
How does DNS prefetching endanger security/privacy?


I would like a comprehensive explanation of the security and privacy risks that come with DNS prefetching. There are already other posts about this topic, but I want current information and feedback on my concerns. Thanks in advance.

The Helmet.js documentation says X-DNS-Prefetch-Control is turned off to improve user privacy, but doesn't explain why DNS prefetching is a privacy concern. Is turning DNS prefetching off generally a good default?

helmet.dnsPrefetchControl sets the X-DNS-Prefetch-Control header to help control DNS prefetching, which can improve user privacy at the expense of performance. See documentation on MDN for more.

I've read that DNS prefetching is done in plaintext, which can reveal information if there's a MITM attack, but is that information current? If so, why are the requests plaintext?

This article shows how you can bypass the CSP with DNS prefetching. Have things changed since the article was written in 2016?

I feel that this OWASP Cheatsheet excerpt should be included so you know what I know.

The default behavior of browsers is to perform DNS caching which is good for most websites. If you do not control links on your website, you might want to set off as a value to disable DNS prefetch to avoid leaking information to those domains.


Solution

  • (Context: I worked on a DNS prefetching feature circa Firefox 1.0, but have not directly worked on the security aspects of networking for some time).

    As the first answer, here's the basic problem:

    1- Prefetching of DNS does not extensively improve performance in the real world.

    There's a lot of caching and optimization in DNS (enough where most people probably don't know the state of the art... this probably includes me).

    So the benefit is usually small. Making this a preference/feature seems okay, but I'd argue it should be off by default.

    2- When you DNS prefetch, this means, you might let other people dictate where your DNS queries go. Imagine an ad that points to "www.evil.com"

    With prefetching on, viewing the page with the ad will send a DNS query, even though you have not viewed the content. The DNS admin can set up "evil.com" in a way that maximizes their logging, which might allow them to see what networks you use.

    Also, they can customize the hostnames, think about: (your tracking number).evil.com

    What is worse, there will be a strong correlation between pre-fetched DNS queries that aren't DNS cached and the unique hostnames (FQDNs) that the attacker is distributing to you.
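As an added example (not Helmet's or the page's own code), here is a minimal Express-style middleware that emits the X-DNS-Prefetch-Control header the question asks about, defaulting to the "off" value the OWASP excerpt recommends, together with a defender-side audit of served HTML for markup that still asks the browser to resolve third-party hostnames. It uses Node built-ins only; the function names and the sample page are constructed for this example.

```javascript
// Added example: Express-compatible middleware for X-DNS-Prefetch-Control
// plus an audit of HTML for prefetch/preconnect hints. Node built-ins only.
const HEADER = 'X-DNS-Prefetch-Control';

// Header value for a policy object. The privacy-preserving default is
// "off"; pass { allow: true } to opt back in to prefetching ("on").
function dnsPrefetchControlValue(opts = {}) {
  return opts.allow ? 'on' : 'off';
}

// Middleware with the (req, res, next) shape Express expects.
function dnsPrefetchControl(opts = {}) {
  const value = dnsPrefetchControlValue(opts);
  return function (req, res, next) {
    res.setHeader(HEADER, value);
    if (typeof next === 'function') next();
  };
}

// Defender-side audit: list hostnames that <link rel="dns-prefetch"> or
// <link rel="preconnect"> would make the browser resolve before any click,
// and flag a <meta http-equiv="x-dns-prefetch-control" content="on"> that
// asks to re-enable prefetching. Reconcile the result with the header
// policy and with the domains you actually control.
function auditPrefetchHints(html) {
  const findings = { hosts: [], metaOn: false };
  const linkRe = /<link\b[^>]*\brel\s*=\s*["']?(dns-prefetch|preconnect)\b[^>]*>/gi;
  for (const m of html.matchAll(linkRe)) {
    const href = /\bhref\s*=\s*["']?([^"'\s>]+)/i.exec(m[0]);
    if (!href) continue;
    try {
      // Scheme-relative hrefs like //host need a base to parse.
      findings.hosts.push(new URL(href[1], 'https://example.invalid').hostname);
    } catch (e) { /* malformed href: nothing to resolve */ }
  }
  for (const m of html.matchAll(/<meta\b[^>]*>/gi)) {
    const tag = m[0];
    if (/http-equiv\s*=\s*["']?x-dns-prefetch-control/i.test(tag) &&
        /\bcontent\s*=\s*["']?on\b/i.test(tag)) findings.metaOn = true;
  }
  return findings;
}

// Constructed sample page: one prefetch hint, one preconnect hint, and a
// meta tag requesting prefetching, i.e. what the audit should surface.
const SAMPLE_HTML =
  '<html><head><link rel="dns-prefetch" href="//tracker.example">' +
  '<link rel="preconnect" href="https://cdn.example/">' +
  '<meta http-equiv="x-dns-prefetch-control" content="on"></head>' +
  '<body>hello</body></html>';

module.exports = { dnsPrefetchControl, dnsPrefetchControlValue, auditPrefetchHints, SAMPLE_HTML };
```

Mount `dnsPrefetchControl()` with `app.use` in Express and run `auditPrefetchHints` over templates in CI to catch hints that leak hostnames regardless of the header.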