Google started the rollout of DNS over HTTPS yesterday in Chrome Stable with the release of Chrome 83 Stable to the public.
The company calls it Secure DNS. DNS lookups are unencrypted by default; this means that DNS may be used to track the sites that an Internet user opens. Additionally, since it is unencrypted, bad actors may exploit it to manipulate or tamper with the connection, e.g. for phishing purposes.
DNS over HTTPS attempts to address this by encrypting DNS lookups. It uses HTTPS for that and that means that these lookups are more secure and private. DNS lookups cannot be used for monitoring a user's activity on the Internet anymore and bad actors cannot manipulate DNS responses for attacks.
Tip: Recent Windows 10 Insider Builds support DNS over HTTPs on the operating system level. All applications with Internet connectivity benefit from this if it is enabled.
Google made the decision to implement DNS over HTTPS in Chrome. The company decided that it would not interfere with the existing DNS setup of a system. Instead, it decided that it would use DNS over HTTPS in Chrome if the DNS servers that are set on the system support it.
In other words: the DNS settings are not changed. Another benefit of the approach is that certain add-ons, e.g. family safety protections or malware filtering, remain active.
Chrome will fall back to regular (unencrypted) DNS if issues are noticed during lookups. The browser won't use Secure DNS at all if parental controls are active on Windows systems or if certain Enterprise policies are set. New policies are available to enable DNS over HTTPS in managed environments.
Two of the main policies are:
DnsOverHttpsMode -- Controls the mode of DNS-over-HTTPS (Chrome 78 and newer)
off = Disable DNS-over-HTTPS
automatic = Enable DNS-over-HTTPS with insecure fallback
secure = Enable DNS-over-HTTPS without insecure fallback
DnsOverHttpsTemplates -- Specify URI template of desired DNS-over-HTTPS resolver (Chrome 80 and newer)
The URI template of the desired DNS-over-HTTPS resolver. To specify multiple DNS-over-HTTPS resolvers, separate the corresponding URI templates with spaces.
If the DnsOverHttpsMode is set to "secure" then this policy must be set and not empty.
If the DnsOverHttpsMode is set to "automatic" and this policy is set then the URI templates specified will be used; if this policy is unset then hardcoded mappings will be used to attempt to upgrade the user's current DNS resolver to a DoH resolver operated by the same provider.
If the URI template contains a dns variable, requests to the resolver will use GET; otherwise requests will use POST.
Chrome users may enable DNS over HTTPS in Chrome right away. The rollout may take weeks or even months to reach certain devices. If you don't want to wait that long, do the following to enable the feature in Chrome right away (restrictions still apply):
- Load chrome://flags/#dns-over-https in the browser's address bar.
- Set the experimental flag to Enabled.
- Restart Chrome
Note that you may need to change the DNS servers on the device as they need to support Secure DNS. Google DNS, Cloudflare, Quad9, and Cleanbrowsing all support Secure DNS.
Tip: you can use Cloudflare's Browser Experience Security Check to test if Secure DNS is enabled in the browser.
Google plans to introduce better preferences in the browser's Settings application. I checked Chrome 83 Stable and the latest Canary version and both did not have the updated preferences page yet.
You need to load chrome://settings/security in the web browser's address bar to access it. There you find a new option to enable or disable Secure DNS.
Chrome users who don't want to use it in the browser may turn it off right then and there once it becomes available.
Google plans to add an option to set a different DNS provider in the Settings; this should make it easier for users who have troubles modifying DNS settings on the network level.
Secure DNS will be made available on Chrome OS, Windows and Mac OS "progressively" according to Google. It will also come to Chrome on Linux and Android "soon".
Now You: Do you use DNS over HTTPs already on your system?