Google has announced that it will soon run a trial of DNS-over-HTTPS (DoH) in the Google Chrome browser. The experiment will be conducted in Chrome 78 and will attempt to upgrade a user's existing DNS server to that provider's corresponding DoH server and, if one is available, use it for DNS resolution.
For those unfamiliar with DoH, it carries DNS queries and responses inside encrypted HTTPS connections (standardized in RFC 8484) rather than as the usual plaintext DNS lookups over UDP or TCP port 53.
As some countries and ISPs block sites by monitoring or tampering with DNS traffic, DoH lets users bypass that kind of DNS-based censorship, resist spoofing of responses by an on-path attacker, and gain privacy, because nobody between the browser and the resolver can read the requests. The resolver operator itself still sees every query, which is the crux of the criticism of Mozilla's plan discussed below.
“As the name implies, the idea is to bring the key security and privacy benefits of HTTPS to DNS, which is how your browser is able to determine which server is hosting a given website. For example, when connected on a public WiFi, DoH would prevent other WiFi users from seeing which websites you visit, as well as prevent potential spoofing or pharming attacks.”
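To make concrete what "DNS over HTTPS" changes and what it does not, here is an added example (not code from the article, from Chrome or from Firefox) that builds the DNS wire-format query a DoH client sends, encodes it the way RFC 8484 places it in an HTTPS GET URL, and validates and parses a constructed reply. The resolver URL https://dns.example/dns-query and the returned address are assumptions for illustration, and nothing is sent over the network. The point to take away is that the bytes are the same RFC 1035 message classic DNS has always used; only the transport changes, so an on-path observer sees TLS to a port 443 endpoint while the resolver sees exactly what a port 53 resolver would.

```python
"""Added example (not from the article, Chrome or Firefox): a DNS-over-HTTPS
(RFC 8484) exchange built entirely offline. The DNS message is the same
RFC 1035 wire format as classic port-53 DNS; only the transport changes.
Real DoH templates look like https://<resolver>/dns-query and accept either
GET ?dns=<base64url> or a POST body with Content-Type: application/dns-message."""
import base64
import struct

DOH_URL = "https://dns.example/dns-query"  # assumed endpoint, illustration only


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """DNS query in wire format for `name` (QTYPE 1 = A record).
    RFC 8484 recommends a zero transaction ID for GET so identical queries
    map to identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def doh_get_url(query: bytes, template: str = DOH_URL) -> str:
    """Place the query in a DoH GET URL: base64url without '=' padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template}?dns={encoded}"


def build_sample_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed resolver response (sample data, not a real lookup): echoes
    the question and adds one A record whose owner name is a compression
    pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
    return header + query[12:] + rr + bytes(int(o) for o in ipv4.split("."))


def _read_name(msg: bytes, offset: int) -> tuple:
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_a_records(response: bytes, query: bytes) -> list:
    """Validate a DoH response body against the query it answers and return
    the IPv4 addresses from its A records. The checks are the ones any DNS
    client must make regardless of transport: matching ID, QR=1, RCODE 0,
    and a question section echoed unchanged."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID does not match the query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0x000F}")
    if response[12:len(query)] != query[12:]:
        raise ValueError("question section was not echoed unchanged")
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(response, offset)
        offset += 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = _read_name(response, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def demo() -> dict:
    """Round trip: query for example.com, the URL a DoH client would fetch,
    and the addresses parsed from a constructed reply (93.184.216.34 is
    sample data, not a live lookup)."""
    query = build_query("example.com")
    response = build_sample_response(query, "93.184.216.34")
    return {"url": doh_get_url(query), "wire_len": len(query),
            "addrs": parse_a_records(response, query)}
```

Calling demo() returns the 29-byte query encoded as a 39-character base64url string in the GET URL together with the parsed address. A real client would fetch that URL (or POST the raw bytes) over TLS and hand the body to parse_a_records; a resolver that returns SERVFAIL or a mismatched ID is rejected before any answer is trusted, which is the same failure point Chrome's fallback to plain DNS would hit.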
Experiment conducted in Chrome 78
For a small group of users running Chrome 78, the upcoming Beta build, Google will run an experiment that checks whether the user's configured DNS provider is on a short list of providers known to operate a DoH service. If it is, Chrome will automatically upgrade to that provider's DoH server for DNS resolution.
If the user's DNS provider is not on the list, Chrome will fall back to normal DNS resolution.
The DNS providers that will be upgraded as part of this test are:
Cleanbrowsing
Cloudflare
DNS.SB
Google
OpenDNS
Quad9
The experiment will run on all supported platforms other than Linux and iOS. On Android 9 and later, if the user has configured a DNS-over-TLS (DoT) provider, Chrome will use that instead and will fall back to a DoH server from the list only if the DoT lookup fails.
By upgrading DNS resolution to DoH only when the user's current DNS provider is supported, Google says the user's DNS resolution experience will stay the same.
By keeping the DNS provider as-is and only upgrading to the provider’s equivalent DoH service, the user experience would remain the same. For instance, malware protection or parental control features offered by the DNS provider will continue to work. If DoH fails, Chrome will revert to the provider’s regular DNS service. Opting-out of the experiment will be possible from Chrome 78 by disabling the flag at chrome://flags/#dns-over-https.
Mozilla, though, has different plans, which are being met with criticism.
Mozilla DoH plan receives criticism
Mozilla announced last week that they would be enabling DoH by default in the Firefox browser, but instead of trying to upgrade to a DoH server operated by the user’s DNS provider, they will use Cloudflare’s DoH servers instead.
This push to use Cloudflare's DoH server rather than one run by the user's existing DNS provider has drawn criticism from operating system distribution maintainers and network administrators.
For example, OpenBSD developer Peter Hessler tweeted that OpenBSD has disabled DoH in their Firefox package in the current and future releases as “sending all DNS traffic to Cloudflare by default is not a good idea.”
Kristian Köhntopp, a senior scalability engineer, stated that Mozilla is about to “break DNS” because Cloudflare will be used for DNS resolution instead of the resolver assigned by the system administrator. In a corporate environment this leaks the names of all the websites you visit to Cloudflare.
Those who do not want to use the default Cloudflare DoH server in Firefox can go to Options, then Network Settings, and change the provider under Use Provider to a custom one, or untick the DoH option in that same dialog. The setting is also exposed in about:config as network.trr.mode, where a value of 5 turns DoH off explicitly.
Most users, however, will be unaware of any change and will use Cloudflare's DoH server by default.
That is not necessarily a bad thing, since they will at least get encrypted DNS resolution, but data is the Internet's currency, and Cloudflare will be collecting a lot of it.