A few days ago I was troubleshooting an issue with my laptop when I noticed a large number of errors in the system log that looked like this:
Name resolution for the name nrumtznshm.mydomain.org timed out after none of the configured DNS servers responded.
This was a warning in the Windows System Event Log with a Source of DNS Client Events and an Event ID of 1014.
I was seeing a lot of failed DNS requests in the log because the evening before my home network had gone down and been offline overnight. I wasn’t surprised to see DNS resolution failures (since the network was offline). But what in the world is my laptop doing making DNS requests for a machine named nrumtznshm on my domain? I know there is no machine with this name.
To make things even scarier I saw dozens of these DNS lookup failures in the log for the night before. Each failure was against a different and random ten-character machine name. This looked a little suspicious to me. My first thought was a virus or malware application was searching my network!
Immediately I ran a full scan of my system with a virus scanner. Fortunately it came back completely clean. The virus definition file was up to date and it hadn’t found any viruses or malware. Not even any questionable cookies. Ok, so that was a good sign.
Next I searched the internet for this issue with search terms about random machine name, DNS name resolution failed, malware, virus, etc., but with no luck. I couldn’t find anyone else who had encountered this exact issue. Dr. Google had failed me!
I set about trying to figure out which application on my network was initiating these mysterious requests. Although the DNS Client log events had a process ID listed, I had difficulty tying this back because the process was no longer running or being displayed in Process Explorer. In order to figure out what was causing this issue I decided to open Fiddler Web Debugger (a fantastic tool by Eric Lawrence that I rely on constantly to help me troubleshoot issues with web servers and web applications) and let it run in the background while I worked. I was interested to see if the random DNS requests would show up.
Sure enough, after a couple of minutes, the mysterious requests appeared in Fiddler:
Aha! This was a great clue. The requests were being issued by Google Chrome. Could this be a bad extension? Some malware I inadvertently installed into Chrome?
A little more searching on Google led me to this Chromium bug report: 47262
It turns out Google issues these queries for nonexistent sites on purpose. This is done to prevent ISPs from hijacking search requests that users type into the URL bar of Chrome. More information on this may be found in the 47262 issue above. They have closed this issue and are not planning to modify these requests in any way as it is working as designed. I don’t think this is really a problem, but it was a little scary to see traces of these requests and not understand their purpose.
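For anyone triaging the same Event ID 1014 entries, here is an added example (not from the original post or from Chromium) that groups the failed names by parent domain and lists the ones matching the pattern described above: a ten-character random label, each looked up only once. The lowercase-letters-only rule, the `min_distinct` threshold and every sample line except the nrumtznshm one are assumptions made for illustration; a match is a hint, not proof of which process sent the query.

```python
import re
from collections import Counter, defaultdict

# Message text of DNS Client Events ID 1014, as quoted in the post.
EVENT_1014 = re.compile(
    r"Name resolution for the name (?P<name>\S+) timed out after none of "
    r"the configured DNS servers responded\."
)
# The post says the names are random and ten characters long; the one it
# shows is all lowercase letters (assumed here to hold for the others).
PROBE_LABEL = re.compile(r"[a-z]{10}")


def triage(messages, min_distinct=3):
    """Return {parent domain: sorted probe-like labels} for suspicious bursts.

    A label counts only if it was looked up exactly once, because the post
    reports that each failure was for a different name. A parent domain is
    reported once it has at least `min_distinct` such labels.
    """
    seen = Counter()
    for msg in messages:
        m = EVENT_1014.search(msg)
        if m:
            seen[m.group("name").lower().rstrip(".")] += 1

    by_suffix = defaultdict(list)
    for name, count in seen.items():
        label, _, suffix = name.partition(".")
        if count == 1 and PROBE_LABEL.fullmatch(label):
            by_suffix[suffix].append(label)
    return {s: sorted(v) for s, v in by_suffix.items() if len(v) >= min_distinct}


TEMPLATE = ("Name resolution for the name {} timed out after none of "
            "the configured DNS servers responded.")
# Constructed sample: only nrumtznshm.mydomain.org appears in the post.
SAMPLE = [TEMPLATE.format(n) for n in (
    "nrumtznshm.mydomain.org",
    "qpwlzkxvtb.mydomain.org",
    "hgytrmcnwa.mydomain.org",
    "fileserver.mydomain.org",   # real ten-letter host, retried twice
    "fileserver.mydomain.org",
    "www.example.com",
)]

if __name__ == "__main__":
    for suffix, labels in triage(SAMPLE).items():
        print(f"{len(labels)} probe-like lookups under {suffix}: {labels}")
```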
Hopefully this article will help save some time for others who notice these requests in their log. It’s not malware or a virus, but just Chrome making it easier for you to search and keeping ISPs from showing you advertisements on your Google searches.