Weird DNS queries from svchost.exe (google.com.onion, wildcard + malformed domains) – anyone seen this on Windows?
A Windows 11 host generated a burst of unusual DNS queries from svchost.exe within a single second: google.com.onion, *google.com (a leading-asterisk label), a www.google.com variant whose first label is padded with dozens of extra characters, and google.com itself. The .onion query returned NXDOMAIN, and no follow-up connections or resolved addresses were observed. The set looks like synthetic or deliberately malformed probes rather than user-initiated activity, and resembles the DNS probing / spoof-detection patterns reported on other devices. Which service under svchost.exe issued the queries is unclear; the candidates raised are normal Windows DNS Client behavior, network validation logic, or a security tool exercising DNS. No malicious activity or exploit is confirmed.
AI Analysis
Technical Summary
This report describes a burst of anomalous DNS queries attributed to svchost.exe (running as NT AUTHORITY\SYSTEM) on a Windows 11 endpoint, recorded by Sysmon Event ID 22. Within the same second the process queried google.com.onion, *google.com (a leading-asterisk label that is not a valid hostname), a www.google.com variant whose first label is padded with dozens of repeated o characters, and google.com itself. The .onion query returned NXDOMAIN (DNS_ERROR_RCODE_NAME_ERROR), and no follow-up network connections or resolved addresses were observed, so there is no evidence of exploitation. Querying a known-good name alongside names that must never resolve (a .onion name, a malformed label) is the usual shape of a DNS-hijack or captive-portal probe: if the bogus names come back with answers, the resolver in the path is rewriting responses. That pattern has been reported on other platforms; here the originating service under svchost.exe is undetermined, with the DNS Client (Dnscache), Windows network validation logic, and an EDR/XDR agent exercising DNS all raised as hypotheses. No known exploit or vulnerability is associated with this behavior.
Potential Impact
No direct impact or exploitation has been observed: the anomalous queries were answered with NXDOMAIN and were not followed by connections from the same process. The behavior is most consistent with benign probing by a system component or a security tool. The residual risk is operational rather than technical: if the noisy .onion alert is suppressed wholesale before the source is identified, a genuine Tor-related lookup from a different process would later be hidden by the same exclusion.
Mitigation Recommendations
No patch or remediation is indicated. Before suppressing anything, attribute the queries to a specific service rather than to svchost.exe in general. Sysmon Event ID 22 carries the ProcessGuid and ProcessId of the calling process; join those to the matching Event ID 1 (process creation), whose CommandLine on Windows 10 and later normally names the hosted service with the -s switch (for example svchost.exe -k NetworkService -p -s Dnscache), or, while the process is still alive, run tasklist /svc /fi "PID eq <pid>". The account is a second discriminator: the DNS Client service (Dnscache) runs as NT AUTHORITY\NetworkService by default, whereas the reported queries ran as SYSTEM. Check for Event ID 3 (network connection) from the same ProcessGuid in the minute after the burst, and confirm that the .onion and malformed names came back NXDOMAIN rather than with an answer, since a resolved .onion name would point at a resolver that is rewriting responses. Once the owning component is confirmed benign, narrow the .onion detection to that image and command-line pair instead of disabling it. No urgent action is necessary based on current information.
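As an added worked example (not part of the original post or of the aggregator's analysis), the Python below applies the triage described above to constructed Sysmon records: it joins Event ID 22 DNS queries to the Event ID 1 command line of the same ProcessGuid to recover the service behind svchost.exe from the -s switch, tags query names that look synthetic (a .onion TLD, a leading asterisk, a label longer than the 63-octet RFC 1035 limit), checks whether any of those names actually resolved, and looks for Event ID 3 connections from the same process in the minute after the burst. The service name HypotheticalSvc, the GUIDs, the addresses and the second, contrasting process are all assumptions made for the sample; none of it is the poster's telemetry.

```python
"""Triage a burst of odd DNS queries attributed to svchost.exe using Sysmon
events alone: Event ID 1 (process create), 22 (DNS query), 3 (network connect).
All records below are CONSTRUCTED to mirror the report; none are real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

NXDOMAIN = "9003"                 # Sysmon QueryStatus for DNS_ERROR_RCODE_NAME_ERROR
MAX_LABEL_LEN = 63                # RFC 1035 label length limit
FOLLOWUP_WINDOW = timedelta(seconds=60)
TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"

# "-s HypotheticalSvc" is an ASSUMED service name; on Windows 10+ most services
# get their own svchost.exe whose command line names them with the -s switch.
SAMPLE_EVENTS = [
    {"EventId": 1, "UtcTime": "2026-06-18 12:59:10.000", "ProcessGuid": "{A}",
     "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s HypotheticalSvc"},
    {"EventId": 22, "UtcTime": "2026-06-18 13:00:00.120", "ProcessGuid": "{A}",
     "QueryName": "google.com.onion", "QueryStatus": NXDOMAIN, "QueryResults": ""},
    {"EventId": 22, "UtcTime": "2026-06-18 13:00:00.130", "ProcessGuid": "{A}",
     "QueryName": "*google.com", "QueryStatus": NXDOMAIN, "QueryResults": ""},
    {"EventId": 22, "UtcTime": "2026-06-18 13:00:00.140", "ProcessGuid": "{A}",
     "QueryName": "www.g" + "o" * 60 + "gle.com", "QueryStatus": NXDOMAIN, "QueryResults": ""},
    {"EventId": 22, "UtcTime": "2026-06-18 13:00:00.150", "ProcessGuid": "{A}",
     "QueryName": "google.com", "QueryStatus": "0", "QueryResults": "::ffff:198.51.100.10;"},
    # Contrast case (constructed): a user-land binary whose .onion lookup RESOLVED
    # and was followed by an outbound connection. That is what should escalate.
    {"EventId": 1, "UtcTime": "2026-06-18 13:05:00.000", "ProcessGuid": "{B}",
     "Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe", "User": r"CORP\alice",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\tool.exe"},
    {"EventId": 22, "UtcTime": "2026-06-18 13:05:01.000", "ProcessGuid": "{B}",
     "QueryName": "example.onion", "QueryStatus": "0", "QueryResults": "::ffff:203.0.113.5;"},
    {"EventId": 3, "UtcTime": "2026-06-18 13:05:02.000", "ProcessGuid": "{B}",
     "DestinationIp": "203.0.113.5", "DestinationPort": "443"},
]


def parse_time(s):
    return datetime.strptime(s, TIME_FMT)


def service_from_cmdline(cmdline):
    """Service named by a per-service svchost command line (-s <Service>),
    or None for a shared host that only carries a -k group."""
    m = re.search(r"(?:^|\s)-s\s+(\S+)", cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def classify_name(name):
    """Tags that make a query name look synthetic rather than user-driven."""
    labels = name.rstrip(".").split(".")
    tags = set()
    if labels[-1].lower() == "onion":
        tags.add("onion_tld")              # never resolvable via public DNS
    if name.startswith("*"):
        tags.add("leading_wildcard")       # '*' is not a valid hostname label
    if any(len(label) > MAX_LABEL_LEN for label in labels):
        tags.add("overlong_label")         # exceeds the RFC 1035 63-octet limit
    return tags


def triage(events):
    """Per ProcessGuid: owning service (from Event 1), flagged names, whether
    any flagged name actually resolved, and connections shortly after the burst."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventId"] == 1}
    queries, conns = defaultdict(list), defaultdict(list)
    for e in events:
        if e["EventId"] == 22:
            queries[e["ProcessGuid"]].append(e)
        elif e["EventId"] == 3:
            conns[e["ProcessGuid"]].append(e)
    report = {}
    for guid, qs in queries.items():
        qs.sort(key=lambda e: parse_time(e["UtcTime"]))
        first, last = parse_time(qs[0]["UtcTime"]), parse_time(qs[-1]["UtcTime"])
        flagged = [q for q in qs if classify_name(q["QueryName"])]
        resolved = [q for q in flagged if q["QueryStatus"] != NXDOMAIN]
        followups = [c for c in conns.get(guid, [])
                     if first <= parse_time(c["UtcTime"]) <= last + FOLLOWUP_WINDOW]
        proc = procs.get(guid, {})
        report[guid] = {
            "image": proc.get("Image"),
            "user": proc.get("User"),
            "service": service_from_cmdline(proc.get("CommandLine", "")),
            "burst_seconds": (last - first).total_seconds(),
            "flagged": [(q["QueryName"], sorted(classify_name(q["QueryName"]))) for q in flagged],
            "resolved_flagged": len(resolved),
            "followup_connections": len(followups),
            # A bogus name that resolved, or traffic right after the burst,
            # is what turns "probe-like" into something to escalate.
            "verdict": "escalate" if resolved or followups else "probe-like; confirm owning service",
        }
    return report


if __name__ == "__main__":
    for guid, r in triage(SAMPLE_EVENTS).items():
        print(guid, r["user"], r["service"], r["verdict"], r["flagged"])
```

To run this against real data, replace SAMPLE_EVENTS with the EventData fields exported from the Microsoft-Windows-Sysmon/Operational log (for example Get-WinEvent piped through ConvertTo-Json); the keys used here are Sysmon's own field names. A burst that comes back "probe-like" still needs the owning service confirmed before the .onion rule is narrowed to it.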
Reddit Discussion
I’m investigating a DNS-related alert and wanted to check if anyone has seen similar behavior in a Windows environment.
We observed the following DNS queries from a Windows 11 host:
google.com.onion
*google.com
www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com
google.com
All of these were generated within the same second by:
- svchost.exe
- Running as NT AUTHORITY\SYSTEM
- Sysmon Event ID 22 (DNS query)
Some key observations:
- The .onion query returned NXDOMAIN (DNS_ERROR_RCODE_NAME_ERROR)
- No follow-up connections or IP resolution were observed
- The behavior looks like a burst of synthetic / malformed queries rather than user activity
This pattern looks very similar to what people have reported on Samsung devices (MobileWIPS DNS probing / spoof detection), but this is a Windows endpoint.
Question:
- Has anyone seen similar DNS query patterns from svchost.exe on Windows endpoints?
- Could this be:
  - DNS Client (Dnscache) behavior?
  - Some Windows network validation / spoof detection logic?
  - Or triggered indirectly by EDR/XDR tools interacting with DNS?
- Any reliable way to map this definitively to a specific service under svchost using logs alone?
At the moment, it looks benign (NXDOMAIN + no connections), but the .onion query is triggering alerts, so trying to confirm before suppressing.
Appreciate any insights.
Technical Details
- Source Type: Subreddit
- Subreddit: blueteamsec+AskNetsec+Information_Security
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a33f083f198dc38c1dc4958
Added to database: 6/18/2026, 1:20:03 PM
Last enriched: 6/18/2026, 1:20:11 PM
Last updated: 6/18/2026, 11:34:10 PM