Low Security Header

X-DNS-Prefetch-Control

Learn how to control DNS prefetching behavior for privacy and performance.

SiteSecurityScore Team·6 min read·Updated Feb 20, 2026

X-DNS-Prefetch-Control is an HTTP response header that controls whether browsers perform DNS prefetching for links on your pages. DNS prefetching can improve page load performance by resolving domain names before a user clicks a link, but it can also raise privacy concerns by revealing browsing patterns to DNS servers. This header gives you explicit control over this browser optimization.

What is DNS Prefetching?

DNS prefetching is a browser performance optimization where the browser proactively resolves domain names for links that appear on a page before the user actually clicks them. When a browser encounters links to external domains, it can start DNS resolution in the background so that if the user does click the link, the connection is faster because the DNS lookup is already complete.

  • Browsers scan the page for links and extract domain names from href attributes
  • DNS resolution happens asynchronously in the background without blocking page rendering
  • The resolved IP addresses are cached for immediate use when the user navigates
  • Most modern browsers enable DNS prefetching by default on HTTP pages

Performance Impact

DNS lookups typically take 20 to 120 milliseconds. On a page with many external links, prefetching can save hundreds of milliseconds of perceived load time when users navigate to those links.

Privacy and Security Implications

While DNS prefetching improves performance, it creates privacy and security considerations that may be important for your application. Every prefetched DNS query reveals information about the page content to DNS resolvers, and in some cases can be exploited by attackers.

  • DNS queries reveal which external domains are linked on your page to DNS servers
  • ISPs and network administrators can monitor prefetched DNS queries to track user behavior
  • Malicious pages could use DNS prefetching to signal to external servers without user action
  • Prefetching can leak information on authenticated or private pages that reference external resources
  • Corporate environments may flag unexpected DNS queries as potential data exfiltration

Privacy Sensitive Applications

For applications handling medical records, financial data, legal documents, or other sensitive content, DNS prefetching should be disabled. The leaked DNS queries could reveal what types of content a user is viewing, even if the actual data remains encrypted.

How X-DNS-Prefetch-Control Works

The X-DNS-Prefetch-Control header accepts two values: 'on' to explicitly enable DNS prefetching, and 'off' to disable it. The browser's default behavior varies: most browsers enable prefetching on HTTP pages and disable it on HTTPS pages, though this behavior is not guaranteed across all browsers and versions.

  • Setting the header to 'off' prevents all speculative DNS resolution for page links
  • Setting the header to 'on' explicitly enables prefetching regardless of protocol
  • Without the header, browser defaults apply (usually on for HTTP, off for HTTPS)
  • The header affects the entire page, not individual links

Implementation Guide

Choose 'off' for privacy-sensitive applications, or 'on' for performance-critical public pages. Here is how to configure the header in common web servers.

HTML Level Control

You can also use link tags to enable prefetching for specific domains while keeping the header set to off. Use <link rel="dns-prefetch" href="//trusted-cdn.com"> for selective prefetching of critical domains.

Configuration
# Apache - disable DNS prefetching
Header always set X-DNS-Prefetch-Control "off"

# Nginx - disable DNS prefetching
add_header X-DNS-Prefetch-Control "off" always;

// Node.js / Express
app.use((req, res, next) => {
  res.setHeader('X-DNS-Prefetch-Control', 'off');
  next();
});

<!-- HTML meta tag alternative -->
<meta http-equiv="x-dns-prefetch-control" content="off">

Best Practices

The right setting for X-DNS-Prefetch-Control depends on your application's requirements. Consider these guidelines when deciding how to configure it.

  • Set to 'off' for applications handling sensitive or private data
  • Set to 'off' for internal or corporate applications where DNS leak prevention is important
  • Consider 'on' for public, content-heavy sites where performance is the priority
  • Use selective dns-prefetch link tags for critical third-party domains when the header is off
  • Combine with Referrer-Policy for comprehensive privacy control over outbound requests
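
An added example (not from the original page or from SiteSecurityScore): a Node.js audit that applies the rules described above to a response's headers and HTML and lists which external hostnames could reach a DNS resolver without a click. The function names, the header-over-meta precedence, the regex-based scanning and the sample hostnames are assumptions made for illustration.

```javascript
// Model of the rules as this page states them, not a browser's real logic.
// Assumptions: header wins over meta; regex scanning stands in for an HTML parser.
function effectivePolicy(pageUrl, headers, html) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'x-dns-prefetch-control') {
      return { policy: String(value).trim().toLowerCase(), source: 'header' };
    }
  }
  const meta = /<meta\s+http-equiv=["']x-dns-prefetch-control["']\s+content=["'](on|off)["']/i.exec(html);
  if (meta) return { policy: meta[1].toLowerCase(), source: 'meta' };
  // Stated default: usually on for HTTP, off for HTTPS.
  const isHttp = new URL(pageUrl).protocol === 'http:';
  return { policy: isHttp ? 'on' : 'off', source: 'browser-default' };
}

// Collect distinct external hostnames from the first capture group of tagPattern.
function hostsFrom(html, tagPattern, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const hosts = new Set();
  for (const m of html.matchAll(tagPattern)) {
    let host;
    try { host = new URL(m[1], pageUrl).hostname; } catch { continue; }
    if (host && host !== pageHost) hosts.add(host);
  }
  return [...hosts].sort();
}

function auditDnsPrefetch(pageUrl, headers, html) {
  const { policy, source } = effectivePolicy(pageUrl, headers, html);
  const linkHosts = hostsFrom(html, /<a\s[^>]*href=["']([^"']+)["']/gi, pageUrl);
  const hintedHosts = hostsFrom(html, /<link\s[^>]*rel=["']dns-prefetch["'][^>]*href=["']([^"']+)["']/gi, pageUrl);
  // Hosts a resolver may see with no click: explicit hints always,
  // anchor hosts only when the effective policy is 'on'.
  const exposed = new Set(hintedHosts);
  if (policy === 'on') linkHosts.forEach((h) => exposed.add(h));
  return { policy, source, linkHosts, hintedHosts, exposedHosts: [...exposed].sort() };
}

// Constructed sample page; hostnames are illustrative.
const SAMPLE_HTML = `
<link rel="dns-prefetch" href="//trusted-cdn.com">
<a href="/account">Account</a>
<a href="https://oncology-clinic.example/referral">Referral</a>
<a href="https://lab-results.example/portal">Results</a>`;

console.log(auditDnsPrefetch('https://portal.example/records', { 'X-DNS-Prefetch-Control': 'off' }, SAMPLE_HTML));
console.log(auditDnsPrefetch('http://portal.example/records', {}, SAMPLE_HTML));
```

With the header set to off, only the explicitly hinted CDN host appears in `exposedHosts`; on the HTTP variant with no header, the two linked hostnames are listed as well.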

Implementation Examples

Disable DNS Prefetching

X-DNS-Prefetch-Control: off

Disables DNS prefetching for privacy

Explanation: This prevents browsers from performing DNS lookups for links, improving privacy.

Enable DNS Prefetching

X-DNS-Prefetch-Control: on

Enables DNS prefetching for performance

Explanation: This allows browsers to perform DNS lookups for links, improving performance.

Key Directives

off: Disables DNS prefetching for privacy

on: Enables DNS prefetching for performance
