1.14 Ensure 'DNS interception checks enabled' is set to 'Enabled'

Information

This setting determines whether a local switch is configured for DNS interception checks. These checks attempt to discover if the browser is behind a proxy that redirects unknown host names.

The recommended state for this setting is: Enabled (1).

NOTE: This detection might not be necessary in an enterprise environment where the network configuration is known. It can be disabled to avoid additional DNS and HTTP traffic on startup and on each DNS configuration change.

Rationale:

Disabling these checks could allow DNS hijacking and poisoning.

Impact:

None - This is the default behavior.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Enabled:

Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\DNS interception checks enabled

Default Value:

Unset (Same as Enabled, but user can change)

See Also

https://workbench.cisecurity.org/benchmarks/8691

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|RA-5(2), 800-53|SI-2, CSCv7|4.9

Plugin: Windows

Control ID: 64da1c0cd9be65b097306a3e1c5cd03b939a93fc9ab1eb75a7b3554303b6a273