Chrome devs tell world that DNS over HTTPS won't open the floodgates of hell

Chrome devs have had a little rant about "misinformation", repeating that DNS-over-HTTPS (DoH) will be supported but won't necessarily be automatically used in upcoming builds of the browser.

In a blog post published last night, Google's Chrome product manager insisted it was not going to "force users to change their DNS provider" after building the technology into Chrome 78, released last week.

The blurb comes as part of Google's effort to convince hostile police agencies and legislators around the world that DNS-over-HTTPS (DoH) won't result in ordinary people's internet usage being completely shielded from the ability of state agencies and ISPs to monitor and police them – the snoops will just have to work harder to eavesdrop on folks. In contrast, Mozilla, maker of Firefox, has vowed to press on and redirect users' DNS queries to its preferred host, Cloudflare, if it is so enabled.

Google said last night that Chrome's DoH feature will operate by checking whether the user's DNS provider – typically their ISP – is on a Google list of participating DoH providers. This, so far, small list includes Google's own DNS service, OpenDNS, Cloudflare, and a few others. If the netizen's provider is on the list, the query is routed to that DoH server, and if not, then their DNS queries continue over an unencrypted connection, just as they do today.

"We are optimistic about the opportunities DoH offers for improving user privacy and security, but we also understand the importance of DNS and that there could be implementation concerns we haven't foreseen," simpered the Chocolate Factory in its blog post. It might as well have said: "Please, regulators, don't ban or bugger about with this."

It added: "We’re taking an incremental approach with this experiment, and our current plan is to enable DoH support for just 1% of our users, provided that they are already using a DoH compliant DNS provider. This will allow Google and DoH providers to test the performance and reliability of DoH. We’ll also monitor feedback from our users and from other stakeholders, including ISPs."

In addition, to keep corporate admins sweet and not allow enterprise end-users to bypass carefully honed corporate web access policies, Google added: "Most managed Chrome deployments such as schools and enterprises are excluded from the experiment by default. We also offer policies for administrators to control the feature."

Paul Vixie, Farsight Security CEO and a contributor to the design of the DNS protocol, who last month warned DoH could limit network admins' autonomy, opined on Twitter last night that Mozilla should "do DoH in Firefox the way Google is doing it in Chrome".

DNS lookups essentially translate the domain name you type into your browser – say, theregister.com – into a machine-readable format so internet servers can fetch you your IT news and daily fix of cat videos. At the moment those queries are unencrypted, and while this makes them theoretically vulnerable to eavesdropping, filtering, and tampering, in practice the world keeps turning without too many problems.

Countries such as the UK place great store on surveilling users' DNS queries. In the context of Google and Mozilla's DoH proposals, the most useful tool available to state agencies is the ability to order domestic DNS server operators to sinkhole certain results, such as those leading to child abuse material. This is how the Internet Watch Foundation's blacklist operates.

To head off the UK's notoriously technophobic civil service and government ministers, Mozilla agreed not to make DoH a default option for British users – though a few mouse clicks is all it takes to turn it on. Americans will eventually default to sending all their DNS queries to Cloudflare, however.

In addition to preventing users from accessing content that upsets local authorities, ISPs also use their own DNS servers to implement things like parental controls, antivirus and general online safety, helping keep users away from compromised websites. This is a useful thing at a time when increasingly large proportions of ISPs' userbases have no idea about basic online security precautions and don't really care enough to learn about them. ®