After a couple hours of boredom waiting for a conference to start, I decided to fire up Wireshark and see what I could see across the wireless.  I was greeted with the first few packets appearing to be my machine reaching out to random domains on the internet (see below). Something was attempting to lookup random hostnames on every domain in my search list.  This freaked me out more than just a little.  Was my machine infected with malware randomly trying to call home?

Thankfully, since I don’t consider Google Chrome as malware.  According to Bojan over at the SANS Internet Storm Center, Chrome attempts three random DNS queries to determine if the ISP is redirecting failed DNS lookups.  Chrome attempts to pre-cache pages in advance thus does a lot of DNS lookups while you are still typing in the address bar.  If ISP’s like Time Warner (now Spectrum) employ catch-all DNS zones to redirect failed lookups, then Chrome cannot utilize its pre-caching features.  Hence these checks which run in the background – apparently even when Chrome is just sitting in memory but no window is open.

Just another reminder to stop all external processes when you are packet spelunking.