X-DNS-Prefetch-Control

Security Glossary - Security Headers

Definition: X-DNS-Prefetch-Control is a non-standard HTTP response header that controls whether the browser performs DNS prefetching - proactively resolving the hostnames of links and other referenced resources on a page before the user follows them. It accepts the values "on" and "off". Setting it to "off" suppresses the behavior, which matters for privacy because the prefetch queries reveal which sites a user might visit next, even for links they never click.

Why X-DNS-Prefetch-Control Matters

DNS prefetching improves perceived performance by resolving hostnames before they are needed: as the browser parses a page it can look up the hostnames of the links it finds, so the lookup is already done by the time the user follows one. The cost is that queries go out for links the user may never click, exposing browsing intent to the DNS resolver and, where DNS is not encrypted, to anyone on the network path.

For most websites, DNS prefetching is a net positive for user experience and the privacy concern is minor. For privacy-focused applications (private messaging, healthcare portals, anonymous whistleblowing platforms), disabling DNS prefetching stops the page's outbound links from being enumerated to the resolver. It is also worth disabling on pages that embed links you do not control, such as user-generated content, since those hostnames would otherwise be looked up automatically on every page view.

The header's security impact is minimal compared to other headers like CSP and HSTS. It should be low priority in your security header implementation, addressed after the more impactful headers are in place.

How to Check

A security audit checks whether the response carries the X-DNS-Prefetch-Control header and what value it holds. Only "on" and "off" are defined, so any other value should be flagged as a misconfiguration. Note that the same control can be set inside the document with <meta http-equiv="x-dns-prefetch-control" content="off">, which a header-only scan will miss. For most sites, either setting is acceptable. Privacy-sensitive applications should set it to "off". Performance-focused sites may prefer "on" or simply omit the header (prefetching is on by default).
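The check described above, written out as an added example (this is not DomainOptic's scanner code): a small Node.js audit that takes a captured HTTP response, reads X-DNS-Prefetch-Control case-insensitively, falls back to the <meta http-equiv> form when the header is absent, and flags unrecognized or conflicting values. The sample responses, the "privacy"/"general" profile names and the verdict labels are constructed for this example.

```javascript
// Added example, not DomainOptic's or any browser's code. Audits a raw HTTP
// response for X-DNS-Prefetch-Control. Sample responses are constructed here
// so the script runs offline.

// Parse raw response header lines into a Map of lower-cased name -> [values].
// The status line has no ':' and is skipped; repeated headers are kept.
function parseHeaders(rawHeaderBlock) {
  const map = new Map();
  for (const line of rawHeaderBlock.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!map.has(name)) map.set(name, []);
    map.get(name).push(value);
  }
  return map;
}

// Look for <meta http-equiv="x-dns-prefetch-control" content="..."> in the
// body. Attribute order and quoting vary, so each attribute is matched on its
// own inside any <meta ...> tag. Returns the lower-cased content or null.
function metaPrefetchControl(html) {
  const metaTags = html.match(/<meta\b[^>]*>/gi) || [];
  for (const tag of metaTags) {
    if (!/http-equiv\s*=\s*["']?x-dns-prefetch-control["']?/i.test(tag)) continue;
    const m = tag.match(/content\s*=\s*["']?([^"'\s>]+)/i);
    return m ? m[1].toLowerCase() : null;
  }
  return null;
}

// Classify one response. profile is 'privacy' (must be off) or 'general'.
// Only "on" and "off" are defined values; anything else is a misconfiguration.
function auditDnsPrefetchControl(rawResponse, profile = 'general') {
  const sep = rawResponse.search(/\r?\n\r?\n/);
  const headerBlock = sep === -1 ? rawResponse : rawResponse.slice(0, sep);
  const body = sep === -1 ? '' : rawResponse.slice(sep).trimStart();
  const headers = parseHeaders(headerBlock);

  let source = 'header';
  let values = (headers.get('x-dns-prefetch-control') || []).map(v => v.toLowerCase());
  if (values.length === 0) {
    const metaValue = metaPrefetchControl(body);
    if (metaValue !== null) { source = 'meta'; values = [metaValue]; }
  }

  if (values.length === 0) {
    return { present: false, value: null, source: null, effective: 'on',
             verdict: profile === 'privacy' ? 'fail' : 'info',
             note: 'Not set; browser default (prefetching on) applies.' };
  }
  const distinct = [...new Set(values)];
  if (distinct.length > 1) {
    return { present: true, value: distinct.join(','), source, effective: 'unknown',
             verdict: 'warn', note: 'Conflicting values; fix the server config.' };
  }
  const value = distinct[0];
  if (value !== 'on' && value !== 'off') {
    return { present: true, value, source, effective: 'unknown', verdict: 'warn',
             note: 'Unrecognized value; only "on" and "off" are defined.' };
  }
  const verdict = (profile === 'privacy' && value !== 'off') ? 'fail' : 'pass';
  return { present: true, value, source, effective: value, verdict,
           note: verdict === 'pass' ? 'OK' : 'Privacy-sensitive site should send "off".' };
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  privacyOff: 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-DNS-Prefetch-Control: off\r\n\r\n<html></html>',
  absent:     'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body><a href="https://example.net/">x</a></body></html>',
  metaOnly:   'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><head><meta http-equiv="x-dns-prefetch-control" content="off"></head></html>',
  upperOn:    'HTTP/1.1 200 OK\r\nx-dns-prefetch-control: ON\r\n\r\n',
  bogus:      'HTTP/1.1 200 OK\r\nX-DNS-Prefetch-Control: disabled\r\n\r\n',
};

for (const [name, raw] of Object.entries(SAMPLES)) {
  console.log(name, auditDnsPrefetchControl(raw, 'privacy'));
}
```

In practice the raw response comes from the scanner's HTTP client; the header is added on the server side with the ordinary response API (in Node, res.setHeader('X-DNS-Prefetch-Control', 'off')). The meta fallback is the part most header scanners skip, so a "missing header" finding should be confirmed against the document before being reported.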

Frequently Asked Questions

Should I disable DNS prefetching?
For most websites, no. DNS prefetching improves performance for users. Only disable it on privacy-sensitive pages where the DNS queries for linked domains could reveal sensitive information about the user's activity.
Does disabling DNS prefetching hurt performance?
Slightly. Without prefetching, DNS resolution happens when the user actually clicks a link, adding a small delay (typically 20-100 ms). For most users and sites, this is imperceptible. If specific cross-origin hosts are on the critical path, add explicit <link rel="dns-prefetch" href="..."> hints for those hosts even with the header set to "off", so only the domains you choose are resolved early.

Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.