Google Chrome's private prefetch proxy is a feature designed to enhance privacy while still providing the benefits of prefetching. Prefetching is a technique where the browser preloads web pages or resources that it predicts the user will visit next. This can speed up browsing but traditionally comes with privacy trade-offs because the prefetching can reveal the user's browsing behavior to third parties.
For users who haven't disabled page preloads, Chrome will asynchronously issue a DNS lookup for dns-tunnel-check.googlezip.net when Chrome starts or when a network interface change occurs.
If the response is NXDOMAIN or SERVFAIL, or if a NOERROR response code is returned but contains neither A nor AAAA records, Chrome will understand that the network administrators need visibility into navigations to prefetched pages (see Preflight mode).
If the response is any other value, Chrome will directly use the prefetched resources and will not issue any additional DNS lookups when the user navigates to the prefetched page.
Implement an option parallel to iCloud Private Relay and Firefox Canary to force Chrome into preflight mode.
Force preflight mode rule: ||dns-tunnel-check.googlezip.net^$dnsrewrite=NXDOMAIN
In this mode, before navigating to a page prefetched via the private prefetch proxy, Chrome will issue a DNS lookup for the relevant domain, and wait until the response comes back.
Issue Details
Google Chrome's private prefetch proxy is a feature designed to enhance privacy while still providing the benefits of prefetching. Prefetching is a technique where the browser preloads web pages or resources that it predicts the user will visit next. This can speed up browsing but traditionally comes with privacy trade-offs because the prefetching can reveal the user's browsing behavior to third parties.
For users who haven't disabled page preloads, Chrome will asynchronously issue a DNS lookup for dns-tunnel-check.googlezip.net when Chrome starts or when a network interface change occurs.
If the response is NXDOMAIN or SERVFAIL, or if a NOERROR response code is returned but contains neither A nor AAAA records, Chrome will understand that the network administrators need visibility into navigations to prefetched pages (see Preflight mode).
See also: https://developer.chrome.com/docs/privacy-security/private-prefetch-proxy-for-network-admins
Proposed solution
Implement an option parallel to iCloud Private Relay and Firefox Canary to force Chrome into preflight mode.
Force preflight mode rule:
||dns-tunnel-check.googlezip.net^$dnsrewrite=NXDOMAIN
In this mode, before navigating to a page prefetched via the private prefetch proxy, Chrome will issue a DNS lookup for the relevant domain, and wait until the response comes back.
Alternative solution
No response
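The following is an added example, not part of the original issue or of Chrome's code: it parses a raw DNS response to the canary query and applies the decision rules quoted above, so an administrator can check which mode a resolver's answer would select. The function names, the "preflight"/"direct" labels and the sample responses built by `build_response` are assumptions constructed for illustration.

```python
import struct

CANARY = "dns-tunnel-check.googlezip.net"   # canary name quoted in the issue
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3       # DNS RCODE values
TYPE_A, TYPE_AAAA = 1, 28                   # DNS record type codes

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:             # root label ends the name
            return off
        off += length

def chrome_mode(msg):
    """Classify a raw DNS response to the canary lookup per the rules on this page."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    if rcode in (NXDOMAIN, SERVFAIL):
        return "preflight"
    if rcode != NOERROR:
        return "direct"             # the page's "any other value" case
    off = 12
    for _ in range(qd):             # skip each question: name + type + class
        off = skip_name(msg, off) + 4
    for _ in range(an):             # walk the answers looking for A / AAAA
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype in (TYPE_A, TYPE_AAAA):
            return "direct"
        off += 10 + rdlen
    return "preflight"              # NOERROR with neither A nor AAAA records

def build_response(rcode, answers=()):
    """Constructed sample: a response for CANARY with (type, rdata) answers."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in CANARY.split(".")) + b"\0"
    msg = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    msg += qname + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in answers:    # owner name is a pointer back to the question
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return msg
```

A response carrying only a CNAME with NOERROR is classified as preflight here, because the quoted rule keys on the absence of A and AAAA records.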