search page, I want an error that reflects the status of the domain I have attempted to visit. That's why I use the 4.2.2.x DNS servers.
Wildcard domains (*.bloggo.com) aren't nasty. Wildcard DNS servers are. They inject domain name data into zones owned by other entities; if you type news.ycombinator.com, you get this server, but nwes.ycombinator.com gives me a JS redirect to www.ayudaenlabusqueda.com.ar/?query=nwes.
This is what I gathered from the article, that it is looking for evidence of malware injecting itself between your browser and the DNS lookup, or poorly configured DNS servers doing similar.
On a similar thread, Googlebot will often request a page that it can safely assume will 404, like example.com/noexist_d6956f303b25361a.html, just to make sure that non existant pages actually return a 404 instead of a 301 to a page with dynamically generated content based on the request name.
This is interesting news. My use case is indeed having many subdomains together with a wildcard DNS like '*.somesite.com', and I'm not designing some nefarious plot to redirect 'notexistant.somesite.com' to an ad-serving site. Instead, a page saying 'this subdomain can't be found', together with a registration form, would be shown.
(Speculation mode on) Would Google penalize this setup with a lower Pagerank?
"Chrome automatically tries to determine if the user typed in a domain and tries to resolve it in the background."
When I first switched my windows ipv4 dns settings to use opennic i noticed:
chrome knows that a string typed into the address bar (one that isn't already eventually found in history or typed before) that ends with any normal suffix .com .uk etc. is a url, instead of just a query to be sent to the default search engine.
but it doesn't know what to do with strings that have opennic only suffixes like .free on them.
unless i make it clear that i am typing a url and not a query, by putting http:// on the front, it doesn't know that it is a url, because it has the non-standard .free or something on the end.
typing example.free or www.example.free for the first time just sends it to the search engine. so it seems chrome only knows/validates the official dns suffixes.
i rechecked this with dns prefetching off and with it on.
in either case, anything with a standard tld puts the url as the top/selected result on the pulldown, with "send as a query to search" as the second possibility.
but if I have prefetching ON (which I didn't when I first encountered the issue) the prefetching finds non-standard domains (eg register.fur, register.ing) and their servers and homepage titles but the option to treat them as a url and just go to the page appears below the default option to treat them as a search in the pulldown, so just typing them in and pressing enter still sends them to search.
whether that is a big deal is up to you. it seems silly that something.suffix is not treated as a url when the prefetcher has already found it.
I noticed the random DNS requests the other day when I had to tunnel my traffic over ssh from the local library, but didn't think to figure out what the requests were. Interesting that this article shows up now.
You're right, the application was (apparently) refused. I remember seeing it go by and thinking 'wow, that's a really neat TLD', but never heard from it afterwards. Now I know why :)
Chrome should stick to its true nature, do one thing well, and leave the DNS stuff (refetch after..., the weird anti-nasty system explained in the post) to a DNS cache daemon. Google could include one in Chrome OS, and don't turn Chrome (the browser) into a big pile of bloat.
Anti-nasty system, maybe. The prefetching thing can't possibly be implemented by the DNS cache daemon because it doesn't know what the user is currently typing.
I was speaking about the fact that Chrome also re-fetch some of the (most used) DNS entries in the background when they are about to expire (like they do for the DNS "8.8.8.8" servers).
I agree that prefetching however can't be done by a DNS cache program.
So instead of shipping one executable with code X + Y they should ship two executables: one with code X + one with Y + Z, increasing the overall complexity of what they ship and adding the inevitable "bloat" which would come from extracting DNS code into a deamon and additional code to communicate between Chrome and that deamon (the Z part).
That doesn't sound like a sound engineering practice.
No. They give them a competitive advantage over other OSes by offering a faster Internet experience on ChromeOS. They stick with classic DNS resolving on Chrome the browser, no matter the plateform.
The complexity and bloat is having Chrome, Firefox, Opera copying DNS cache features and not gathering their knowledge together in this area.
I have a question. Why would wilcard domains be 'nasty'? It's not that unusual, is it? Would Google discourage this?
I can imagine that a site uses wildcard domains to differentiate in the content it should serve, for example a blog provider: john.bloggo.com, luyt.bloggo.com, johndoe.bloggo.com etc... You wouldn't want to put a few thousand customer names in your DNS tables, instead use *.bloggo.com and let the webapp interpret the subdomain name.
Or in the case of some development server, ftp.domain.com, svn.domain.com, git.domain.com and www.domain.com maybe all should resolve to the same IP and find the corresponding service on that machine. If the admin were to add another service, say SMTP, he could just install a mailer on port 25 and he wouldn't have to adjust the DNS.