Google experiments with DNS-over-HTTPS in Chrome

Following hot on Mozilla’s trail, Google officially announced its own DNS-over-HTTPS (DoH) experiment in Chrome this week.

Mozilla recently announced that it would turn on DoH by default for users of the Firefox browser’s desktop version in the US. This provides some privacy protections compared with regular DNS queries, although as Paul Ducklin explains in the Naked Security podcast, it is not without its issues:


DNS-over-HTTPS section starts at 31’36”.

Nevertheless, Google clearly doesn’t want to be outdone. It published a blog post on Tuesday providing more detail on DoH functionality that it will include in Chrome 78.

Google is taking a slightly different approach to Mozilla, though. For one thing, it won’t change the user’s DNS provider. When Chrome makes a web request, it will check to see if that provider is on a list of DoH-friendly DNS services which Google says it has vetted for strong security and privacy. Only if it is on that list will it switch to DoH. This brings a significant benefit, according to the search and advertising giant:

By keeping the DNS provider as-is and only upgrading to the provider’s equivalent DoH service, the user experience would remain the same. For instance, malware protection or parental control features offered by the DNS provider will continue to work.

Right now, there are six providers in that list alongside Google itself: CleanBrowsing, Cloudflare (which is Mozilla’s DoH provider of choice), DNS.SB, OpenDNS, and IBM’s Quad9.

Google is making the service available on all Chrome-supported platforms with the exception of Linux and iOS. However, that doesn’t include managed Chrome deployments, which means that users of Chrome Enterprise and education customers are out for the time being. That seems to be its way of sidestepping the split-horizon problem that we outlined in our story about Mozilla’s DoH-by-default implementation earlier this week.

For now, the experiment will roll out to “a fraction” of Chrome users, although Google didn’t respond to questions about how they will be selected or where they are. If you’re one of them, you will be able to opt out by disabling the flag, accessible in Chrome 78 by typing the following into your address bar: chrome://flags/#dns-over-https

Chrome 78 will enter beta sometime between 19 and 26 September 2019, and is due for a stable release on 22 October 2019.