anybody has trouble with chrome bypassing local dns servers?

wolffnx

wolffnx

something new...reinveinteing the wheel..again
this is happen a log time ago but now is the default behaviour in google chrome

In one of my firewalls PF+Bind9+squid transparent mode(only http) I discover that google chrome bypass my local dns
and even dont pass for the 53 udp/tcp port!

one thing I read was about "DNS prefetching" and that chrome read in the pages that the user visit a header
"sugesting" an external dns server to resolve

and guest what are the pages that bypass the internal dns? that ones that the corporate client dont wnat that the user visit
like facebook or youtube

anyone came to a solution with this?
 
This is most probably caused by the DoH (DNS over HTTPS) protocol, which was invented by Google and Mozilla, who recklessly pushed this through all standardization instances and implemented and rolled-out it in no time.

Besides deactivating DoH in Firefox (there must be a switch for this in Chrome as well), I added the following rules to the ipfw(8) firewall of the gateway which happens to be a FreeBSD server:

Code: 
...
# Block DNS bypassing via CloudFlare's 1... and Google's 8.8..
/sbin/ipfw -q add 96 deny ip from any to 1.0.0.0/24,1.1.1.0/24,8.8.0.0/16 53,853
/sbin/ipfw -q add 97 deny ip from any to 1.0.0.0/24,1.1.1.0/24,8.8.0.0/16 443

My gateway is running local_unbound as a recursive caching resolver and I added to /etc/unbound/unbound.conf the following void zone:
Code: 
# Tell Firefox to not automagically send traffic to Cloudflare and other DoH services
local-zone: "use-application-dns.net" static

I am not 100% sure, but I vaguely remember that I read somewhere that Chrome would honour this DNS entry as well.
 
thanks SirDice , the only option I have without manage the https traffic is to block the DoH servers in
PF
and yes,there is a option in chrome and firefox to disable,but soon or later the user will discover it
 
You must log in or register to reply here.
Back
Top