Skip to content
Naked Security Naked Security

Google experiments with DNS-over-HTTPS in Chrome

Following hot on Mozilla's trail, Google officially announced its own DNS-over-HTTPS (DoH) experiment in Chrome this week.

Following hot on Mozilla’s trail, Google officially announced its own DNS-over-HTTPS (DoH) experiment in Chrome this week.

Mozilla recently announced that it would turn on DoH by default for users of the Firefox browser’s desktop version in the US. This provides some privacy protections compared with regular DNS queries, although as Paul Ducklin explains in the Naked Security podcast, it is not without its issues:


DNS-over-HTTP section starts at 31’36”.
Click-and-drag on the soundwaves below to skip ahead in the podcast.

Audio player above not working? Download MP3, listen on Soundcloud or on Apple Podcasts, or access via Spotify.

Nevertheless, Google clearly doesn’t want to be outdone. It published a blog post on Tuesday providing more detail on DoH functionality that it will include in Chrome 78.

Google is taking a slightly different approach to Mozilla, though. For one thing, it won’t change the user’s DNS provider. When Chrome makes a web request, it will check to see if that provider is on a list of DoH-friendly DNS services which Google says it has vetted for strong security and privacy. Only if it is on that list will it switch to DoH. This brings a significant benefit, according to the search and advertising giant:

By keeping the DNS provider as-is and only upgrading to the provider’s equivalent DoH service, the user experience would remain the same. For instance, malware protection or parental control features offered by the DNS provider will continue to work.

Right now, there are six providers in that list alongside Google itself: CleanBrowsing, Cloudflare (which is Mozilla’s DoH provider of choice), DNS.SB, OpenDNS, and IBM’s Quad9.

Google is making the service available on all Chrome-supported platforms with the exception of Linux and iOS. However, that doesn’t include managed Chrome deployments, which means that users of Chrome Enterprise and education customers are out for the time being. That seems to be its way of sidestepping the split-horizon problem that we outlined in our story about Mozilla’s DoH-by-default implementation earlier this week.

For now, the experiment will roll out to “a fraction” of Chrome users, although Google didn’t respond to questions about how they will be selected or where they are. If you’re one of them, you will be able to opt-out by disabling the flag, accessible in Chrome 78 by typing the following into your address bar: chrome://flags/#dns-over-https

Chrome 78 will enter beta sometime between 19 and 26 September 2019, and is due for a stable release on 22 October 2019.


“with the exception of Linux” sooo….one of groups of people most wanting the feature?


I suspect that many of the people running Linux as a desktop OS will be c00l enough to run their own DNS-over-HTTPS or DNS-over-TLS forwarder locally so that all their DNS traffic leaves the computer encrypted, thus obviating the need for a browser-specific DNS hack. (And some of those will be c00l enough to run Firefox instead of Chromium instead of Chrome, and some of those will be c00l enough to run one of the BSDs instead of Linux :-)


how do we verify if DOH is active using Google DNS. Cloudfare offers to verify but how about Google ? is there a URL to verify?


spotted this
Update: Due to a last minute technical issue, we have postponed this experiment to Chrome 79.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!