DNS Prefetch Control
Written by Ulises Gascón
Apr 08, 2020 — 2 min readThe attack
When you visit a URL, your browser has to look up the domain’s IP address. For example, it has to resolve example.com to 93.184.216.34. This process is called DNS.
Browsers can start these DNS requests before the user even clicks a link or loads a resource from somewhere. This improves performance when the user clicks the link, but has privacy implications for users. It can appear as if a user is visiting things they aren’t visiting.
The header
The X-DNS-Prefetch-Control header tells browsers whether they should do DNS prefetching. Turning it on may not work—not all browsers support it in all situations—but turning it off should disable it on all supported browsers.
To disable DNS prefetching, set the X-DNS-Prefetch-Control header to off. To attempt to enable it, set the value to on.
Most browsers don’t do DNS prefetching so most browsers can ignore this header.
The code
This middleware lets you disable browsers’ DNS prefetching by setting the X-DNS-Prefetch-Control header.
const helmet = require('helmet')
// Sets "X-DNS-Prefetch-Control: off".
app.use(helmet())
// Sets "X-DNS-Prefetch-Control: off".
app.use(helmet.dnsPrefetchControl({ allow: false }))
// Sets "X-DNS-Prefetch-Control: on".
app.use(helmet.dnsPrefetchControl({ allow: true }))
Refs:
- Helmet | DNS Prefetch Control
- MDN | X-DNS-Prefetch-Control
- Chromium | DNS Prefetching
- KeyCDN | What Is Prefetching and Why Use It