1

I would like a comprehensive explanation of the security and privacy risks that come with DNS prefetching. There are already other posts about this topic, but I want current information and feedback on my concerns. Thanks in advance.

The Helmet.js documentation says X-DNS-Prefetch-Control is turned off to improve user privacy, but doesn't explain why DNS prefetching is a privacy concern. Is turning DNS prefetching off generally a good default?

helmet.dnsPrefetchControl sets the X-DNS-Prefetch-Control header to help control DNS prefetching, which can improve user privacy at the expense of performance. See documentation on MDN for more.

I've read that DNS prefetching is done in plaintext, which can reveal information if there's a MITM attack, but is that information current? If so, why are the requests plaintext?

This article shows how you can bypass the CSP with DNS prefetching. Have things changed since the article was written in 2016?

I feel that this OWASP Cheatsheet excerpt should be included so you know what I know.

The default behavior of browsers is to perform DNS caching which is good for most websites. If you do not control links on your website, you might want to set off as a value to disable DNS prefetch to avoid leaking information to those domains.

Liz
  • 351
  • 3
  • 9

1 Answers1

1

(Context: I worked on a DNS prefetching feature circa Firefox 1.0, but have not directly worked on the security aspects of networking for some time).

As the first answer, here's the basic problem:

1- Perfetching of DNS does not extensively improve performance in the real world.

There's a lot of caching and optimization in DNS (enough where most people probably don't know the state of the art... this probably includes me).

So the benefit is usually small. Making this a preference/feature seems okay, but I'd argue it should be off by default.

2- When you DNS prefetch, this means, you might let other people dictate where your DNS queries go. Imagine an ad that points to "www.evil.com"

With prefetching on, viewing the page with the add will send a DNS query, even if though you have not viewed the content. The DNS admin can setup "evil.com" in a way that maximizes their logging, which might allow them to see what networks you use.

Also, they can customize the hostnames, think about: (your tracking number).evil.com

What is worse, there will be a strong correlation pre-fetched DNS queries that aren't DNS cached, and the unique hostname (FQDN's) that the attacker is distributing to you.

benc
  • 1,381
  • 5
  • 31
  • 39
  • Thank you very much for your answer! Do you think you could point me to a resource on DNS prefetching performance in the real world? I struggled to find anything. I also didn't quite understand your last couple sentences. Could you please explain what you mean by "What is worse, there will be a strong correlation pre-fetched DNS queries that aren't DNS cached, and the unique hostname (FQDN's) that the attacker is distributing to you." – Liz Mar 01 '23 at 07:01
  • 1
    @Liz: Let's say you pull up a page with 10 ads. A couple are from ads.com (like ad1.ads.com, ad2.ads.com, etc...) If it is a popular ad network (in many other sites), then pre-fetching DNS won't improve your clikcthru load time... Let's say the other 8 ads were sold to an attacker, they would be full of FQDNs you'd never heard of ("sucker.net", "prefetch-is-good.com", etc). If DNS pre-fetching is off, then nothing would happen unless you clicked on the ad.. If DNS pre-fetching is on, then the page triggers a variety of DNS lookups to those domains, which could be captured. – benc Mar 01 '23 at 12:52