
Google rolls out DNS-over-HTTPS support in Chrome 83 - samizdis
https://www.theregister.co.uk/2020/05/20/google_chrome_83/
======
nickcw
For those of you worrying about what this will do to parental controls, I did
a little bit of research.

In this blog the chromium team say:

[https://blog.chromium.org/2019/10/addressing-some-misconcept...](https://blog.chromium.org/2019/10/addressing-some-misconceptions-about.html)

> The first claim is that Google is going to redirect user DNS traffic to
> Google's own DNS or another DoH-compliant DNS provider. That is incorrect.
> Because we believe in user choice and user control, we have no plans to
> force users to change their DNS provider. Today, there are many independent
> DNS providers, although ISPs serve approximately 97% of user DNS needs. As
> long as these service providers keep catering to user needs and concerns, it
> will remain a diverse ecosystem. We’re simply enabling support in Chrome for
> secure DoH connections if a user’s DNS provider of choice offers it. Chrome
> will check if the user’s DNS provider is among a list of participating DoH-
> compatible providers and if so, it will enable DoH. If the DNS provider is
> not on the list, Chrome won’t enable DoH and will continue to operate as it
> does today. As DoH adoption increases, we expect to see the number of DoH-
> enabled DNS providers grow.

This is reiterated in the next paragraph:

> The second claim we’ve seen is that the secure DoH connection will limit the
> family-safe content controls offered by some ISPs. In fact, any existing
> content controls of your DNS provider, including any protections for
> children, should remain active. DoH secures the URL data only while it’s in
> transit between your browser and the DNS provider, so your provider’s
> malware protection and parental control features will continue to work as
> they have in the past.

So this isn't going to break parental controls by default...

...unlike Firefox's proposed scheme which requires action by the DNS
providers.

[https://support.mozilla.org/en-US/kb/configuring-networks-di...](https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https)

~~~
snazz
Using DNS for parental controls is likely not very effective except for very
young children. Most devices that you would give to children (anything from
Apple, most Android devices, Chromebooks, Windows) offer parental controls
that aren't as easy to circumvent and work on networks other than your home
network. Of course, it might be good to use both as a sort of defense in
depth.

~~~
cmrdporcupine
Parental controls on Chromebooks are awful. Family Link itself is a badly put
together product, but its claim to support ChromeOS is woeful: half of the
stuff doesn't work, and mysteriously disappears from the app when the device
in question is a Chromebook.

They haven't done a good job. FWIW I work for Google, mean no offense to the
team that works on this, but it has all sorts of problems, including service
reliability. My wife is taking UX design courses and one of her final course
projects was a multi page paper breaking down a bunch of our issues with it
:-)

We've been down this road for months. Issues at home with mental health
damaging content being accessed repeatedly, and I ended up signing up for
OpenDNS; problem solved [for now].

~~~
nolroz
I've been extremely frustrated with the UX and functionality of Family Link.

------
dijit
DoH is such a weird concept to me. It feels like HTTP is a pretty poor
protocol to be eating the world.

I can easily imagine that the resources being spent on DoH are many orders of
magnitude more than was spent on actually fixing or updating the DNS protocol.

This is not in defence of the current DNS system, I'm just sad that the only
way we can think to fix DNS is to make it not DNS, but some form of HTTP name
resolution.

~~~
MaxBarraclough
There's value in solving the security challenges of HTTPS _once_, and to then
resist reinventing the wheel elsewhere. Using it for DNS doesn't strike me as
a particularly bad case of shoehorning.

What specifically don't you like about the use of HTTPS? Would you prefer DNS-
over-TLS? Apparently [0] that's an option too. I don't think it would be
possible to be quite as lightweight as the plain old UDP-based DNS protocol
while giving the desired security properties.

[0]
[https://en.wikipedia.org/wiki/DNS_over_TLS](https://en.wikipedia.org/wiki/DNS_over_TLS)

~~~
dijit
I specifically mentioned "HTTP" and not "HTTPS" because, while there are some
security extension headers in http; the majority of HTTPS's security is a
solved-once situation already in the form of TLS.

The reason I don't like HTTP for all purposes is because, while it has proven
to be expandable, I feel like we're going to have this "oh shit" moment in 10
years where we realise all the cruft we've added to it and how it's bogging
down otherwise simple communication.

DNS was designed to be incredibly low latency, QUIC is a response to the high
latency of TCP for HTTP in general; but then you're still sending a fair
amount of content that is completely unneeded.

A few dozen bytes here and there don't matter much, but that mentality is why
computers today have worse input lag than computers 30 years ago, despite
being many hundreds of times faster.
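Concretely, what "HTTP name resolution" carries on the wire: an added example (not from the article or any commenter) that builds the same wire-format query UDP DNS would send, wraps it in the RFC 8484 GET form of DoH, and decodes a response. The DoH template and the response bytes are constructed samples.

```python
# Added example: DoH framing per RFC 8484 (application/dns-message).
import base64
import struct

def build_query(name, qtype=1, txid=0):
    """Wire-format DNS query: 12-byte header (RD set), QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_target(template, query):
    """Fill a '{?dns}' URI template with the unpadded base64url query (RFC 8484 4.1)."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return template.replace("{?dns}", "?dns=" + token)

def _skip_name(msg, off):
    """Offset just past a name; a 2-byte compression pointer terminates it."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def parse_a_answers(msg):
    """IPv4 addresses from the answer section; [] on a non-zero RCODE (e.g. NXDOMAIN)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):                       # skip question entries
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:         # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

# Constructed sample response: same question, one A record via a name pointer.
SAMPLE_TEMPLATE = "https://dns.google/dns-query{?dns}"   # sample template
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + build_query("www.example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
                   + bytes([192, 0, 2, 10]))
```

The base64url token for www.example.com is the one RFC 8484 itself uses in its GET example, so the encoding can be checked against the spec.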

~~~
swiley
DoH does _not_ fix the security issues with DNS. My ISP hijacks it and sends
you to a page full of ads when you visit a missing domain just like older DNS.
The browser vendors even provide explicit instructions for this.

Literally all this does is break things.

~~~
MaxBarraclough
How does your ISP hijack an HTTPS connection? Are you using your ISP's DNS
service?

~~~
swiley
They don't hijack HTTPS, they hijack DoH. The point behind this is to protect
the average user but they’re just going to get the recursive resolver from
dhcp. People who bother to use something are the same ones who will tunnel
traffic or run their own resolver.

~~~
MaxBarraclough
> They don't hijack HTTPS, they hijack DoH

DoH stands for DNS-over-HTTPS. You cannot hijack DoH without hijacking an
HTTPS connection.

> they’re just going to get the recursive resolver from dhcp

In answer to my earlier question then, you're using your ISP's DoH DNS
service, correct? If that's the case, there's no hijacking going on.

> People who bother to use something are the same ones who will tunnel traffic
> or run their own resolver.

This is the reason Firefox went with CloudFlare's DoH. Resisting ISPs'
bullshit is much of the point.

~~~
withinboredom
> You cannot hijack DoH without hijacking an HTTPS connection.

Not true. An ISP can always reroute packets wherever they want. Want to
reroute from a trusted resolver to your own, which is bootstrapped over
regular DNS? No problem. Client checks it? No problem, it will fallback to
regular DNS.

~~~
valenciarose
Unless you have trusted a CA from your ISP, they won't have a valid cert. They
can divert the packets, but their response will be invalid (fail when the
client checks the cert).

~~~
MaxBarraclough
I addressed this in my response. You're right that redirection does little
more than just blocking the traffic, on account of the certificate check, but
if the attacker can force a fallback to regular DNS, that's a problem.

------
DavyJone
Isn't this something the OS should handle and Chrome just uses the OS
interfaces for this?

~~~
majke
Isn't TLS 1.3 something OS should provide?

Isn't QUIC something an OS should provide?

Isn't the OS responsible for preventing antivirus software installing insecure
browser plugins?

Isn't the OS responsible for process sandboxing?

Isn't the OS responsible for secure font rendering?

Isn't the OS responsible for shipping with decent optimized image and movie
decoding libraries?

The innovation must be pushed somewhere. These days it's being pushed by the
browser vendors and not OS vendors.

~~~
DavyJone
Yep, and not saying it's entirely wrong, but check my reply to asdf-asdf-asdf.

------
donatj
The subsequent SSL requests still include the host in clear text, so while a
move in the right direction, does little to stop request sniffing.

~~~
kreetx
Right now yes, but when Encrypted SNI is adopted then not anymore.

It seems that when DoH and ESNI become the defaults there won't be much
sniffing going on? (Apart from looking at the IPs of course.)

~~~
Avamander
Star or thumbs up these issues if you want ESNI to be prioritized more:

[https://bugs.chromium.org/p/chromium/issues/detail?id=908132](https://bugs.chromium.org/p/chromium/issues/detail?id=908132)

[https://github.com/openssl/openssl/issues/7482](https://github.com/openssl/openssl/issues/7482)

------
sasasassy
I wonder in what new ways will ISPs start blocking illegal websites.

~~~
kashug
Isn't the most common way to block "illegal websites" just to block it on the
DNS owned by the ISP? (which is the one you will automatically use unless you
configure something else). And just making their domain point to some website
saying the site is blocked. Afaik this will still work. And the normal
workaround of just changing to a different DNS should work as well.

Is sniffing of traffic common in other countries?

~~~
sasasassy
I think that this change would mean that, by default, the DNS server used will
be specified by Google/Chrome team. If the DNS server were still my router
then there's no point to this really.

~~~
dingaling
> the DNS server used will be specified by Google/Chrome team

I don't think that any oppressive regime is going to have any qualms about
routing 8.8.8.8 to its own server, or just blocking it. So you use the
national DNS or get nothing.

------
csdreamer7
Does this ignore the OS hosts file like Firefox's DoH does?

------
foodscraps
I use PiHole with a DoH upstream. I want all devices on my network to use my
DNS server. Mozilla's implementation is easily managed using their canary
domain "use-application-dns.net" but Google doesn't have this option. I do not
want any queries sent to Google. It is not feasible to manage chrome flags on
every device, especially mobiles. Does anyone know if Chrome will be using
their two public IPs, 8.8.8.8 and 8.8.4.4 for this new DoH service? If that
is the case this will be easy to block at the network level. Thanks.

~~~
Kalium
Chrome Enterprise (which, contrary to what the name might suggest, is not a
paid enterprise offering) offers management tooling for managing flags across
many devices. Here's the flag for DoH: [https://cloud.google.com/docs/chrome-enterprise/policies/?po...](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=DnsOverHttpsMode)
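A model of how the provider-list check quoted from the Chromium blog near the top of the thread interacts with the three values of the DnsOverHttpsMode policy linked above ("off", "automatic", "secure"), including whether a failed DoH lookup may fall back to classic DNS (the concern raised in the hijacking exchange). This is an added example, not Chromium's code; the provider table is a constructed sample, and the per-resolver matching is an assumption about the exact rule.

```python
# Added example (not Chromium's code): a model of Chrome's DoH upgrade decision.
import ipaddress
from dataclasses import dataclass

SAMPLE_PROVIDERS = {                     # classic resolver IP -> DoH template (sample)
    "8.8.8.8": "https://dns.google/dns-query{?dns}",
    "8.8.4.4": "https://dns.google/dns-query{?dns}",
    "1.1.1.1": "https://chrome.cloudflare-dns.com/dns-query",
}

@dataclass
class DnsPlan:
    use_doh: bool
    templates: list            # DoH servers that will be queried
    classic_fallback: bool     # may plain UDP/TCP DNS be used if DoH fails?

def plan_dns(mode, system_resolvers, admin_templates=(), providers=SAMPLE_PROVIDERS):
    """Decide how names get resolved under a DnsOverHttpsMode value.

    system_resolvers: resolver IPs the OS learned (typically via DHCP).
    admin_templates: DoH URL templates an administrator pushes alongside the
    policy (the companion DnsOverHttpsTemplates policy); needed for "secure".
    """
    if mode == "off":                      # never upgrade: classic DNS only
        return DnsPlan(False, [], True)
    if mode == "secure":                   # DoH only; a DoH error fails the lookup
        if not admin_templates:
            raise ValueError("secure mode needs explicit DoH templates")
        return DnsPlan(True, list(admin_templates), False)
    if mode != "automatic":
        raise ValueError(f"unknown DnsOverHttpsMode {mode!r}")
    # "automatic": upgrade each configured resolver that is on the provider
    # list (per-resolver matching is an assumption of this model); a LAN
    # resolver such as a router or Pi-hole is not on it, so classic DNS stays.
    upgraded = []
    for ip in system_resolvers:
        ipaddress.ip_address(ip)           # reject malformed entries early
        tmpl = providers.get(ip)
        if tmpl and tmpl not in upgraded:
            upgraded.append(tmpl)
    return DnsPlan(bool(upgraded), upgraded, True)
```
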

~~~
propogandist
but Chrome Enterprise means it has to connect and phone home to Google all the
time anyway, no? That defeats any potential benefit of having more control
over the browser.

Given this is a "free" offering, the data being mined finances this service.

~~~
Kalium
If parent wants to manage Chrome configuration across N devices, Chrome
Enterprise is a good tool for the job. They may or may not care if their data
is on Google servers or not. They might consider these two items to be two
entirely distinct and different benefits.

If parent wants to avoid having any of their data cross Google machines, you
are completely correct that Chrome is the wrong tool for the job.

------
ancorevard
Is this a scheme from ad companies like Google to circumvent Pi-hole?

~~~
jpalomaki
Maybe not. DNS over HTTP makes it easy to use, for example,
[http://nextdns.io](http://nextdns.io), which is a nice alternative to Pi-hole
(and more convenient IMHO).

I think this is mostly against ISPs who would like to mess with/redirect your
traffic (for example show their own page for mistyped URLs).

------
newman314
FWIW, this seems to be the GPO that controls DoH

[https://cloud.google.com/docs/chrome-enterprise/policies/?po...](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=DnsOverHttpsMode)

I was looking for this as I want to explicitly control when I choose to enable
DoH.

------
ck2
It still obeys HOSTS, right? Have to assume that's a must.

ETA: oh interesting, at some point I turned on "managed" to prevent it from
password cloud saving or some other nuisance and now I get this:

    Use secure DNS
        This setting is disabled on managed browsers

------
someonehere
So if I wanted to keep analytic data of where my users are going, should I set
up my own office DoH server and forward requests to an external DoH? Would I
be able to then use our in house DoH and get analytics from that?

------
talliedthoughts
Running version 83.0.4103.61 but I don't see the DoH-related entries in Chrome
Settings. Is this still in a phased rollout?

~~~
bfoks
The option is visible under the chrome://flags/#dns-over-https flag. However, on Ubuntu
18.04 I get the message: "Not available on your platform.".

------
Dolores12
How will that affect things like pi-hole?

~~~
dogma1138
I have Pi-Hole configured to use DoT for its outgoing DNS requests. In a home
network with a DNS server you trust, using DoT internally is arguably less
important.

I'll be looking to see what configuration options are available and if I
can set up a DoT server on the Pi-Hole.

Ideally I would want at least the ability to set DoT on/off by default based
on the network I'm using, so if it's the home network I don't care, but on all
other networks I would like to have DoT as the default option.

It would also be interesting to see if there is a default fallback onto
standard DNS or not.

~~~
ajphdiv
Setting up recursive DNS with unbound on the Pi-hole:

[https://docs.pi-hole.net/guides/unbound/](https://docs.pi-hole.net/guides/unbound/)

------
dekhn
I'd rather have HTTPS over DNS, to deal with wifi portals.

------
jgaa
So, then Google gets to decide what websites even exist in your universe.
Nicely played.

~~~
detaro
Chrome checks if the DNS server configured supports DoH, and if yes, uses DoH
to talk to it. How exactly does that mean that

> _Google gets to decide what websites even exist in your universe._

