Rolling in DoH: Chrome 78 to experiment with DNS-over-HTTPS – hot on the heels of Firefox

Google promises it won't override your choice of DNS provider

Only days after Mozilla said it plans to make DNS-over-HTTPS (DoH) available by default gradually for Firefox users in the US, Google announced its intention to test DoH in Chrome 78, due for beta release in the next two weeks.

DoH wraps domain-name queries in a secure, encrypted HTTPS connection to a DNS server, rather than firing off requests using bog-standard plain-text insecure DNS, thereby keeping queries inaccessible to eavesdroppers. It's one of several emerging internet protocols intended to close security and privacy gaps in online communications.

Google's experiment will involve checking whether Chrome 78 users' DNS provider is among six services selected for their readiness to test DoH – Cleanbrowsing, Cloudflare, DNS.SB, Google, OpenDNS and Quad9. And if so, Chrome will switch from standard DNS to DoH using the same service provider, at least for those lucky few in the experimental group.

Google is thus avoiding one of the concerns raised by Mozilla's approach: forcing Firefox users to swap their chosen DNS provider for Cloudflare. In so doing, the Chocolate Factory ensures that malware screening and parental filtering capabilities offered by DNS providers will continue to function, if possible under DoH.

"This experiment will be done in collaboration with DNS providers who already support DoH, with the goal of improving our mutual users’ security and privacy by upgrading them to the DoH version of their current DNS service," explained Kenji Baheux, Chrome product manager, in a blog post. "With our approach, the DNS service used will not change, only the protocol will."

Baheux says Google's goal is to validate its DoH implementation in Chrome and to measure the protocol's effect on performance.

The experiment will involve a small percentage of Chrome users across supported platforms except for Linux and iOS. And there will be a way to opt out: disabling the flag setting at chrome://flags/#dns-over-https. Most managed Chrome deployments for enterprise customers will be excluded from the test; Google plans to publish information about DoH for network admins on its Enterprise Blog shortly.

For those using Android 9 or greater who have set a DNS-over-TLS (DoT) provider in the private DNS settings, Chrome may attempt to utilize DoH and, if that fails, fall back to the DoT setting.


DoH and DoT are separate standards for encrypting DNS queries. DoH relies on TLS and HTTP/2 and uses the standard HTTPS port 443 for traffic; DoT relies on TCP as the connection protocol, in conjunction with TLS encryption and authentication on its own port, 853, making it more visible on a network level and easier to block.
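
The difference in on-the-wire shape described above, as an added example that is not part of the original article: the same DNS question framed for DoH (RFC 8484 GET) and for DoT (RFC 7858), plus the decoding step a TLS-inspecting proxy would need to see the queried name again. The resolver host `doh.example` and the `/dns-query` path are constructed placeholders.

```python
import base64
import struct

# Constructed placeholders: not a real resolver, not from the article.
DOH_HOST = "doh.example"
DOH_PATH = "/dns-query"

def build_query(name, qtype=1, msg_id=0):
    """One-question DNS query in RFC 1035 wire format (RD set, class IN)."""
    # RFC 8484 recommends ID 0 so identical queries are cache-friendly.
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_get_request(query, host=DOH_HOST, path=DOH_PATH):
    """RFC 8484 GET: message is base64url-encoded, padding stripped."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return {"port": 443,
            "url": f"https://{host}{path}?dns={param}",
            "headers": {"accept": "application/dns-message"}}

def dot_frame(query):
    """RFC 7858: same message, two-octet length prefix, inside TLS on 853."""
    return {"port": 853, "payload": struct.pack("!H", len(query)) + query}

def decode_doh_param(url):
    """Recover the DNS message from a DoH GET URL, e.g. from a proxy log."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def qname_of(message):
    """Read the question name that follows the 12-byte header."""
    labels, pos = [], 12
    while message[pos]:
        n = message[pos]
        labels.append(message[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

if __name__ == "__main__":
    q = build_query("www.example.com")
    doh, dot = doh_get_request(q), dot_frame(q)
    print(doh["port"], doh["url"])
    print(dot["port"], dot["payload"].hex())
    print(qname_of(decode_doh_param(doh["url"])))
```

Without TLS interception, the DoH request is indistinguishable by port from any other HTTPS traffic, while the DoT frame travels on a port dedicated to it.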

In a Twitter post on Monday, Paul Vixie, CEO of Farsight Security and a contributor to the design of the DNS protocol, warned that DoH limits the autonomy of network administrators.

"DoT is not the same as DoH," he wrote. "Both provide TLS-level privacy. But DoT can be blocked in network firewalls. DoH is 'designed to prevent on-path interference in DNS operations' (introduction, RFC 8484). DoT is a universal good. DoH will be a net harm no matter what good it may do."

Earlier this year, he argued that DoH is part of a campaign by US tech companies to control the DNS resolution path, at the expense of those who would prefer to set their rules for their own networks. "There's been a war for control of the DNS resolution path, since at least the SiteFinder debacle and perhaps earlier," he said. "This is the latest battle in that long war. Big American tech companies want your DNS traffic, any way they can get it." ®


Biting the hand that feeds IT © 1998–2022