With the release of Chrome 78, which is scheduled for October this year, Google will begin testing the protocol DNS-over-HTTPS (DoH). Let me remind you that earlier this week it became known that very soon DoH support will be enabled in Firefox by default for US users.
As we have already written more than once, the whole essence of the new protocol is reflected in its name: it sends DNS queries to special DoH-compatible DNS servers via an encrypted HTTPS connection, but does not use classic unencrypted UDP queries. By default, Firefox supports relaying encrypted DoH requests through the Cloudflare resolver, but users can change it to any other. In addition, DoH works at the application level, and not at the OS level. Essentially, it hides DNS queries inside a normal stream of encrypted and secure data.
As a result, DNS queries are “invisible” to third-party observers (such as Internet providers, local solutions for parental control, antivirus software, corporate firewalls, etc.) and DoH DNS communications are practically indistinguishable from other HTTPS traffic.
In terms of implementing DoH in its browser, Google lags behind colleagues from Mozilla, since the work on implementing DoH in Chrome began only in May of this year (while Mozilla has been testing since 2017). The first public test developers Google planned in October, when the release of Chrome 78.
Chrome 78 will automatically switch to DoH when certain conditions are met. So, if a user uses regular DNS servers of certain companies that have alternative resolvers compatible with DoH, Chrome will forward DNS queries with these DoH-compatible resolvers, instead of regular DNS servers. It is reported that switching to DoH instead of the usual DNS will occur only for a few DNS providers, including Cleanbrowsing, Cloudflare, DNS.SB, Google, OpenDNS and Quad9.
It is reported that the experiment will not affect users who use DNS providers that are not on the list. In addition, if a failure occurs and the DoH resolver does not respond, Chrome will automatically switch to using normal DNS.
This is the main difference between the Google approach and the Mozilla approach. So, in Firefox, encrypted DoH requests are automatically relayed through the Cloudflare resolver, but users can change it to any other (due to the use of Cloudflare by default, Mozilla has already been criticized). Google, in turn, offers DoH resolvers to its partners, DNS providers. Interestingly, using DoH from the same providers helps solve the problem of traffic filtering. So, in this case, the DNS filters and parental controls set at the DNS provider level will remain unchanged when switching to the DoH resolver of the same provider occurs.
Those who don’t want to take part in the upcoming Google experiment can simply use a DNS provider that is not in the above list (which is what most Chrome users do), or you can disable DoH in the settings through chrome: // flags / # dns- over-https.