June 9, 2020
UTC timezone

Intranet Redirect Detector or Pseudo Random Subdomain Attack?

Jun 9, 2020, 7:10 PM
Standard Presentation Online Workshop


Duane Wessels (Verisign)


DNS query traffic received by root name servers includes a significant number of queries for random, single-label strings. These first appeared in 2011 and are attributed to a function in the Chrome browser source code whose purpose is to detect NXDOMAIN "hijacking."

In this presentation we show how the volume of these probe queries from Chrome has grown over time and now comprises nearly 50% of root server query traffic. We further show how the query patterns have changed over time, and that these queries can expose domain search list processing by resolvers.

Talk Duration 20 minutes

Primary author

Duane Wessels (Verisign)


Matthew Thomas (Verisign)
