Google to run DNS-over-HTTPS (DoH) experiment in Chrome

Google has announced plans to officially test the new DNS-over-HTTPS (DoH) protocol inside Google Chrome starting with v78, scheduled for release in late October this year.

The DNS-over-HTTPS protocol works by sending DNS requests to special DoH-compatible DNS resolvers. The benefit comes from the fact that DNS requests are sent via port 443, as encrypted HTTPS traffic, rather than cleartext, via port 53.

This hides DoH requests in the unending stream of HTTPS traffic that moves across the web at any moment of the day and prevents third-party observers from reconstructing users’ browsing histories by recording and inspecting their unencrypted DNS queries.
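To make the “DNS inside HTTPS” point concrete, here is an added example (not code from the article or from Chrome) that builds a standard wire-format DNS query and wraps it the way RFC 8484 specifies for DoH: either as the base64url `dns=` parameter of a GET, or as the body of a POST with the `application/dns-message` content type. The `https://dns.example/dns-query` template is a placeholder; the bytes on the wire are identical to what a port-53 resolver would receive, only now carried inside TLS on port 443.

```python
import base64
import struct

DOH_MEDIA_TYPE = "application/dns-message"


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"invalid DNS label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Build a single-question DNS query message (qtype 1 = A record).

    The transaction ID is 0, as RFC 8484 recommends for DoH: HTTPS already
    keeps requests apart, and a constant ID makes GET URLs cacheable.
    """
    # ID, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def doh_get_url(template: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url-encoded message, padding stripped."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template}?dns={b64}"


def doh_post_request(template: str, query: bytes) -> tuple[str, dict, bytes]:
    """RFC 8484 POST form: the raw DNS message is the HTTP body."""
    headers = {
        "Accept": DOH_MEDIA_TYPE,
        "Content-Type": DOH_MEDIA_TYPE,
        "Content-Length": str(len(query)),
    }
    return template, headers, query


if __name__ == "__main__":
    q = build_dns_query("www.example.com")
    print(doh_get_url("https://dns.example/dns-query", q))  # placeholder resolver
    print(doh_post_request("https://dns.example/dns-query", q)[1])
```

The GET URL produced for `www.example.com` matches the worked example in RFC 8484 section 4.1.1, which is a convenient way to check an encoder.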

The news that Google is looking into testing DoH in Chrome comes just as Mozilla announced plans over the weekend to gradually enable DoH by default for a small subset of users in the US later this month. If Mozilla’s plan goes as expected, the browser maker hopes to have the feature enabled by default for all US users by next year.

Google’s DoH plan

Google’s DoH plan differs because the browser maker had fallen behind in supporting this new protocol. Firefox has had DoH support since last year, while Chrome devs only added it in May this year.

While Firefox has run countless DoH tests already, Google is only now starting to test the two-year-old protocol. Google’s first public test is scheduled for October 22, when Google will release Chrome 78.

In a support document published yesterday, Google said that Chrome 78 would automatically switch to using DoH instead of classic DNS when certain criteria are met.

If a Chrome user’s operating system is configured with the normal DNS servers of a provider that also runs a DoH-compatible resolver, Chrome will send its DNS requests to that provider’s DoH resolver instead of the normal DNS servers.

For this initial test, Google said it would switch to DoH instead of regular DNS only for a few DNS providers, and not all. The list of supported DNS providers includes Cleanbrowsing, Cloudflare, DNS.SB, Google, OpenDNS, and Quad9.

For example, if a user is using DNS servers from Cloudflare for normal DNS requests, Chrome will automatically send DNS requests to Cloudflare’s alternative DoH-compatible DNS resolver instead.

“The providers included in the list were selected for their strong stance on privacy and security, as well as the readiness of their DoH services, and also agreed to participate in the experiment,” said Kenji Baheux, Chrome Product Manager.

If DoH requests fail, Chrome falls back on normal DNS

Users who use DNS providers not included on this list won’t be included in Google’s DoH experiment.

If the switch fails, or the DoH resolver doesn’t answer in a timely manner, Chrome will automatically fall back to the classic DNS resolver the system was already using.
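The “same-provider upgrade with fallback” policy described above, modelled as an added example; this is a simplified illustration, not Chrome’s implementation or its real provider table. The mapping uses the providers’ well-known public resolver addresses and the DoH endpoints I believe they publish, but treat both as assumptions and confirm them against each provider’s documentation; the `doh_send` and `classic_send` callables are injected so the decision logic can be exercised offline.

```python
from typing import Callable, Iterable

# Constructed illustration of the upgrade table the article describes:
# a resolver IP maps to the DoH endpoint run by the same provider.
# Addresses and URLs are assumed; verify against provider documentation.
UPGRADE_TABLE = {
    "Cloudflare": ({"1.1.1.1", "1.0.0.1"}, "https://cloudflare-dns.com/dns-query"),
    "Google": ({"8.8.8.8", "8.8.4.4"}, "https://dns.google/dns-query"),
    "Quad9": ({"9.9.9.9", "149.112.112.112"}, "https://dns.quad9.net/dns-query"),
}


def select_doh_templates(system_resolvers: Iterable[str]) -> list[str]:
    """Return DoH endpoints for each configured resolver that belongs to a
    listed provider, preserving order and skipping duplicates. An empty list
    means the user is outside the experiment and classic DNS is used."""
    chosen: list[str] = []
    for ip in system_resolvers:
        for _provider, (ips, doh_url) in UPGRADE_TABLE.items():
            if ip in ips and doh_url not in chosen:
                chosen.append(doh_url)
    return chosen


def resolve(
    name: str,
    system_resolvers: list[str],
    doh_send: Callable[[str, str], list[str]],
    classic_send: Callable[[list[str], str], list[str]],
) -> tuple[str, list[str]]:
    """Try the same-provider DoH endpoints first; on timeout or transport
    error fall back to the classic resolvers. Returns (transport, answers)."""
    for url in select_doh_templates(system_resolvers):
        try:
            return "doh", doh_send(url, name)
        except (TimeoutError, ConnectionError):
            continue  # try the next upgraded endpoint, then classic DNS
    return "classic", classic_send(system_resolvers, name)


if __name__ == "__main__":
    # Constructed stubs standing in for real network calls.
    def doh_ok(url, name):
        return ["192.0.2.10"]  # documentation-range address, constructed

    def doh_timeout(url, name):
        raise TimeoutError("no answer within budget")

    def classic(servers, name):
        return ["192.0.2.20"]

    print(resolve("example.com", ["1.1.1.1"], doh_ok, classic))
    print(resolve("example.com", ["1.1.1.1"], doh_timeout, classic))
    print(resolve("example.com", ["192.0.2.53"], doh_ok, classic))
```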

“The goals of this experiment are to validate our implementation and to evaluate the performance impact,” Baheux said.

“Our experiment will run on all supported platforms (with the exception of Linux and iOS) for a fraction of Chrome users. On Android 9 and above, if the user has specified a DNS-over-TLS provider in the private DNS settings, Chrome may use the associated DoH provider, and will fall back to the system private DNS upon error.”

The DNS-over-TLS protocol mentioned by Baheux works by encrypting the actual DNS traffic sent on port 53, rather than redirecting it over port 443. Many consider it superior to DoH; however, supporting it is a rather complicated matter for the time being.

Google’s plan for supporting DoH is the complete opposite of Mozilla’s implementation. Currently, Mozilla is turning on DoH support by funneling all Firefox DNS traffic through Cloudflare’s servers by default. Firefox users can change this setting to use custom DoH resolvers, but the browser maker has come under criticism for using Cloudflare as the default.

Google’s decision to switch DNS servers only to the DoH counterparts offered by the same DNS providers should quell any concerns that Google is funneling a large chunk of the internet’s DNS traffic toward a single provider.

There is also another benefit. Google said that because Chrome replaces a DNS resolver only with the DoH alternative from the same provider, any DNS-based filters and parental controls configured at the DNS provider’s level remain intact. As DoH support later expands to include DNS servers run by internet service providers (ISPs), this “same provider switching” mechanism will prevent DoH from bypassing DNS-based filters set up at the ISP level, which are sometimes put up to block access to child abuse content or are legally mandated by country-level blocklists.

How to (not) participate

If users don’t want to be included in the Chrome DoH experiment, they can use a DNS provider that’s not on Google’s list (which most of the Chrome user base already does), or they can disable DoH support by changing the chrome://flags/#dns-over-https flag.

If they want to participate in the Chrome DoH experiment, they should configure their operating system to use DNS servers from the DNS providers listed above.

If users want to enable DoH right now and don’t want to wait until October, the only way to use DoH in Chrome is to enable it manually through a somewhat involved process that requires adding a command-line argument to the Chrome executable’s shortcut, as detailed here.