What is asynchronous DNS?

Discussion in 'other software & services' started by Mortal Raptor, Jan 5, 2015.

  1. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    I saw Mr. Mayahana say he disables asynchronous DNS. I searched on Google and I couldn't find out what this is.

    Can someone please shed some light?

    Also, what are the recommended advanced settings for speed + security?
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,088
    http://www.chromium.org/developers/design-documents/dns-prefetching
     
  3. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    Thanks a lot! So this seems like it would make browsing faster in theory; why did Mayahana recommend disabling it and sticking to Norton DNS?

    Firefox doesn't have this, right? Does that explain why there is a split-second lag when you connect to a site using Firefox, but with Chrome the page starts loading instantly?
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,088
    I don't know what the practical consequences of disabling this option are. Enabling this option doesn't mean you can't use your preferred DNS, though.
     
  5. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    OK, now I'm even more confused. Hope Mayahana chimes in.
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Caching has become redundant, with browsers, OS and hardware all doing DNS cache work. I personally leave it to the hardware (router); no need for the round robin and caching on potentially exploitable OSes and software, IMO. Why stack DNS resolution? Hardware->OperatingSystem->Browser? Not necessary.

    Asynchronous DNS in Chrome slows down browsing in some cases, and in other cases causes page instability. I find it best to disable it. Chrome's DNS client talks with multiple DNS servers (the local DNS, the router DNS, the router DNS in IPv6). Chrome opens up to 8 processor threads to resolve DNS, acting as a DNS client of sorts, and overriding your native DNS, and while this 'usually' is done fairly quickly, it can result in significant slowdowns, especially on websites with a lot of links and such (or IP changes). I leave DNS up to my router, but I have an inbuilt fear of cache poisoning and spying on DNS caches. Plenty of examples exist about why you shouldn't cache DNS.

    https://www.reddit.com/r/GlobalOffe...ac_now_reads_all_the_domains_you_have_visited

    http://tools.cisco.com/security/center/viewAlert.x?alertId=16178
    Could allow an unauthenticated, remote attacker to cause the storage of false IP addresses for valid domain names within the local DNS cache.

    How Malware can poison the cache;
    http://null-byte.wonderhowto.com/ho...n-redirect-traffic-your-fake-website-0151620/
     
  7. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Also - and I haven't verified this. Some report Chrome will 'step outside' your defined DNS at times, and roll over to Google's DNS. A few people have seemingly verified this by loopback testing that Chrome supplicates their DNS. Perhaps someone knows more about that aspect than me. But it worries me - I want ConnectSafe to handle DNS at all times for added security. So it's just another reason for me to disable it. For example:

    http://wiki.astrill.com/index.php/A...mmon_Problems_and_Solutions_(Troubleshooting)
    DNS interception is broken for Chromium browser
    We did intensive tests and found the issue is not in our software at all.

    Recent Chrome/Chromium browsers have internal DNS client, so they bypass system DNS resolver. Astrill can control only system DNS resolver. There is an option to disable this new feature and use system resolver.

    To do so, type: chrome://flags

    Then search for Asynchronous DNS, set it to Disabled. Restart browser. This should fix your issue.
     
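Added example, not part of the thread: one way to check the behaviour discussed in the post above from connection logs. It assumes a Windows host where the OS DNS Client service (svchost.exe) normally sends the queries, so port-53 traffic from chrome.exe itself indicates the browser's internal client; the CSV log format, the sample records and the resolver allow-list are all constructed for illustration.

```python
import csv
import io

# Constructed sample: per-connection records as a host firewall or EDR
# might export them (hypothetical column names).
SAMPLE_LOG = """process,proto,dst_ip,dst_port
svchost.exe,udp,192.168.1.1,53
chrome.exe,tcp,203.0.113.10,443
chrome.exe,udp,192.168.1.1,53
chrome.exe,udp,198.51.100.53,53
chrome.exe,udp,fe80::1,53
"""

# Hypothetical allow-list: the resolvers this host is configured to use.
ALLOWED_RESOLVERS = {"192.168.1.1"}
BROWSER_PROCESSES = {"chrome.exe", "chromium.exe"}


def audit_dns(log_text, allowed=ALLOWED_RESOLVERS):
    """Classify port-53 traffic sent directly by the browser process.

    'internal_client': the browser queried an allowed resolver itself,
                       i.e. it did not go through the system resolver.
    'bypass':          the browser queried a resolver outside the allow-list.
    """
    findings = {"internal_client": [], "bypass": []}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["process"].lower() not in BROWSER_PROCESSES:
            continue  # queries made by the OS resolver are expected
        if int(row["dst_port"]) != 53:
            continue  # not classic DNS traffic
        kind = "internal_client" if row["dst_ip"] in allowed else "bypass"
        findings[kind].append(row["dst_ip"])
    return findings


if __name__ == "__main__":
    for kind, ips in audit_dns(SAMPLE_LOG).items():
        print(kind, ips)
```
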
  8. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    There's too much you can do; see chrome://flags and search for what each entry means, and also search for command line switches here:
    http://peter.sh/experiments/chromium-command-line-switches/
    But they change quickly, so keeping up to date is really hard. Also, you can restrict Chrome by policy. My basic idea is to disable unneeded or potentially exploitable functions, disable privacy-invasive functions, and enable security features. But those configs can cause slowdowns and can break some sites, and I myself don't apply some security-related switches as they caused problems, so it depends on your preferences.
    Just as an example, here are my switches and flags (you can see your own via chrome://version):

    --block-cross-site-documents --cipher-suite-blacklist=0x0001,0x0004,0x0017,0x0018,0xff80,0xff81,0xff82 --disable-application-cache --disable-breakpad --disable-ipv6 --disable-people-search --disable-preconnect --disable-prerender-local-predictor --disable-remote-fonts --disable-speech-input --disable-sync --disabled --disk-cache-size=1 --dns-prefetch-disable --enable-strict-site-isolation --incognito --media-cache-size=1 --proxy-pac-url="C:\brabrabra...\proxy.pac" --ssl-version-min=tls1 --flag-switches-begin --disable-device-discovery-notifications --no-pings --disable-ntp-other-sessions-menu --disable-touch-adjustment --disable-views-rect-based-targeting --disable-webgl --disable-account-consistency --disable-async-dns --disable-password-generation --disable-pinch-virtual-viewport --disable-pinch --disable-quic --disable-sync-app-list --disable-sync-synced-notifications --disable-touch-drag-drop --disable-touch-editing --overscroll-history-navigation=0 --disable-text-input-focus-manager --touch-events=disabled --flag-switches-end

    Just as a note, prerendering, and in another case sync, was needed in past Chrome sandbox bypass PoCs.
    And this was my reg file for group policy, but I gave up on it because I found it only takes effect in environments where the policy editor is available. On the Home version of Windows, you can't enforce those Chrome policies unless you hack that mechanism (there's a tool for it, but it's not recommended).

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
    "AllowOutdatedPlugins"=dword:00000000
    "AlwaysAuthorizePlugins"=dword:00000000
    "DisablePluginFinder"=dword:00000001
    "RemoteAccessHostFirewallTraversal"=dword:00000000
    "DefaultGeolocationSetting"=dword:00000002
    "DefaultPopupsSetting"=dword:00000002
    "PasswordManagerAllowShowPasswords"=dword:00000000
    "PasswordManagerEnabled"=dword:00000000
    "AuthSchemes"="negotiate"
    "BackgroundModeEnabled"=dword:00000000
    "SavingBrowserHistoryDisabled"=dword:00000001
    "DisableSpdy"=dword:00000001
    "SyncDisabled"=dword:00000001
    "AutoFillEnabled"=dword:00000000
    "CloudPrintProxyEnabled"=dword:00000000
    "InstantEnabled"=dword:00000000
    "DnsPrefetchingEnabled"=dword:00000000
    "MetricsReportingEnabled"=dword:00000000
    "SafeBrowsingEnabled"=dword:00000001
    "SearchSuggestEnabled"=dword:00000000
    "CloudPrintSubmitEnabled"=dword:00000000
    "ImportSavedPasswords"=dword:00000000
    "EnableOnlineRevocationChecks"=dword:00000001
    "DefaultMediaStreamSetting"=dword:00000002
    "DisableScreenshots"=dword:00000001
    "BlockThirdPartyCookies"=dword:00000001
    "DefaultCookiesSetting"=dword:00000004
     
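Added example, not part of the thread: a small audit of a Chrome command line as chrome://version shows it, reporting whether the DNS-related switches named in the post above are present and whether each came from the launch command line or from chrome://flags (the part between --flag-switches-begin and --flag-switches-end). The sample command line is constructed and shortened, and the function names and the three-switch baseline are choices made for this example.

```python
import re

# Constructed, shortened command line in the shape chrome://version shows it.
SAMPLE_CMDLINE = (
    r'--disable-preconnect --dns-prefetch-disable --incognito '
    r'--proxy-pac-url="C:\example dir\proxy.pac" --ssl-version-min=tls1 '
    r'--flag-switches-begin --no-pings --disable-async-dns --disable-quic '
    r'--flag-switches-end'
)

# Switches from the post that affect DNS and speculative connections.
DNS_BASELINE = ["disable-async-dns", "dns-prefetch-disable", "disable-preconnect"]

# --name, optionally followed by =value where value may be double-quoted.
SWITCH_RE = re.compile(r'--([A-Za-z0-9-]+)(?:=("[^"]*"|\S*))?')


def parse_switches(cmdline):
    """Return {name: (value, origin)}.

    origin is 'flags' for switches between --flag-switches-begin and
    --flag-switches-end (set via chrome://flags), otherwise 'cmdline'.
    """
    switches, origin = {}, "cmdline"
    for name, value in SWITCH_RE.findall(cmdline):
        if name == "flag-switches-begin":
            origin = "flags"
        elif name == "flag-switches-end":
            origin = "cmdline"
        else:
            switches[name] = (value.strip('"'), origin)
    return switches


def audit(cmdline, baseline=DNS_BASELINE):
    """Map each baseline switch to 'cmdline', 'flags' or 'missing'."""
    found = parse_switches(cmdline)
    return {n: found[n][1] if n in found else "missing" for n in baseline}


if __name__ == "__main__":
    for name, status in audit(SAMPLE_CMDLINE).items():
        print(f"--{name}: {status}")
```
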
  9. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    221
    "Chromium currently employs 8 completely asynchronous worker threads to do nothing but perform DNS prefetch resolution."


    Remember, this actually refers to the current external DNS architecture which still uses the OS. Both DNS versions are asynchronous; however, the about:flags internal DNS is different.

    The purpose of the new internal DNS is to overcome the general inefficiency of interacting with the OS under a fixed and limited number of threads (8) via dynamic, limitless request handling that's "just right." It also aims to make the DNS prefetch/cache more robust (receives better DNS metadata and therefore can add more value/optimization/security).

    Also, Chrome will DNS cache and use it first regardless of which local DNS or flag/pref you use.

    Is async DNS handling secure? Sure. It is just parallel requests. The alternative is one domain lookup and response at a time; that adds up and creates hangs.

    Is Chrome's experimental internal DNS client more secure? No, it's "experimental."
     
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    On a side note, there's a little utility called DNS Jumper that will ping a list of DNS servers and add the fastest servers to the static DNS section of the TCP/IP page in the network adapter. It's particularly useful when using a VPN since DNS responsiveness can vary a lot depending on server location.
     
  11. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    Thanks a lot for the explanations and links bro!! I always eagerly await your posts as they're so informative!

    I'll give Chrome another go now and do this.

    Thanks
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It just means that your DNS resolution isn't going to block the browser from doing other things. That's why it's "asynchronous".
     
  13. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    Trying Google Chrome now and I'm trying to adapt to it. Isn't as bad as when I tried it a few months back now... and thanks to you guys I figured out how to make my torrent downloads launch my torrent client automatically
     
  14. cet

    cet Registered Member

    Joined:
    Sep 3, 2006
    Posts:
    867
    Location:
    Turkey/İzmir
    Does this apply to Linux? I am on Ubuntu. Should I disable asynchronous DNS in Chrome too?
     