Name Resolution Policy Table (NRPT) Support

Brass Contributor

Does / will Edge Chromium support reading of NRPT tables? If not, is this on the roadmap?

7 Replies

@Dave_Lee - Chromium detects whether any NRPT rules have been configured and if so takes that into account in a few places, but it does not, itself, utilize the NRPT tables.

 

However, I'm interested in learning more about your scenario. On Windows, by default, Chromium uses the system's DNS resolver (instead of using its own built-in resolver) and that means that the NRPT tables should be taken into account. If you're seeing something else, I'd be interested in learning more.

 

[In Edge, you can see the details of DNS resolutions for the current process by visiting edge://histograms/Net.DNS.TotalTimeTyped in the address bar. If you see a Net.DNS.TotalTimeTyped.System histogram, that means that the system resolver is getting used. IF you see instead Net.DNS.TotalTimeTyped.Async that means that the built-in (non-system) resolver is getting used.]

@Eric_Lawrence  Thanks for the response. We are big users of Direct Access, 1000+ machines, and in order to send traffic for specific sites / domains down through the DA tunnel, we're utilising "Selective Tunnelling" which requires us to manipulate our NRPT tables. Here is an article on the subject https://directaccess.richardhicks.com/2018/05/14/directaccess-selective-tunneling/

 

We cannot use "Force Tunnelling" as we use S4B voice which cannot go through the DA tunnel.

 

At the moment, only IE 11 and old Edge read the NRPT tables. Chrome, Firefox and Edge Chromium ignore the entries we've made.

 

Here is the scenario - We have many hosted services that are locked down to our two corporate, public facing IP's. Any attempt to access these services over other connections will not work, i.e. on DA when working remotely. Via the use of NRPT table manipulation and Selective Tunnelling, we can make these services available to our remote users as we force the traffic back down the DA tunnel and out of our corporate DIA's.

Any thoughts on this @Eric_Lawrence 

 

I think this ability will be needed by DA and Always On users.

@Elliot Kirk Can you help answer this one? 

Still hoping for further clarification on this.

@Dave_Lee At present, Chromium-based browsers do not make use of name-resolution policy tables for determining the proxy. Investigations into changing that remain underway.


NRPT rules that govern DNS lookups (e.g. getHostByName()) continue to impact those resolutions as long as Chrome is set to use the system DNS resolver (as it is by default on Windows).

 

Note that you can direct the new Edge to use the "system" Proxy resolver instead of the one built into the browser, which means that NRPT should be taken into account. To do so, launch Edge thusly:

 

   msedge.exe --winhttp-proxy-resolver

I would be interested to learn if this helps in your scenario.




Really appreciate this response @Eric_Lawrence 

 

I'll be sure to post back our findings.