“A rare opportunity to start from a clean and dependable slate”
Chrome 83, the latest release of a browser used by billions globally, will encrypt Domain Name System (DNS) requests — website look-ups — by default in a landmark move.
Google’s Chrome will follow Mozilla Firefox in making DNS-over-HTTPS (DoH) the default DNS setting for users, where their existing DNS providers support it, and offer manual configuration options for others. Chrome 83 started rolling out on May 19.
For the past 35 years DNS requests have been completely transparent to those serving them, even if they are serving HTTPS websites. This allows ISPs/governments to see what users are doing and block certain websites with comparative ease.
DNS-over-HTTPS in Chrome: Defaults to Check ISP’s Offering
Chrome will only make DoH its default setting if existing DNS providers offer the service. (Most Internet Service Providers, or ISPs, do not, although BT is among those to have started experimenting.) Chrome will let users choose alternatives if this is the case.
It was not immediately clear how much visibility/control users would have over the process: e.g. if a user’s existing ISP does offer DoH, how this will impact users who have set up local DNS filtering/precisely which enterprise rules will trigger its kill switch.
Policy makers have warned that widespread adoption of DoH by major browsers could disrupt their ability to block certain websites/track users’ internet activity. ISPs are understood to be trying to tackle that problem by trialling their own indigenous DoH offerings that marry the ability to encrypt requests, with the ability to filter websites.
BT in December told ISP Review that it was “currently investigating roadmap options to uplift our broadband DNS platform to support improvements in DNS security – DNSSEC, DNS over TLS (DoT) and DNS over HTTPS (DoH). To aid this activity and in particular gain operation deployment insights, we have enabled an experimental DoH trial capability.”
The company added: “We are initially experimenting with an open resolver, but our plan is to move a closed resolver only available to BT customers
Currently, DNS requests are entirely transparent to ISPs and anyone else sniffing a network — and can be used to serve fake domains. Anyone listening to packets on the network knows which website a user is attempting visit. (In the UK, this includes all ISPs, who are obliged to do so under counter-terrorism legislation.)
Google’s Chromium team said the “non-trivial” move would help “prevent attackers from observing what sites you visit or sending you to phishing websites” and “give the whole ecosystem a rare opportunity to start from a clean and dependable slate”
Chrome says it is adding a kill switch to support parental control and corporate IT administrators.
Chromium (Chrome’s engine) product manager Kenji Baheux said in a May 19, 2020 blog that Chrome will “disable Secure DNS if it detects a managed environment via the presence of one or more enterprise policies.”
He added: “We’ve also added new DNS-over-HTTPS enterprise policies to allow for a managed configuration of Secure DNS and encourage IT administrators to look into deploying DNS-over-HTTPS for their users.
The team behind the browser, which is used by billions globally, said they were baking in protections that made sure DOH didn’t break family controls by obfuscating DNS requests.
“Chrome maintains a list of DNS providers known to support DNS-over-HTTPS. Chrome uses this list to match the user’s current DNS service provider with that provider’s DNS-over-HTTPS service, if the provider offers one. By keeping the user’s chosen provider, we can preserve any extra services offered by the DNS service provider, such as family-safe filtering, and therefore avoid breaking user expectations.
“Furthermore, if there’s any hiccup with the DNS-over-HTTPS connection, Chrome will fall back to the regular DNS service of the user’s current provider by default, in order to avoid any disruption, while periodically retrying to secure the DNS communication.”
Critics had warned that the move could prove a major headache for corporate security teams, with its potential to obfuscate existing passive network detection used for intelligence, metrics, malware domains or data loss prevention (DLP) work.
DoH also appears to stymie URL logging in Sysmon; the Windows service to log system activity to the Windows event log.
Chrome’s Baheux added: “We… understand how intricate DNS is, which is why we’ve been and will continue to move carefully and transparently. As always, we’re open to feedback and welcome collaboration with stakeholders including ISPs, DNS service providers, and Online Child Safety advocates as we make further progress in securing DNS.”