DNS-over-HTTPS Setting
16 Replies, 258 Upvotes
Last edited 7/22/19
Hi all,

This is a heads up about our short term plans for DNS over HTTPS in Chrome (design doc) - please feel free to provide your comments there or on this blog post.

DNS over HTTPS is, as the name implies, a protocol to perform Domain Name System resolution over HTTPS, i.e. converting a site name into an IP address over an encrypted channel.

Most DNS resolution today occurs over an unencrypted channel. This is bad for privacy and for security reasons. Anyone who is on-path can eavesdrop on your browsing habits or even tamper with the resolution to have you navigate to a phishing website or an “access blocked” page for censored sites (see https://tools.ietf.org/html/rfc7626#section-3 for examples).

This is a complex space and our short term plans won’t necessarily solve or mitigate all these issues but are nevertheless steps in the right direction.

Tentative plan
For the first milestone, we are considering an auto-upgrade approach. At a high level, here is how this would work:
  • Chrome will have a small (i.e. non-exhaustive) table to map non-DoH DNS servers to their equivalent DoH DNS servers. Note: this table is not finalized yet.
  • Per this table, if the system’s recursive resolver is known to support DoH, Chrome will upgrade to the DoH version of that resolver. On some platforms, this may mean that where Chrome previously used the OS DNS resolution APIs, it now uses its own DNS implementation in order to implement DoH.
  • A group policy will be available so that Administrators can disable the feature as needed.
  • Ability to opt-out of the experiment via chrome://flags.

In other words, this would upgrade the protocol used for DNS resolution while keeping the user’s DNS provider unchanged. It’s also important to note that DNS over HTTPS does not preclude its operator from offering features such as family-safe filtering.

Tentative timeline
We are aiming for an experiment in Chrome 78 (branch cut: Sept 5th; estimated Stable: Oct 22nd) followed by a launch if everything goes well.
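To make the auto-upgrade rules above concrete, here is an added Python model of the per-resolver decision; it is not Chrome's code. The upgrade table, resolver addresses and DoH URLs are constructed placeholders (Chrome's real table is not finalized, per the post), and the policy_enabled and flag_opt_out parameters are assumptions standing in for the group policy and the chrome://flags opt-out.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed placeholder table (NOT Chrome's real, unfinalized list):
# classic resolver address -> DoH endpoint of the same provider.
UPGRADE_TABLE: Dict[str, str] = {
    "192.0.2.53": "https://doh.provider.example/dns-query",
    "2001:db8::53": "https://doh.provider.example/dns-query",
}

# Constructed sample of an OS resolver configuration.
SAMPLE_RESOLV_CONF = """# constructed sample resolv.conf
nameserver 192.0.2.53
nameserver 10.0.0.2   # corporate resolver, unknown to the table
"""

@dataclass(frozen=True)
class Decision:
    resolver: str
    transport: str           # "doh" or "classic"
    endpoint: Optional[str]  # DoH URL when transport == "doh"
    reason: str

def parse_resolv_conf(text: str) -> List[str]:
    """Return nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def decide(resolvers: List[str], table: Dict[str, str] = UPGRADE_TABLE,
           policy_enabled: bool = True, flag_opt_out: bool = False) -> List[Decision]:
    """Apply the announced rules: the provider never changes, only the transport.
    policy_enabled models the admin group policy; flag_opt_out models the
    chrome://flags opt-out. Either one wins over the table lookup."""
    out = []
    for r in resolvers:
        if not policy_enabled:
            out.append(Decision(r, "classic", None, "disabled by enterprise policy"))
        elif flag_opt_out:
            out.append(Decision(r, "classic", None, "user opted out via chrome://flags"))
        elif r in table:
            out.append(Decision(r, "doh", table[r], "resolver known to support DoH"))
        else:
            out.append(Decision(r, "classic", None, "resolver not in table, stays on plain DNS"))
    return out
```

A corporate resolver that is not in the table keeps classic DNS, which is why filtering done at that resolver is unaffected under this plan.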
All Replies (16)
How is the family-safe filtering accomplished in this sense?

Maybe not the worst idea ever, but it's up there.

@George Zarebski DNS filtering is not recommended. Parental controls should be installed in the OS using official methods: iOS, Android, Windows/Xbox, and there are generally controls available for every platform. If you must use DNS filtering, you may disable DoH on the devices.

Note: not a Google employee.

Please provide a way to opt-out of DoH at the network level like Firefox is doing (see here). This is important for some network admins/sysadmins.

hunter ray, dns filtering is very much recommended. see https://dnsrpz.info/ for more information about how the world of network security, especially family (parental controls) and enterprise (corporate policy) makes use of this.

george zarebski, google is promising to use DoH to the system resolver if it's known to be supported. they have not said that they plan to do as mozilla does, and use a different (external, third party, uncontracted) resolver. so, your parental controls will still be in effect under google's announced plans.

spencertron, i think there is no cause for alarm here. google has stated that they will use DOH to use the system resolver if that resolver is known by google to support DOH. they will not, under the plans given, change where your DNS goes, merely how it gets there. the way to opt out of that is to prohibit off-net DNS other than that which comes from your own name servers. your own name servers will probably not be known by google to speak DOH. see also: https://www.darkreading.com/vulnerabilities---threats/benefits-of-dns-service-locality/a/d-id/1333088

to all, i have a lot of concerns about DoH, but google's approach as documented here (use the system's configured resolver, but speak DOH to that resolver if that resolver is known by google to speak DOH) is fundamentally respectful, unlike the mozilla approach (reset your default to point at cloudflare's DNS unless you stop them). DoH is cause for alarm! but google's approach as documented here seems least-insane.

As an enterprise customer, along with other regulated firms, we do deploy Google Chrome Enterprise and are aware that we will be able to control the settings via a GPO flag - DnsOverHttpsEnable. Two things come to mind.

First, we probably would prefer DoH off by default in our environment if Chrome Enterprise is installed in the near future for a period of time.

Second, we would like some type of network discovery mechanism to signal to Chrome and other DoH capable browsers (perhaps, some type of known URL to check based off the joined domain) to rely on our corporate DNS servers. Perhaps, not far into the future, also allow discovery/publishing of internal corporate DoH servers when we make them available.

What is this?