# anybody has trouble with chrome bypassing local dns servers?



## wolffnx (Aug 14, 2020)

something new...reinveinteing the wheel..again
this is happen a log time ago but now is the default behaviour in google chrome

In one of my firewalls PF+Bind9+squid transparent mode(only http) I discover that google chrome bypass my local dns
and even dont pass for the 53 udp/tcp port!

one thing I read was about "DNS prefetching" and that chrome read in the pages that the user visit a header
"sugesting" an external dns server to resolve

and guest what are the pages that bypass the internal dns? that ones that the corporate client dont wnat that the user visit
like facebook or youtube

anyone came to a solution with this?


----------



## SirDice (Aug 14, 2020)

DNS over HTTPS - Wikipedia
					






					en.wikipedia.org


----------



## obsigna (Aug 14, 2020)

This is most probably caused by the DoH (DNS over HTTPS) protocol, which was invented by Google and Mozilla, who recklessly pushed this through all standardization instances and implemented and rolled-out it in no time.

Besides deactivating DoH in Firefox (there must be a switch for this in Chrome as well), I added the following rules to the ipfw(8) firewall of the gateway which happens to be a FreeBSD server:


```
...
# Block DNS bypassing via CloudFlare's 1... and Google's 8.8..
/sbin/ipfw -q add 96 deny ip from any to 1.0.0.0/24,1.1.1.0/24,8.8.0.0/16 53,853
/sbin/ipfw -q add 97 deny ip from any to 1.0.0.0/24,1.1.1.0/24,8.8.0.0/16 443
```

My gateway is running local_unbound as a recursive caching resolver and I added to /etc/unbound/unbound.conf the following void zone:

```
# Tell Firefox to not automagically send traffic to Cloudflare and other DoH services
local-zone: "use-application-dns.net" static
```

I am not 100% sure, but I vaguely remember that I read somewhere that Chrome would honour this DNS entry as well.


----------



## Alain De Vos (Aug 14, 2020)

So one have https traffic which has nothing to do with http.


----------



## wolffnx (Aug 14, 2020)

thanks SirDice  , the only option I have without manage the https traffic is to block the DoH servers in
PF
and yes,there is a option in chrome and firefox to disable,but soon or later the user will discover it


----------



## wolffnx (Aug 14, 2020)

Alain De Vos said:


> So one have https traffic which has nothing to do with http.



if you reffer to squid, yes..I am still using it, in the future I want to process https trafic(easy to do in squid)


----------

