[AndyMcConachie]

Not exactly. Chrome doesn't know if you're trying to enter a domain name, hence URL, or are trying to enter a search term. The Omnibar supports both. So Chrome tries to resolve the string you entered and if it gets back an NXDOMAIN it can assume that it's a search term.

The problem is that some ISPs have configured their DNS resolvers to lie and not return NXDOMAIN. Instead redirecting you to some website for marketing purposes. The Chromium workaround is to try and detect if it is using a lying DNS resolver by issuing queries that it knows SHOULD return an NXDOMAIN.

If this concerns you run your own resolver, enable DNSSEC validation, and enable aggressive NSEC caching(RFC 8198).

[bo1024]

This post contains a bunch of information about the question, but it doesn't seem to actually address the question.

The question is: does Chromium send the first word I type to my ISP?

The answer appears to be: yes.

[throwaway18231]

I justed tested this myself via logging the DNS queries, and yes, this is true.

[rfoo]

> the first word

No.

The answer appears to be yes if you said "the only word", though.

[JeremyBanks]

...which the first word would be, as you typed it?

[bagacrap]

I think this only happens after you press enter, not as part of the omnibox real time results. After all the infobar mentioned in the article definitely only appears after you commit the search query.

[notatoad]

depends how fast you type - there's a delay on the query so it's not re-querying for every keystroke. but probably yes.

[gnu8]

So because Google thinks I am too stupid to handle a separate URL box and search box, and they are so much smarter than me that they can write a simple if-else to discern what I want with a few bullshit DNS queries, I’m stuck with a browser that leaks information and fails to do what I want several times a day until I learn to work around this behavior. And the proposed solution is for me, dumb dumb user that I am, to run my own resolver with DNSSEC validation and NSEC caching?

I am getting close to moving to a hut in the woods and forgetting all about the internet.

[jlg23]

I moved to the desert in a developing country. But fibre optics to the house took 4 days and is $55/month. There is no escape.

[tptacek]

DNSSEC can only distinguish valid from invalid NXDOMAINs on signed zones. A tiny, tiny minority of zones in .COM, .NET, .ORG, and .IO are signed. Installing your own local DNSSEC resolver to "fix" the Chrome URL bar would be a tremendous misallocation of effort.

If your ISP forges NXDOMAIN responses, the correct response is to DOH to a provider that doesn't do that. That's a simple networking config change, for which there is UI in every mainstream operating system. The DNSSEC part of this conversation is just silly.

[AndyMcConachie]

Do whatever you want as your proposed mitigation, but we are talking about the root zone here, which is signed.

[tptacek]

My proposed mitigation is being deployed in every modern browser, and completely eliminates the ISP-spoofed NXDOMAIN problem. Yours asks users to install their own DNS server, and still doesn't eliminate the problem. I'm comfortable saying that my advice is correct, and the advice to use DNSSEC to solve this problem is malpractice.

[mzs]

That infuriates me. It totally can know. Did it start with http:// https:// ftp:// ...? I really dislike how browsers decided everything is a search.

[shock]

> I really dislike how browsers decided everything is a search.

Not browsers, just chrome. The rest followed.