DNS Prefetch Control

Written by Ulises Gascón

Apr 08, 20202 min read

The attack

When you visit a URL, your browser has to look up the domain’s IP address. For example, it has to resolve example.com to 93.184.216.34. This process is called DNS.

Browsers can start these DNS requests before the user even clicks a link or loads a resource from somewhere. This improves performance when the user clicks the link, but has privacy implications for users. It can appear as if a user is visiting things they aren’t visiting.

The header

The X-DNS-Prefetch-Control header tells browsers whether they should do DNS prefetching. Turning it on may not work—not all browsers support it in all situations—but turning it off should disable it on all supported browsers.

To disable DNS prefetching, set the X-DNS-Prefetch-Control header to off. To attempt to enable it, set the value to on.

Most browsers don’t do DNS prefetching so most browsers can ignore this header.

The code

This middleware lets you disable browsers’ DNS prefetching by setting the X-DNS-Prefetch-Control header.

const helmet = require('helmet')

// Sets "X-DNS-Prefetch-Control: off".
app.use(helmet())

// Sets "X-DNS-Prefetch-Control: off".
app.use(helmet.dnsPrefetchControl({ allow: false }))

// Sets "X-DNS-Prefetch-Control: on".
app.use(helmet.dnsPrefetchControl({ allow: true }))

Refs: