Issue 181671 in chromium: Create a policy to disable DNS-hijack checks in enterprise


chro...@googlecode.com

Mar 11, 2013, 5:47:19 PM
to chromi...@chromium.org
Status: Untriaged
Owner: ----
CC: apps-tse...@chromium.org, mnis...@chromium.org
Labels: Type-Feature Pri-2 Cr-Internals-Network-DNS Enterprise
Hotlist-Enterprise

New issue 181671 by roy...@chromium.org: Create a policy to disable
DNS-hijack checks in enterprise
http://code.google.com/p/chromium/issues/detail?id=181671

Customer is requesting that there be a policy to disable DNS hijack checks
(which are done by sending random DNS queries to see if anyone resolves them).

Use case: Chrome's use of random hostnames may be triggering a
system/networking bug which is documented here crbug/174242. This is
impacting other infrastructure on the network. Customer wants a way to
disable it while they investigate this issue. If no option is provided they
may have to abandon the use of Chrome.


chro...@googlecode.com

Mar 11, 2013, 5:56:19 PM
to chromi...@chromium.org
Updates:
Labels: Cr-UI-Browser-Omnibox

Comment #1 on issue 181671 by mme...@chromium.org: Create a policy to
disable DNS-hijack checks in enterprise
http://code.google.com/p/chromium/issues/detail?id=181671

I don't believe this is actually part of the network stack. It's a feature
of the omnibox, which uses that information in its suggestions.

chro...@googlecode.com

Mar 11, 2013, 6:11:19 PM
to chromi...@chromium.org
Updates:
Cc: pkas...@chromium.org

Comment #2 on issue 181671 by j...@chromium.org: Create a policy to disable
(No comment was entered for this change.)

chro...@googlecode.com

Mar 11, 2013, 6:13:19 PM
to chromi...@chromium.org

Comment #3 on issue 181671 by pkas...@chromium.org: Create a policy to
disable DNS-hijack checks in enterprise
http://code.google.com/p/chromium/issues/detail?id=181671

There is a switch that will disable these pings, along with some other
network traffic the frontend does (meaning, do not use this switch
long-term): --disable-background-networking.

Does this suffice? I'm loath to create a policy to cover these pings
directly as this functionality is really low-level stuff.

chro...@googlecode.com

Mar 11, 2013, 6:15:19 PM
to chromi...@chromium.org

Comment #4 on issue 181671 by roy...@google.com: Create a policy to disable
I'll check if the customer can try this. It's easier to deploy a GPO, but
maybe they have some way to customize launch shortcuts.

chro...@googlecode.com

Mar 11, 2013, 6:22:19 PM
to chromi...@chromium.org

Comment #5 on issue 181671 by roy...@google.com: Create a policy to disable
DNS-hijack checks in enterprise
http://code.google.com/p/chromium/issues/detail?id=181671

I'll check if the customer can try this. It's easier to deploy a GPO, but
maybe they have some way to customize launch shortcuts.

chro...@googlecode.com

Aug 15, 2013, 10:50:46 AM
to chromi...@chromium.org

Comment #8 on issue 181671 by thomas.p...@gmail.com: Create a policy to
disable DNS-hijack checks in enterprise
http://code.google.com/p/chromium/issues/detail?id=181671

The DNS Hijack check triggers NXDOMAIN errors that create false positives
from a security perspective when looking for hosts infected with
malware/botnets using DGAs. Is there something specific about the DNS check
that I can use to exclude these checks from DGA security monitoring?

chro...@googlecode.com

Aug 15, 2013, 2:13:37 PM
to chromi...@chromium.org

Comment #9 on issue 181671 by pkas...@chromium.org: Create a policy to
disable DNS-hijack checks in enterprise
http://code.google.com/p/chromium/issues/detail?id=181671

The hosts are always ten alphabetic characters, IIRC.

chro...@googlecode.com

Aug 16, 2013, 10:51:47 AM
to chromi...@chromium.org

Comment #10 on issue 181671 by thomas.p...@gmail.com: Create a policy to
disable DNS-hijack checks in enterprise
http://code.google.com/p/chromium/issues/detail?id=181671

So any botnet author utilizing a DGA only has to generate 10 alphabetic
characters now to mimic Chrome's DNS Hijacking check.

I wonder if there is a different approach Chrome can take without
intentionally attempting to generate DNS errors.

chro...@googlecode.com

Aug 16, 2013, 5:39:40 PM
to chromi...@chromium.org

Comment #11 on issue 181671 by pkas...@chromium.org: Create a policy to
disable DNS-hijack checks in enterprise
http://code.google.com/p/chromium/issues/detail?id=181671

I get the impression you'd have been upset if I said "no, there's no
pattern", but you don't like that there is a pattern, either.

If so, then I don't know how Chrome could operate in a more pleasing
fashion while still detecting DNS hijacking, but I'm certainly willing to
entertain alternative suggestions.

chro...@googlecode.com

Oct 14, 2015, 4:57:57 PM
to chromi...@chromium.org

Comment #12 on issue 181671 by gespenst...@gmail.com: Create a policy to
disable DNS-hijack checks in enterprise
https://code.google.com/p/chromium/issues/detail?id=181671

I believe this is still not resolved and there's no mechanism in place to
control this Chrome behavior. I'd like to up this so an option to disable
the DNS hijack check is added; it is a go/no-go issue regarding possible use of
Chrome in an enterprise environment.

chro...@googlecode.com

Oct 14, 2015, 7:59:50 PM
to chromi...@chromium.org

Comment #14 on issue 181671 by gespenst...@gmail.com: Create a policy to
disable DNS-hijack checks in enterprise
https://code.google.com/p/chromium/issues/detail?id=181671

@13: saw that, it's a limited option because a) other functionality gets
dropped and b) there's no easy and robust way to configure and enforce it
enterprise-wide.

What the topic starter, I suppose, wanted to see is an option (not
a command-line) to disable it and changes to Chrome group policy allowing
it to be configured via GP.

chro...@googlecode.com

Oct 14, 2015, 8:22:52 PM
to chromi...@chromium.org

Comment #15 on issue 181671 by pkas...@chromium.org: Create a policy to
disable DNS-hijack checks in enterprise
https://code.google.com/p/chromium/issues/detail?id=181671

Per comments 3 and 6, I'm not willing to add any such policy currently.

If you'd like to tell me what's problematic about the current behavior I'm
happy to attempt to work with you to find an alternate solution. But
adding an override for this is not something I think is best.

chro...@googlecode.com

Oct 14, 2015, 11:01:08 PM
to chromi...@chromium.org

Comment #16 on issue 181671 by gespenst...@gmail.com: Create a policy to
disable DNS-hijack checks in enterprise
https://code.google.com/p/chromium/issues/detail?id=181671

Same as for thomas, it triggers our IDS/breach detection tools.
Random-looking DNS is otherwise a pretty robust way to detect malware
attempting to communicate back to command & control and DL malicious
payload and/or newer versions/attacking modules for lateral movement.

I totally understand that it can be a PITA to change complicated and
low-level code for this, seemingly minor incident that most end users don't
complain about (because of, well, being end users), but in enterprise it is
a major PITA for us, security guys, to have users who use Chrome.

What we currently do is tune the random-looking DNS indicator to not produce
alerts if there aren't "too many" queries, but the fact is, it makes us blind
to malware that's not too arrogant in using DGA trying to talk to C&C, and
still sometimes we get false positives for computers where Chrome gets
launched/closed several times in a row. Hopefully malware will be caught by
other indicators, but it makes us think about whether we really need Chrome in
the enterprise or not.

In the light of recent events the industry is introducing stricter security
controls and deploying more tools that alert on malicious activity in
active breach phase. I believe that this change will make chromium much
more usable in enterprise environment where I don't see it much and
chromium will get more positive votes from security teams.

Anyways, thanks for at least arguing on that.
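
The tuning discussed in comments #9, #10 and #16, as an added example that is not part of the thread or of Chromium: NXDOMAIN queries whose leftmost label has the ten-alphabetic-character shape are counted separately per client and rate-capped rather than whitelisted, while other NXDOMAIN bursts keep a lower threshold. The log format, the window, both thresholds and the leftmost-label matching are assumptions of this example; the sample log is constructed.

```python
import re
from collections import defaultdict

# Shape from comment #9: ten alphabetic characters. Matching only the leftmost
# label (a DNS search suffix may follow) is an assumption of this example.
PROBE_LABEL = re.compile(r"[A-Za-z]{10}")

# Constructed sample resolver log: "epoch_seconds client qname rcode".
SAMPLE_LOG = """\
1000 10.0.0.5 qpwkzmxnrt NXDOMAIN
1001 10.0.0.5 hbvtyueoal.corp.example NXDOMAIN
1002 10.0.0.5 zzkqjwpmcd NXDOMAIN
1003 10.0.0.5 www.example.com NOERROR
2000 10.0.0.9 kq3x9v0aa1b7.example.net NXDOMAIN
2004 10.0.0.9 x8rr2mmz01qd.example.net NXDOMAIN
2009 10.0.0.9 p0o9i8u7y6t5.example.net NXDOMAIN
""" + "".join(f"{3000 + i} 10.0.0.7 {chr(97 + i) * 10} NXDOMAIN\n" for i in range(8))


def triage(log_text, window=60, probe_cap=6, other_threshold=3):
    """Return {client: verdict}; window and thresholds are illustrative values."""
    events = defaultdict(list)  # client -> [(timestamp, is_probe_shaped)]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "NXDOMAIN":
            continue
        ts, client, qname, _ = parts
        label = qname.rstrip(".").split(".")[0]
        events[client].append((int(ts), bool(PROBE_LABEL.fullmatch(label))))

    verdicts = {}
    for client, evs in events.items():
        evs.sort()
        worst_probe = worst_other = 0
        for i, (start, _) in enumerate(evs):
            in_win = [shaped for t, shaped in evs[i:] if t - start <= window]
            worst_probe = max(worst_probe, sum(in_win))
            worst_other = max(worst_other, len(in_win) - sum(in_win))
        if worst_other >= other_threshold:
            verdicts[client] = "alert-nxdomain-burst"
        elif worst_probe > probe_cap:
            # Comment #10: the shape is trivially mimicked, so it is rate-capped
            # per client instead of being whitelisted outright.
            verdicts[client] = "alert-probe-shape-over-cap"
        else:
            verdicts[client] = "quiet"
    return verdicts
```

Calling `triage(SAMPLE_LOG)` leaves the client with three probe-shaped lookups quiet and flags both the mixed-character burst and the client that sends eight probe-shaped names inside one window.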

chro...@googlecode.com

Oct 14, 2015, 11:58:11 PM
to chromi...@chromium.org

Comment #17 on issue 181671 by pkas...@chromium.org: Create a policy to
disable DNS-hijack checks in enterprise
https://code.google.com/p/chromium/issues/detail?id=181671

Here's an idea.

Can you packet-inspect the requests? Chrome's redirect detector uses HTTP
HEAD requests rather than HTTP GET. Any malware is either going to be
using HTTP GET, or not HTTP at all. So if you see HTTP HEAD, you'll know
the requests are innocuous.

This avoids the false negative problem with having a query frequency
threshold.

chro...@googlecode.com

Oct 15, 2015, 6:54:07 PM
to chromi...@chromium.org

Comment #22 on issue 181671 by David.Sc...@gmail.com: Create a policy to
disable DNS-hijack checks in enterprise
https://code.google.com/p/chromium/issues/detail?id=181671

I can't speak for everyone else, but my problem is that Chrome is using a
clever algorithm to detect information about my corporate network that I
would rather provide directly. This is the reason I'm interested in this
thread and would like to see the policy added. However, I'm not in the
situation that this is a go/no go issue as in #12 or causing issues with
our SIEM device as in others.