Option for blocking private prefetch proxy in Chrome - force preflight mode

[hagezi]

Issue Details

Google Chrome's private prefetch proxy is a feature designed to enhance privacy while still providing the benefits of prefetching. Prefetching is a technique where the browser preloads web pages or resources that it predicts the user will visit next. This can speed up browsing but traditionally comes with privacy trade-offs because the prefetching can reveal the user's browsing behavior to third parties.

For users who haven't disabled page preloads, Chrome will asynchronously issue a DNS lookup for dns-tunnel-check.googlezip.net when Chrome starts or when a network interface change occurs.

• If the response is NXDOMAIN or SERVFAIL, or if a NOERROR response code is returned but contains neither A nor AAAA records, Chrome will understand that the network administrators need visibility into navigations to prefetched pages (see Preflight mode).
• If the response is any other value, Chrome will directly use the prefetched resources and will not issue any additional DNS lookups when the user navigates to the prefetched page.

See also: https://developer.chrome.com/docs/privacy-security/private-prefetch-proxy-for-network-admins

Proposed solution

Implement an option parallel to iCloud Private Relay and Firefox Canary to force Chrome into preflight mode.

Force preflight mode rule: ||dns-tunnel-check.googlezip.net^$dnsrewrite=NXDOMAIN

In this mode, before navigating to a page prefetched via the private prefetch proxy, Chrome will issue a DNS lookup for the relevant domain, and wait until the response comes back.

Alternative solution

No response

[Chinaski1]

Internal ID: AGDNS-2326