
Block Chrome own DNS resolution

Hi,

I have been researching the latest Chrome development, and it now has different mechanisms for resolving DNS queries, including DNS over HTTPS direct to Google servers, bypassing local DNS settings.

Is there a way to block it?


Some references:

www.reddit.com/.../

https://www.xda-developers.com/fix-dns-ad-blocker-chrome/

discourse.pi-hole.net/.../9500


Any thoughts on this?

Thanks.

Jaime



  • Had not heard this.

    Another reason to use HTTPS inspection, which ensures that DNS resolution occurs at UTM.

  • Thanks!

    How would HTTPS inspection avoid DNS over HTTPS?

    Cheers.

    Jaime

  • You can't block DNS if it is allowed for all. If UTM is the primary DNS server, maybe you can define a fake one.

  • I was actually thinking Standard Mode Web Proxy, because the browser is supposed to ask UTM to fetch the URL, and the URL-to-DNS lookup is done by UTM. It would probably have to be combined with HTTPS inspection, since without decrypt-and-scan, UTM loses visibility into what is happening inside the tunnel (and Google uses HTTPS for everything they do).

    But I also scanned the latest Chrome Group Policy settings, and there is a flag for

    BuiltInDnsClientEnabled (0=Disabled, 1=Enabled)

    I hope this has an equivalent effect to the command line --disable-async-dns, but I have not proved it yet.

    I read some posts which said that it was configurable from the flags page in some versions of Chrome, but I do not see a setting like that on the flags page of my current version. So it appears that Chrome is making it harder and harder to disable this feature. Must be good money in it for them.

  • Where is this feature documented? My first attempt to find details was not successful.

    But to the point: what do you see as the risks or problems created by having this feature enabled?

    Ever since I discovered that Chrome was using UDP 443 to bypass my webfilter, I have been suspicious of their performance improvement features, but I am using their DNS anyway, so I don't know whether I should be upset or not.

  • Hi,

    I found it out because I was developing a very easy way to filter content based on DNS, like my OpenDNS.com but with a simple mobile app.

    So I set up dnsmasq on Ubuntu.

    So, I can have a dnsmasq cache (internal) server running on Ubuntu to resolve, for instance, youtube.com to 127.0.0.1 and so on. I point my WiFi AP to this dnsmasq machine.

    Everything worked when I tested it with nslookup from a Linux client PC: nslookup www.youtube.com -> 127.0.0.1. However, I noticed that when I tried to go to youtube.com from a Chrome browser it could go there.

    I sniffed the traffic on the Linux client machine and I found that even though it tried to contact the dnsmasq server to resolve and the dnsmasq answered with 127.0.0.1, Chrome could get to the real youtube.com server.

    In the URLs that I passed in my first post it says that Chrome has a built-in DNS client and uses a Google web service (I guess DNS over HTTPS) to contact Google's 8.8.8.8 servers.

    It could be a potential risk. It is known that there are some attacks using DNS tunneling. So far, several techniques have been used to block this kind of attack: i.e. DNS vendors use signatures to detect irregular DNS queries/traffic. Another technique has been to detect the amount of DNS traffic (which should be low) and apply traffic shaping.

    An attacker could tunnel DNS over HTTP and bypass FW filters.

    But I have tried to find FW vendors which are able to identify DNS over HTTPS. So far I have not found any.

    Hope this explains my thoughts on this topic.
    Jaime
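One way a gateway operator could spot the bypass described in this thread, as an added example that is not code from the thread or from any product mentioned in it: correlate the answers the local resolver actually handed out with the outbound HTTPS connections each client opens, and flag destinations the resolver never returned. The dnsmasq `log-queries` lines, the iptables-style connection lines, and all addresses below are constructed samples.

```python
import re

# Constructed dnsmasq log (log-queries style). The local resolver sinkholes
# www.youtube.com to 127.0.0.1, exactly as the poster configured it.
DNSMASQ_LOG = """\
Jan  5 10:00:01 dnsmasq[812]: query[A] www.youtube.com from 192.168.1.10
Jan  5 10:00:01 dnsmasq[812]: config www.youtube.com is 127.0.0.1
Jan  5 10:00:02 dnsmasq[812]: query[A] www.example.com from 192.168.1.10
Jan  5 10:00:02 dnsmasq[812]: reply www.example.com is 93.184.216.34
"""

# Constructed gateway connection log (iptables-style NEW TCP/443 flows).
# 172.217.16.14 stands in for a real video server the client reached anyway;
# 8.8.8.8:443 is what a DNS-over-HTTPS session to Google would look like.
CONN_LOG = """\
Jan  5 10:00:02 gw kernel: NEW SRC=192.168.1.10 DST=93.184.216.34 PROTO=TCP DPT=443
Jan  5 10:00:03 gw kernel: NEW SRC=192.168.1.10 DST=8.8.8.8 PROTO=TCP DPT=443
Jan  5 10:00:03 gw kernel: NEW SRC=192.168.1.10 DST=172.217.16.14 PROTO=TCP DPT=443
"""

# dnsmasq prefixes answers with "reply", "config" (address=/.../ rules) or "cached".
ANSWER_RE = re.compile(r"dnsmasq\[\d+\]: (?:reply|config|cached) (\S+) is (\d+\.\d+\.\d+\.\d+)")
CONN_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP DPT=443")


def resolved_addresses(dns_log):
    """Set of IPv4 answers the local resolver handed out in this log window."""
    answers = set()
    for line in dns_log.splitlines():
        m = ANSWER_RE.search(line)
        if m:
            answers.add(m.group(2))
    return answers


def unresolved_connections(conn_log, dns_log):
    """(src, dst) pairs for HTTPS connections whose destination the local
    resolver never returned: the client resolved the name some other way,
    which is what DNS over HTTPS to an external provider looks like."""
    known = resolved_addresses(dns_log)
    flagged = []
    for line in conn_log.splitlines():
        m = CONN_RE.search(line)
        if m and m.group(2) not in known:
            flagged.append((m.group(1), m.group(2)))
    return flagged


if __name__ == "__main__":
    for src, dst in unresolved_connections(CONN_LOG, DNSMASQ_LOG):
        print(f"{src} -> {dst}:443 without a local DNS answer")
```

In practice the correlation must use a log window at least as long as the cache TTLs involved, and a hit is a lead to investigate rather than proof of DoH, since CDN-rotated addresses and long-lived caches also produce connections without a fresh resolver answer.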