Security news that informs and inspires

Google Makes DNS Over HTTPS Default in Chrome

With the release of Chrome 83 this week, Google has introduced a new Secure DNS feature that implements DNS over HTTPS, ensuring that users’ DNS queries are encrypted from the browser to the DNS provider.

Turning on DNS over HTTPS (DoH) in the browser gives users a meaningful level of protection against network-level surveillance of their online activities. Under normal circumstances, the queries an individual sends to her DNS provider travel in plaintext over UDP or TCP port 53, so they are readable by the provider itself and by any party with privileged access to the network path, and they can be modified in transit. For most individuals the DNS provider is their ISP, so unencrypted DNS gives the ISP a very clear picture of a user's browsing. DoH instead carries the same DNS messages inside an HTTPS connection to the resolver, which protects them from on-path eavesdropping and tampering. It does not hide the queries from the resolver itself, which still sees every lookup, so the privacy gain depends on who the chosen provider is.

Google has been working on this feature in Chrome for quite a while, as has Mozilla, which began rolling out DoH in Firefox in February.

“The introduction of DNS-over-HTTPS gives the whole ecosystem a rare opportunity to start from a clean and dependable slate, making it easier to pursue further enhancements relying on DNS as a delivery mechanism. Thus far, the unencrypted nature of DNS has meant that features that extend DNS could randomly fail due to causes such as network equipment that may drop or modify newly introduced DNS fields,” Kenji Baheux, Chrome product manager, said in a post on the new feature.

“As DNS-over-HTTPS grows, it will put this concern aside because it benefits from the aforementioned HTTPS properties and sets a new reliable baseline to build upon.”

The introduction of DoH will be a boon for most individual users, but for enterprises the situation will likely be quite different. Many enterprises that use Chrome as the default browser do so in a managed environment, meaning that administrators control, for example, which versions employees run and which extensions they can install. But many enterprises also rely on network security products that inspect outbound DNS traffic to flag connections to malicious domains or to block prohibited content. Once the browser sends its queries over DoH, they look like any other HTTPS traffic on port 443 rather than DNS on port 53, so DNS-level inspection at the network edge no longer sees them. To avoid breaking those deployments, Chrome automatically disables Secure DNS when it detects a managed environment, and Google has added enterprise policies so administrators can configure DoH deliberately.

“If you are an IT administrator, Chrome will disable Secure DNS if it detects a managed environment via the presence of one or more enterprise policies. We’ve also added new DNS-over-HTTPS enterprise policies to allow for a managed configuration of Secure DNS and encourage IT administrators to look into deploying DNS-over-HTTPS for their users,” Baheux said.

Not all DNS providers support DoH yet. Chrome ships a list of providers that do, and it upgrades to DoH only when the resolver the user's system is already configured to use appears on that list, so the user's provider stays the same; if the current resolver is not on the list, Chrome continues to use plain DNS.

“By keeping the user’s chosen provider, we can preserve any extra services offered by the DNS service provider, such as family-safe filtering, and therefore avoid breaking user expectations. Furthermore, if there’s any hiccup with the DNS-over-HTTPS connection, Chrome will fall back to the regular DNS service of the user’s current provider by default, in order to avoid any disruption, while periodically retrying to secure the DNS communication,” Baheux said.
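
The two mechanisms the article turns on, why a plaintext DNS query is readable by anyone on the path and how a "try DoH, fall back to classic DNS, retry later" client behaves, are easier to see in code. The following is an added example written for this page, not code from Chrome or from Google's post: it encodes a DNS query in RFC 1035 wire format, reads the query name back out the way a passive observer on port 53 would, wraps the same message as an RFC 8484 DoH request (GET with `?dns=` or POST with `application/dns-message`), and models the fallback policy with injected transports so it runs offline. The resolver hostname `dns.example` is a placeholder, the mode names `off`/`automatic`/`secure` follow Chrome's `DnsOverHttpsMode` policy values as I read Chrome's documentation (the article does not name them), and the retry schedule is a simplification, not Chrome's actual timing.

```python
import base64
import struct
from typing import Callable, Dict, Tuple

# RFC 8484 media type for a DNS wire-format message carried over HTTPS.
DOH_CONTENT_TYPE = "application/dns-message"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a one-question DNS query in RFC 1035 wire format (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def parse_question_name(msg: bytes) -> str:
    """Return the QNAME of a DNS message. This is what anyone on the path to a
    plaintext port-53 resolver can read straight out of the packet."""
    pos, labels = 12, []  # question section starts after the 12-byte header
    while msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def doh_request(msg: bytes, template: str) -> Dict[str, object]:
    """Build the HTTPS request an RFC 8484 client sends for `msg`.
    A URI template ending in '{?dns}' selects GET with the message base64url
    encoded in the query string; otherwise the message is POSTed as the body.
    Returns the request fields only; no network I/O happens here."""
    if template.endswith("{?dns}"):
        b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
        return {"method": "GET",
                "url": template[:-len("{?dns}")] + "?dns=" + b64,
                "headers": {"Accept": DOH_CONTENT_TYPE}, "body": b""}
    return {"method": "POST", "url": template,
            "headers": {"Accept": DOH_CONTENT_TYPE,
                        "Content-Type": DOH_CONTENT_TYPE},
            "body": msg}


class SecureDnsResolver:
    """Simplified model (not Chrome's code) of the Secure DNS behaviour the
    article describes. Transports are injected so it runs offline.
      mode 'off'       -> classic DNS only
      mode 'automatic' -> DoH first; fall back to classic DNS when the DoH
                          connection fails; retry DoH every `retry_every`
                          classic queries
      mode 'secure'    -> DoH only; a failure is raised, never downgraded
    The mode names follow Chrome's DnsOverHttpsMode policy values as I read
    its documentation; the article itself does not name them."""

    def __init__(self, doh_send: Callable[[Dict[str, object]], bytes],
                 classic_send: Callable[[bytes], bytes], template: str,
                 mode: str = "automatic", retry_every: int = 3) -> None:
        self.doh_send, self.classic_send = doh_send, classic_send
        self.template, self.mode, self.retry_every = template, mode, retry_every
        self.doh_healthy = True
        self.classic_since_failure = 0

    def resolve(self, name: str) -> Tuple[str, bytes]:
        """Return (transport_used, response_bytes) for `name`."""
        msg = build_query(name)
        if self.mode == "off":
            return "classic", self.classic_send(msg)
        due_for_retry = self.classic_since_failure >= self.retry_every
        if self.mode == "secure" or self.doh_healthy or due_for_retry:
            try:
                resp = self.doh_send(doh_request(msg, self.template))
                self.doh_healthy, self.classic_since_failure = True, 0
                return "doh", resp
            except ConnectionError:
                if self.mode == "secure":
                    raise  # strict mode: fail closed instead of leaking plaintext
                self.doh_healthy, self.classic_since_failure = False, 0
        self.classic_since_failure += 1
        return "classic", self.classic_send(msg)


if __name__ == "__main__":
    # Constructed demo: what an on-path observer reads from a plain query vs
    # what the same query becomes when wrapped for a (hypothetical) DoH resolver.
    q = build_query("example.com")
    print("plaintext DNS exposes:", parse_question_name(q))
    req = doh_request(q, "https://dns.example/dns-query{?dns}")
    print("DoH sends an HTTPS", req["method"], "to", req["url"][:40] + "...")
```

The point of the `secure` branch is the one a practitioner should weigh when deploying the enterprise policies: the automatic behaviour described in the quote above favours availability, so a failed DoH connection silently downgrades the query to plaintext; a strict configuration instead lets the lookup fail rather than expose the name on the wire.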