Web Browsers' Implementation of DNS over HTTPS (and DNS over TLS)
Immediately after Mozilla announced its plan to soon enable ‘DNS over HTTPS’ (DoH) by default for Firefox users in the United States, Google today says it is planning an experiment with the privacy-focused technology in its upcoming Chrome 78.
Under development since 2017, ‘DNS over HTTPS’ performs DNS lookups—finding the server IP address of a certain domain name—over an encrypted HTTPS connection to a DNS server, rather than sending DNS queries in plaintext.
The protocol, which sends DNS queries over secure HTTPS connections, has been designed specifically to prevent miscreants from interfering with domain name lookups, thereby stopping network observers, including your ISP and on-path attackers, from learning which sites you visit.
Though the privacy-focused technology also helps prevent attackers from redirecting unsuspecting visitors to phishing and malware sites, DNS over HTTPS brings its own challenges for enterprise security solutions by making it harder to monitor network traffic for malicious activity.
For the same reason, two months ago the UK Internet Services Providers’ Association (ISPA) nominated Mozilla for its “Internet villain of the year” award after the company added support for the DoH protocol in its Firefox browser, which breaks DNS-based content filters.
However, it should be noted that Firefox by default sets its DoH server to Cloudflare and the setting must be changed manually, for which Mozilla has been criticized, whereas Google’s implementation only upgrades to the equivalent DoH service of the same provider the user is already using.
Enabling ‘DNS over HTTPS’ in Chrome 78
In a blog post published today, Google said the company will add its implementation of ‘DNS over HTTPS’ to the upcoming Chrome 78, which is due for beta release in the next two weeks, and will enable the feature for a fraction of users as an early experiment.
The experimental feature will automatically upgrade the DNS provider to the equivalent DoH service from the same provider if the user’s current DNS provider is part of the list of known DoH-compatible providers. If not in the list, Chrome will continue to operate as it does today.
“In other words, this would upgrade the protocol used for DNS resolution while keeping the user’s DNS provider unchanged. It’s also important to note that DNS over HTTPS does not preclude its operator from offering features such as family-safe filtering,” Google says.
Chrome 78 users who want to manually opt-in or opt-out of the experiment can change the flag settings at chrome://flags/#dns-over-https.
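The two mechanisms described above, the "same-provider upgrade" decision and the actual DNS lookup carried over HTTPS, can be seen in code. The following is an added example and is not code from the article, from Chrome or from Firefox. It assumes a small mapping of classic resolver IPs to their operators' public DoH endpoints (a constructed table for illustration, not Chrome's actual provider list, which the article does not reproduce), builds a DoH GET request in the RFC 8484 format (a wire-format DNS query, base64url-encoded without padding, in the `dns` query parameter), and parses a constructed wire-format reply so that everything runs offline.

```python
# Added example (not from the article, Chrome or Firefox): how a DNS lookup is
# carried over HTTPS per RFC 8484, and how a browser-style "same-provider
# upgrade" decides whether to use DoH at all.
import base64
import struct

# Constructed mapping of classic resolver IPs to their operator's DoH endpoint.
# Assumption for this example only; Chrome's real provider list is not shown here.
DOH_UPGRADE_TABLE = {
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
    "1.0.0.1": "https://cloudflare-dns.com/dns-query",
    "8.8.8.8": "https://dns.google/dns-query",
    "8.8.4.4": "https://dns.google/dns-query",
}

def choose_doh_endpoint(configured_resolver: str):
    """Mirror the upgrade rule from the article: if the user's current resolver
    belongs to a known DoH-capable provider, return that provider's DoH URL;
    otherwise return None, meaning 'keep using plaintext DNS as today'."""
    return DOH_UPGRADE_TABLE.get(configured_resolver)

def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a minimal DNS query (RFC 1035 wire format). RFC 8484 recommends
    transaction ID 0 for DoH so HTTP caches can reuse identical queries."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def doh_get_url(endpoint: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url of the wire-format query, padding stripped,
    in the 'dns' parameter (the request carries Accept: application/dns-message)."""
    encoded = base64.urlsafe_b64encode(query).decode("ascii").rstrip("=")
    return f"{endpoint}?dns={encoded}"

def parse_a_answers(message: bytes) -> list:
    """Extract IPv4 addresses from the answer section of a wire-format reply."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])

    def skip_name(p: int) -> int:
        while True:
            length = message[p]
            if length == 0:
                return p + 1
            if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
                return p + 2
            p += 1 + length

    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", message[pos:pos + 10])
        pos += 10
        rdata = message[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in rdata))
    return addrs

def sample_response() -> bytes:
    """Constructed reply (not captured from any real resolver): the example.com
    query echoed back with one A record for 192.0.2.1, a documentation address."""
    question = build_dns_query("example.com")[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

if __name__ == "__main__":
    endpoint = choose_doh_endpoint("1.1.1.1")
    print(endpoint and doh_get_url(endpoint, build_dns_query("www.example.com")))
    print(choose_doh_endpoint("192.168.1.1"))  # None: not a known provider, no upgrade
    print(parse_a_answers(sample_response()))
```

The `www.example.com` URL the script prints carries the same `dns=` value as the GET example in RFC 8484, which is a quick way to check an encoder. The point of `choose_doh_endpoint` returning `None` for an unknown resolver is the behaviour the article attributes to Chrome: a corporate or home resolver that is not on the list keeps resolving in plaintext, so any DNS-based filtering it performs is unaffected.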
Chrome-Compatible ‘DNS over HTTPS’ Providers
Google says it has selected some DNS providers for “their strong stance on security and privacy, as well as the readiness of their DoH services” and their agreement to participate in the test. The list of providers currently includes:
The experiment will run on all platforms for Chrome 78 users except Linux and iOS, with the goals to validate the company’s “implementation and to evaluate the performance impact.”
On Android 9 and later, if users have set a DNS-over-TLS (DoT) provider in the private DNS settings, Chrome may attempt to use DoH instead, but if an error occurs, the browser falls back to the DoT setting.
For those unaware, DoH and DoT are separate standards for encrypting DNS queries, but the underlying idea is the same: DoT carries DNS over a TLS connection on its own port, while DoH carries it inside HTTPS requests.
Swati Khandelwal