How to enable DNS-over-HTTPS (DoH)
What is DoH
DoH (IETF RFC 8484) lets the browser send DNS queries as ordinary-looking HTTPS requests to DoH-capable DNS servers (called DoH resolvers). The queries are encrypted by TLS like any other HTTPS traffic and blend into the normal deluge of HTTPS data on port 443. DNS-over-TLS (DoT, RFC 7858) is a related protocol that also encrypts DNS, but it runs on its own port (853), which makes it easier for a network to identify and block.
By moving DNS server settings from the OS to the browser level, and by encrypting the DNS traffic, DoH hides the content of DNS queries from internet service providers (ISPs), local parental control software, antivirus software, enterprise firewalls and traffic filters, and about any other third party that tries to intercept and sniff a user's traffic. It does not hide the IP addresses the browser then connects to, nor the TLS SNI of those connections, so an observer on the network can still infer a good deal of what is being visited.
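As an added illustration (not from the original post), the following Python builds a DNS query in the same wire format that normally travels in a UDP datagram to port 53, shows the two RFC 8484 encodings a DoH client wraps it in (GET with a base64url query string, and POST with an application/dns-message body), and decodes a sample response. The resolver URL is Cloudflare's endpoint from this post; the response bytes are constructed for the example, not captured traffic, and the code runs offline.

```python
"""Added example (not from the original post): what a DoH client puts on the
wire per RFC 8484.  The DNS message is the same binary format that normally
goes to UDP port 53; DoH just makes it the payload of an HTTPS request to
port 443.  Runs offline: SAMPLE_RESPONSE is constructed, not captured."""
import base64
import struct

DOH_RESOLVER = "https://1.1.1.1/dns-query"  # Cloudflare endpoint used in the post
TYPE_A, CLASS_IN = 1, 1


def build_query(name, qtype=TYPE_A, txid=0):
    """Minimal DNS wire-format query (RFC 1035 section 4).

    RFC 8484 section 4.1 recommends ID 0 so HTTP caches can reuse answers; the
    TLS session, not the ID, protects DoH against spoofed replies.
    """
    # header: id, flags (RD=1 -> recursion desired), qd=1, an=0, ns=0, ar=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(resolver, query):
    """RFC 8484 GET form: base64url of the message in ?dns=, padding removed."""
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return resolver + "?dns=" + enc


def doh_post_request(resolver, query):
    """RFC 8484 POST form: raw message as body, typed application/dns-message.
    This is the method the post's --force-fieldtrial-params line selects."""
    return {
        "method": "POST",
        "url": resolver,
        "headers": {
            "Content-Type": "application/dns-message",
            "Accept": "application/dns-message",
        },
        "body": query,
    }


def _read_name(msg, off, hops=0):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels = []
    end = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                # caller resumes after the 2-byte pointer
            off, hops = ptr, hops + 1
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                             # qtype + qclass
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed sample response (not captured): id 0, flags 0x8180 (QR, RD, RA),
# echoed question for example.com/A, one answer whose name is a compression
# pointer (c00c) back to the question, TTL 300, A record 93.184.216.34.
SAMPLE_RESPONSE = bytes.fromhex(
    "0000 8180 0001 0001 0000 0000"
    "07 6578616d706c65 03 636f6d 00 0001 0001"
    "c00c 0001 0001 0000012c 0004 5db8d822"
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("GET ", doh_get_url(DOH_RESOLVER, q))
    print("POST", doh_post_request(DOH_RESOLVER, q)["headers"])
    print("answer:", parse_a_records(SAMPLE_RESPONSE))
```

To send the request for real, hand the dict from doh_post_request to any HTTPS client; a passive observer then sees only a TLS connection to 1.1.1.1:443, whereas the same message sent classically is a plaintext UDP datagram to port 53 with the queried name readable in the clear.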
Mozilla added DoH support to Firefox in 2018. Currently, enabling DoH in Firefox takes only a few clicks.
Enabling DoH in Chrome is less straightforward, as Google is a little behind in supporting the protocol. DoH works fine in Chrome, but there is no settings page for it; it has to be switched on through a command-line flag or chrome://flags.
Enabling and disabling DNS-over-HTTPS in Chrome
Before Chrome 78
To enable DoH support in Chrome before version 78, users had to use a so-called command-line argument (or command-line flag): additional instructions passed to the Chrome executable at start-up to turn on in-development features.
Find your Chrome shortcut. This may be on your taskbar, desktop, start menu, or somewhere else on your file system.
Right-click on the Chrome shortcut and select the Properties option.
In the Target field, add the following text at the end of the shortcut path and click OK.
--enable-features="dns-over-https<DoHTrial" --force-fieldtrials="DoHTrial/Group1" --force-fieldtrial-params="DoHTrial.Group1:server/https%3A%2F%2F1.1.1.1%2Fdns-query/method/POST"
The above text configures Chrome to use the Cloudflare DoH server over POST. Users can substitute any other public DoH resolver; note that the resolver URL inside the field-trial parameters must be percent-encoded, as https%3A%2F%2F1.1.1.1%2Fdns-query is above.
If Chrome is already running, restart it. Otherwise, start Chrome.
To test whether DoH is working in Chrome, visit https://1.1.1.1/help or https://www.cloudflare.com/ssl/encrypted-sni/. Next to "Using DNS over HTTPS (DoH)" the page should say "Yes." This check only reports on Cloudflare's own resolver; if you configured a different DoH server it will say "No" even when DoH is working.
Note: Chrome 78 enables opportunistic DoH if the system resolver address matches one of the hard-coded DoH providers (source code change). This experiment is enabled for all platforms except Linux and iOS, and excludes enterprise deployments by default.
Chrome 78 and later
As of Chrome 78, the DoH implementation works as follows. If your system DNS servers are set to Google Public DNS, Chrome automatically switches to Google's DoH resolver (https://dns.google.com/dns-query). For users of Cloudflare DNS it switches to Cloudflare's DoH resolver (https://cloudflare-dns.com/dns-query). If the configured resolver is not on Chrome's hard-coded list, DNS stays unencrypted.
There is a flag, chrome://flags/#dns-over-https, that can be used to change how DoH works in Google Chrome.
To enable DNS over HTTPS (DoH) in Chrome:
Open Google Chrome.
Type the following in the address bar:
chrome://flags/#dns-over-https.
Select Enabled from the drop-down list next to the Secure DNS lookups option.
Relaunch the browser when prompted.
Enabling and disabling DNS-over-HTTPS in Firefox
Click the menu button and choose Options.
In the General panel, scroll down to Network Settings and click the Settings… button.
In the dialog box that opens, scroll down to Enable DNS over HTTPS.
On: Select the Enable DNS over HTTPS checkbox. Select a provider or set up a custom provider. Note that this checkbox sets network.trr.mode to 2, meaning Firefox tries DoH first but falls back to the system's plain DNS if the DoH resolver fails; to make Firefox DoH-only, set network.trr.mode to 3 in about:config.
Off: Deselect the Enable DNS over HTTPS checkbox.
Click OK to save your changes and close the window.
Author Canary
LastMod December 22, 2019