Block Chrome own DNS resolution

Hi,

I have been researching the latest Chrome development and it now has different mechanisms for resolving DNS queries, including DNS over HTTPS directly to Google servers, bypassing local DNS settings.

Is there a way to block it?


Some references:

www.reddit.com/.../

https://www.xda-developers.com/fix-dns-ad-blocker-chrome/

discourse.pi-hole.net/.../9500


Any thoughts on this?

Thanks.

Jaime



  • Where is this feature documented? My first attempt to find details was not successful.

    But to the point: what do you see as the risks or problems created by having this feature enabled?

    Ever since I discovered that Chrome was using UDP 443 to bypass my webfilter, I have been suspicious of their performance improvement features, but I am using their DNS anyway, so I don't know whether I should be upset or not.

  • Hi,

    I found it out because I was developing a very easy way to filter content based on DNS. Like my OpenDNS.com but with a simple mobile app.

    So I set up dnsmasq on Ubuntu.

    So, I can have a dnsmasq cache (internal) server running on Ubuntu to resolve, for instance, youtube.com to 127.0.0.1 and so on. I point my WiFi AP to this dnsmasq machine.

    Everything worked when I tested it with nslookup from a Linux client PC: nslookup www.youtube.com -> 127.0.0.1. However, I noticed that when I tried to go to youtube.com from a Chrome browser it could go there.

    I sniffed the traffic on the Linux client machine and I found that even though it tried to contact the dnsmasq server to resolve and dnsmasq answered with 127.0.0.1, Chrome could still get to the real youtube.com server.

    In the URLs that I posted in my first post it says that Chrome has a built-in DNS client and uses a Google web service (I guess DNS over HTTPS) to contact Google's 8.8.8.8 servers.

    It could be a potential risk. It is known that there are some attacks using DNS tunneling. So far, several techniques have been used to block this kind of attack, e.g. DNS vendors use signatures to detect irregular DNS queries/traffic. Another technique has been to detect the amount of DNS traffic (which should be low) and apply traffic shaping.

    An attacker could tunnel DNS over HTTP and bypass FW filters.

    But I have tried to find a FW vendor which is able to identify DNS over HTTPS. So far I have not found one.

    Hope this explains my thoughts on this topic.
    Jaime
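The post above describes two things a network defender can actually act on: a client sending plain DNS to something other than the local dnsmasq box, and HTTPS (TCP 443) or QUIC (UDP 443, the port the first reply saw Chrome use) going straight to a public resolver such as 8.8.8.8. The script below is an added example, not code from the thread: it runs that detection logic over constructed flow records and prints the nftables rule bodies that would drop the flagged flows. The record format (`proto src dst dport`), the resolver address 192.168.1.10, the client 192.168.1.20 and the 203.0.113.10 web server are all made up for the example; 8.8.4.4 is Google's second public resolver address and is assumed here alongside the 8.8.8.8 named in the thread.

```python
"""Flag resolver-bypass and likely DNS-over-HTTPS sessions in flow records.

Added example for the thread above; it is not code from the original post.
Assumptions: flow records have the form "<proto> <src_ip> <dst_ip> <dst_port>",
the local dnsmasq resolver lives at LOCAL_RESOLVER (address made up here), and
8.8.8.8 / 8.8.4.4 are the public resolver addresses to watch.
"""
from dataclasses import dataclass
from ipaddress import ip_address

LOCAL_RESOLVER = "192.168.1.10"               # assumed address of the dnsmasq host
KNOWN_DOH_RESOLVERS = {"8.8.8.8", "8.8.4.4"}  # public resolvers that also answer DoH


@dataclass
class Finding:
    line_no: int
    reason: str
    record: str


def parse_flow(line: str):
    """Parse one record; raises ValueError on bad shape, bad IP or bad port."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}")
    proto, src, dst, dport = parts
    return proto.lower(), str(ip_address(src)), str(ip_address(dst)), int(dport)


def classify(proto: str, src: str, dst: str, dport: int):
    """Return a reason string for suspicious records, None for benign ones."""
    # Plain DNS that skips the local resolver: a client ignoring the AP/DHCP settings.
    if dport == 53 and dst != LOCAL_RESOLVER:
        return "dns-to-foreign-resolver"
    # TCP 443 to a public resolver is the DoH case from the thread; UDP 443 to the
    # same address is QUIC, the "UDP 443" the first reply saw Chrome use.
    if dport == 443 and dst in KNOWN_DOH_RESOLVERS:
        return "doh-to-known-resolver" if proto == "tcp" else "quic-to-known-resolver"
    return None


def scan(lines):
    """Run classify() over records, keeping unparseable lines as findings too."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rec = parse_flow(line)
        except ValueError:
            findings.append(Finding(n, "unparseable", line))
            continue
        reason = classify(*rec)
        if reason:
            findings.append(Finding(n, reason, line))
    return findings


def block_rules():
    """nftables rule bodies that drop the flows flagged above (assumed policy)."""
    ips = ", ".join(sorted(KNOWN_DOH_RESOLVERS))
    return [
        f"ip daddr {{ {ips} }} tcp dport 443 drop",
        f"ip daddr {{ {ips} }} udp dport 443 drop",
        f"ip daddr != {LOCAL_RESOLVER} udp dport 53 drop",
    ]


# Constructed sample records (not a real capture): proto src dst dport
SAMPLE_LOG = """\
# client 192.168.1.20 behind the WiFi AP; resolver is 192.168.1.10
udp 192.168.1.20 192.168.1.10 53
udp 192.168.1.20 8.8.8.8 53
tcp 192.168.1.20 8.8.8.8 443
udp 192.168.1.20 8.8.8.8 443
tcp 192.168.1.20 203.0.113.10 443
tcp 192.168.1.20 8.8.4.4 443
malformed record
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.reason}: {f.record}")
    print("\n".join(block_rules()))
```

The check only catches traffic to addresses you already list: DoH to any other provider, or to the same provider via a different address, looks like ordinary HTTPS on the wire, which is why the thread found no firewall vendor that identifies it by inspection. The durable control is therefore the one the rules encode: run your own resolver, allow port 53 only to it, and drop 443 to the resolver addresses you know about, so that a browser which tries them falls back to the local dnsmasq answers.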