"This happens when using Chrome-based browsers. Chrome tries to find out if someone is messing up with the DNS (i.e. wildcard DNS servers to catch all domains). Chrome does this by issuing DNS requests to randomly generated domain names with between 7 and 15 characters
"In a normal setup this results in a “No such name” response from your DNS server. If the DNS server you use has a wildcard setup, each of these requests will result in a response (which is normally even the same) so Chrome knows that there is someone messing around with DNS responses."
So, Chrome checks to see if you're doing DNS adblocking. Fuckin' Google.
@drwho to be honest, they only do that because scummy ISPs are even worse and hijack the search traffic.
...which they want for themselves, so back to "fuck'em", I guess.
@drwho I don't think pi-hole does return answers for those? The FAQ seems to just be explaining why they show up in its log.
@freakazoid The Pi-Hole doesn't. It should return an NXDOMAIN. Chrome is treating it as "The local DNS can't be trusted, so I'll start using Google's DNSes," which means it's collecting net.activity. Coupled with their breaking the knees of adblocking with Manifest v3, and...
Fuck. Hang on, quick game of Gunshots or Fireworks.,
@drwho That's not what Chrome is doing. It's not detecting adblockers, it's detecting ISPs that redirect typo'd domains to ads.
@easrng Fingerprinting the responses is the first thing that comes to mind.
Depending on whether or not I can resuscitate Cloudbuster, my next home project is setting up a Pi-hole so I'll be able to test this hypothesis.
If I was them I'd go a little bit farther in detecting threats to my revenue stream, but going farther than I need to is kind of my jam.
@drwho There's no difference in behavior between Google's DNS and adblocking DNS for nonexistent names: https://www.diffchecker.com/FdtsLGwo
Here's what it looks like when there is hijacking: https://www.diffchecker.com/olaupX6a
Here's the Chromium code responsible for the checks: https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/intranet_redirect_detector.cc;l=107
on a tangent re: what level3 does with NXDOMAIN responses
@drwho The IP returns a page (https://paste.debian.net/plain/1253678) which redirects to http://searchguide.level3.com/search/?q=http://doesntexistajbehsjdhw&r=&t=0&akaCid=aaaaaaaa&bc= which has whitelabeled yahoo search results and maybe ads.
A bunch of technomancers in the fediverse. This arcology is for all who wash up upon it's digital shore.