I don't really do much with my DNS settings in Edge, but I did notice something strange today. If you look in the settings menu under Privacy, search and services > Security, you will see the option for "Use secure DNS to specify how to lookup the network address for websites." I have this set to "Use current service provider." I can access this fine outside the sandbox. But when I pull this up while inside the sandbox, it's grayed out with this message: "This setting is turned off for managed browsers." This only happens when running Sandboxie. What is the cause for this behavior, and am I losing some kind of baseline security function by not having it be accessible (or blocking it in the sandbox somehow)?
Sandboxie is adding to the sandboxed registry to disable the "Startup Boost" feature of the MSEdge browser. Because of this, MSEdge thinks this browser is managed and prevents some features from being changed by the user.

Workaround: Save the following code as "MSEdgeSecureDNS.reg" and move it to a safe location (ex. D:\MyPath\).

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
"DnsOverHttpsMode"="secure"
"DnsOverHttpsTemplates"="https://cloudflare-dns.com/dns-query{?dns}"

Spoiler: DnsOverHttpsMode
Policy options mapping:
* off (off) = Disable DNS-over-HTTPS
* automatic (automatic) = Enable DNS-over-HTTPS with insecure fallback
* secure (secure) = Enable DNS-over-HTTPS without insecure fallback
https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::DnsOverHttpsMode

Spoiler: DnsOverHttpsTemplates
Code:
Example value: https://dns.example.net/dns-query{?dns}
https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::DnsOverHttpsTemplates

Add the following line to your sandbox config (the REG file will be added to the sandboxed registry at the initial run of the sandbox):

Code:
AutoExec=regedit /s "D:\MyPath\MSEdgeSecureDNS.reg"

Spoiler: AutoExec
https://sandboxie-plus.com/sandboxie/autoexec/

(OPTIONAL) Run the REG file as sandboxed.
I tried the steps above, but I am still seeing the DNS server settings grayed out. Here is what I did, step-by-step:

1) I opened notepad and copied everything in the code box above (including the "Windows Registry Editor Version 5.00" all the way down to "/dns-query{?dns}"). I then used "save as" and named it MSEdgeSecureDNS.reg (to ensure it created a registry file I could merge).

2) I created a folder in Program Files > Sandboxie Plus called "mods" and placed the newly created reg file from step 1 here. Then copied this location to make the following string:
AutoExec=regedit /s "C:\Program Files\Sandboxie-Plus\mods\MSEdgeSecureDNS.reg"

3) I copied and pasted the last string above from step 3, and copied/pasted it into the "edit ini" sections of the global program settings and in the sandbox specific settings (adding this after the bottom line).

4) I ran the reg file and merged with the registry manually (just in case)

...but even now when I run Edge sandboxed and check the settings, DNS is still grayed out.
It will stay "grayed out" unless we delete the "Policies" key. To delete the key:

Code:
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
Thanks. I hate to be a pain in the #$%, but this still isn't working. So I copy/pasted everything in your code box into notepad, saved it as the "policies" reg file on the desktop, and ran/merged it. Still grayed out. Then I tried to delete the key manually, but when I navigated to \Microsoft\Edge in the registry, it had been deleted (by running the reg file, I assume). But still not unlocking the DNS settings.
Did you check the sandbox registry or the host registry? (Run 'regedit' as sandboxed)

EDIT: Make sure to remove the line containing the previous REG file (MSEdgeSecureDNS.reg).

Video: https://streamable.com/fjfi6h
Hey, that worked! Thanks a lot for the video. I would have never figured that out on my own, but those steps were amazing. Just one bit of housekeeping left. I now have two registry files I'm storing in the root of the Sandboxie folder for safe keeping. One is named "MSEdgeSecureDNS.reg" with the contents of post #2, and the second I named "DeletePolicies.reg" with the contents of post #4. I assume the second one is something I have to keep from now on, as it's set as a "trigger" in the run command of the sandbox options (which loads every time Edge does now). Is "MSEdgeSecureDNS.reg" the one that's safe to delete now and "DeletePolicies.reg" the one that stays on my HDD indefinitely?
Perfect thanks! One final FINAL question. If I were to start this process again (from a fresh copy of Windows), would I be able to use the steps JUST in the video? Or would I have to run the first sequence all the time as well?
As long as you have the REG file, it is sufficient to set AutoExec for the sandbox.

Spoiler: or Globally
Sandboxie Plus > Options > Global Settings > Edit ini Section > Edit ini > Scroll to the bottom > add your AutoExec line > Save > OK

If you fresh install (or reset) Windows or completely uninstall Sandboxie Plus (which removes all config files) without backing up the configuration file and the REG file (C:\Windows\Sandboxie.ini and DeletePolicies.reg), you have to set it up again from the first sequence.
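As an added illustration (not code from this thread or from the Sandboxie project), here is a small Python model of how regedit applies the two REG files from posts #2 and #4 to the sandboxed Policies key; the registry is a constructed in-memory dict, and the name of the Startup Boost value Sandboxie writes is a placeholder because the thread does not give it. It shows why the setting stays grayed out until the key is deleted, and why the AutoExec line for the first file has to go: a delete followed by a set re-creates the key.

```python
import re

# .reg text as posted in the thread (post #2 sets the DoH policy, post #4 deletes the key).
SET_DNS_REG = """Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Edge]
"DnsOverHttpsMode"="secure"
"DnsOverHttpsTemplates"="https://cloudflare-dns.com/dns-query{?dns}"
"""
DELETE_POLICIES_REG = """Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Edge]
"""

EDGE_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge"
# Placeholder: the thread only says Sandboxie writes a Startup Boost policy here, not the value's name.
STARTUP_BOOST_PLACEHOLDER = "StartupBoostPolicyPlaceholder"
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def apply_reg(registry, reg_text):
    """Apply a .reg file to a constructed registry model ({key: {name: value}}).
    Handles the header, [KEY] sections, [-KEY] deletions and string values only."""
    lines = [ln.strip() for ln in reg_text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("Windows Registry Editor Version"):
        raise ValueError("missing .reg header; regedit would refuse the file")
    current = None
    for line in lines[1:]:
        if line.startswith("[-") and line.endswith("]"):
            registry.pop(line[2:-1], None)  # [-KEY] removes the key and every value under it
            current = None
        elif line.startswith("[") and line.endswith("]"):
            current = registry.setdefault(line[1:-1], {})
        else:
            m = _VALUE_RE.match(line)
            if m is None or current is None:
                raise ValueError(f"unsupported .reg line: {line}")
            current[m.group(1)] = m.group(2)
    return registry


def edge_is_managed(registry):
    """Per the thread: any values under the Edge Policies key make Edge treat itself as managed."""
    return bool(registry.get(EDGE_POLICY_KEY))


def simulate_autoexec(reg_files):
    """Start from a sandbox registry already carrying Sandboxie's Startup Boost policy value,
    apply the AutoExec .reg files in the order given, and report whether Edge still looks managed."""
    registry = {EDGE_POLICY_KEY: {STARTUP_BOOST_PLACEHOLDER: "0"}}
    for reg_text in reg_files:
        apply_reg(registry, reg_text)
    return edge_is_managed(registry)
```

simulate_autoexec([SET_DNS_REG]) reproduces post #3 (still managed), while [SET_DNS_REG, DELETE_POLICIES_REG] clears the lock and [DELETE_POLICIES_REG, SET_DNS_REG] brings it back.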
I run Cloudflare 1.1.1.1 public DNS resolver with my network adapter. Does trying to implement this (over-my-head) workaround buy me anything?
Hi @busy, may I ask you a few questions?
1) Does Sandboxie or Sandboxie Plus change only Edge settings, or other browsers like Firefox or Chrome too?
2) And does the Sandboxie uninstaller restore the old keys?
Thanks
Basically, the lock points out that some kind of policy is set; go to Group Policies in Windows. If you are on Windows Pro, get the ADMX from here: https://www.microsoft.com/edge/business/download?form=MA13FJ If you are on Windows Home, such settings don't get there on their own; someone or something has deployed it.
@bjm_ Use router-level or system-wide secure DNS. @mantra 1) MS Edge only https://www.wilderssecurity.com/threads/sandboxie-plus-v1-1-3.445696/#post-3090074 2) This setting is only added to the sandbox registry.
@busy Hi, but you have written to delete some registry entries like:
Code:
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
Thanks
Seriously, SB should keep its hands off GPO settings, virtually or not. Undermining system security settings is a NO GO!
To clarify: Sandboxie should not change any setting on the host. What it does is change sandboxed registry values which correspond to some GPO settings, meaning these changes apply only within the box itself.
I thought this way, as you consider this setting as required. Anyhow, the way you set GPO without any messages is not okay. And you could not be aware that all users read the popup with the latest changes (me included). As you can read, this really happens/happened and the user is not happy about it.
There are quite a bunch more settings which are set without asking; this practice was already practiced by the old closed-source Sandboxie, just with a few less settings. See custom.cpp
Code:
DisableDCOM();
DisableRecycleBin();
DisableWinRS();
DisableWerFaultUI();
EnableMsiDebugging(); // new
DisableEdgeBoost(); // new
Custom_EnableBrowseNewProcess();
DeleteShellAssocKeys(0);
Custom_DisableBHOs();
Custom_OpenWith(); // new
The 3 marked with //new are mine.

Without disabling Edge startup boost, Edge does not terminate properly, and users do complain about that and about auto box delete/recovery not working. These options are all set when an empty box is started, so no matter what's set, some users will complain. You can after start customize your box and then take a snapshot, and the new config will remain even across auto deletes (due to the snapshot). You want it to ask each time you start an empty sandbox which settings to set; that's not user friendly, default presets (GPO or other) should be auto set. But I'll add this special case to the automated troubleshooting wizard to simplify the unsetting of that GPO for users.