Google rolls out pro-privacy DNS-over-HTTPS support in Chrome 83... with a handy kill switch for corporate IT

Google released Chrome 83 on Tuesday after skipping version 82 entirely due to coronavirus-related challenges, bringing with it security for DNS queries, a revised extension interface that developers dislike, and a few other features. The latest iteration of Google's browser implements DNS-over-HTTPS (DoH), a way to prevent …

  1. tip pc Silver badge

    Can no longer Easily see what extensions are installed

    “ Chrome no longer pins extensions to the toolbar by default”

    I assume extensions can’t be silently installed etc etc, what if I use someone else’s pc briefly, do I have to check their extensions list before I use their browser?

    Having an obvious place for running extensions to show by default looks like an obvious safety thing to do.

    1. LovesTha

      Re: Can no longer Easily see what extensions are installed

      Was the requirement to unpin an extension really the thing stopping people from installing malicious plugins on other people's computers?

    2. TG2.2

      Re: Can no longer Easily see what extensions are installed

      The better option would be a quick link to plugins/extensions, vs having to grab the 3 bars -> More Tools -> Extensions.

      Every browser has this issue, quick access to toolbars, but the counter to these buttons is that there are a sh*t ton of them sometimes, which makes it harder to review a URL at a glance when the buttons shrink the bar too far.

      Having a bookmarks bar and Add-ons / Extensions bar would also be a good choice ..

      but of course this is a mega corporation and despite user choice, mega corporations know best.. right? (insert eye roll here)

      1. Anonymous Coward

        Re: Can no longer Easily see what extensions are installed

        “Every browser has this issue“

        Erm, no. Never heard of one called Firefox?

    3. TheMeerkat

      Re: Can no longer Easily see what extensions are installed

      If you are using someone else's computer, the extensions are the least of your worries. You should never assume there is any privacy or security if you don't control your computer fully.

  2. tip pc Silver badge

    DoH

    Will Chrome tell me I'm using DoH, or will it silently work in the background?

    What about my local dns filtering, will it bypass my pi-hole in favour of its own DoH, maybe not today but what about in the future if my isp decides to do DoH?

    I’ve blocked all port 53 traffic out and in and have a DoH proxy running internally, if chrome decide to silently use DoH in addition to my OS’s DNS I will never know, unless I now also use a proxy and inspect, TLS decrypt - inspect - encrypt, everything. With my tin foil hat I can see how that benefits state actors.

    1. chris 143

      Re: DoH

      The way you'll know is all the adverts start loading again.

      1. Stuart 22

        Re: DoH

        I converted to Vivaldi long ago - so when I reverted to Chrome/Chromium on new Linux/Android devices I was shocked to see adverts re-appearing despite having a pi-holed network. It was sneakily checking 8.8.8.8

        Result - Vivaldi quickly installed alongside our old friend Firebird - in case Vivaldi becomes similarly 'infected'. The claim that Google is trying to enforce it on me for my own good is a little suspect methinks.

        This is a good move to lose the love of Chrome/Chromium. They thought that as the No1 browser it is invincible. Will hubris (and bloat) rather than ad-blockers be their eventual nemesis?

        1. mmccul

          Re: DoH

          Just checked current vivaldi (vivaldi://flags) and it is hidden, but doable to ensure the DoH protocol is disabled, at least according to options. Without something like burpsuite, hard to know if it is actually honored (and I'm not yet ready to waste a demo on just this test.)

    2. lkm

      Re: DoH

      Nope, Chrome will only upgrade your DNS if your current DNS provider supports DoH. I.e. if you are using 8.8.8.8 currently, it will use DoH to talk to 8.8.8.8. Nothing will change if you have something custom setup. See https://www.chromium.org/developers/dns-over-https for the list of supported DoH providers - which is really small still.

      1. Yet Another Anonymous coward Silver badge

        Re: DoH

        You can then configure pi-hole to do doh so you still get ad blocking without your ISP selling all your site visits

    3. Cave-Homme

      Re: DoH

      Excuse my ignorance but what’s blocking port 53 all about?

  3. djvrs

    DoH

    Can anyone see a 'doh' coming when it goes wrong?

    1. Stubbly Dude

      Re: DoH

      I can't read any of this without going doh! all the time!

  4. Anonymous Coward

    DoH

    So we already deploy client-side certificates for our Sophos XG firewalls so we can do HTTPS/SSL inspection and decryption anyway... will this include DoH traffic?

    1. Toe Knee

      Re: DoH

      Probably. DoH requests are HTTPS, so they’re easy to pick apart by looking at the requests (if you have the certs).
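What "picking apart" a DoH request means in practice, as an added example that is not part of the thread: it builds the DNS wire-format query Chrome would send, wraps it in the RFC 8484 GET form (base64url, no padding) and parses a locally constructed reply. Everything runs offline; the reply bytes are built by the code, not captured traffic, and `example.com` / `93.184.216.34` are just sample values.

```python
"""DNS-over-HTTPS on the wire (RFC 8484), as an added example.

Builds the DNS wire-format query, wraps it in the GET form (base64url,
no padding) and parses a constructed answer. No network access."""
import base64
import struct
from typing import List, Tuple

QTYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (uncompressed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Header (RD=1, one question) followed by the question section.
    RFC 8484 recommends txid 0 so identical queries are cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(resolver_host: str, query: bytes) -> str:
    """RFC 8484 GET form: the raw query, base64url without '=' padding."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{resolver_host}/dns-query?dns={b64}"


def decode_doh_param(dns_param: str) -> bytes:
    """Reverse of doh_get_url: restore padding, then decode."""
    padded = dns_param + "=" * (-len(dns_param) % 4)
    return base64.urlsafe_b64decode(padded)


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        if ln == 0:
            if not jumped:
                end = off + 1
            break
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels) + ".", end


def parse_response(msg: bytes) -> Tuple[int, List[Tuple[str, int, str]]]:
    """Return (rcode, [(owner, ttl, ipv4), ...]) for the A records in a reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4                                   # qtype + qclass
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return flags & 0x000F, answers


def make_sample_response(query: bytes, ipv4: str, ttl: int = 3600) -> bytes:
    """Constructed reply for the demo (not captured traffic): same txid,
    QR=1 RD=1 RA=1, the question echoed, one A record whose owner is a
    pointer (0xC00C) back to the question name at offset 12."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, ttl, 4)
    rr += bytes(int(o) for o in ipv4.split("."))
    return header + query[12:] + rr


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("dns.google", q))
    print(parse_response(make_sample_response(q, "93.184.216.34")))
```

The point for an inspecting proxy is that, once the TLS layer is off, the name being looked up is sitting in plain sight in the `dns` query parameter (or in the body of a POST with `Content-Type: application/dns-message`); without the TLS layer off, the same request is a 39-character opaque parameter on an ordinary HTTPS connection.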

    2. Anonymous Coward

      Re: DoH

      You'd probably be using an internal DNS in an organisation anyway, so that you can use internal domains. I'm not sure it therefore makes any difference if set up correctly.

    3. big_D Silver badge

      Re: DoH

      I have set up rules to block DoH at the firewall. The browsers and smartphones just drop back to using my internal DNS server (DNS over TLS with DNSSEC to Quad9). The internal DNS server blacklists around 2.5 million sites (most of them tracking and known malware flingers). However it will be a moving target as more and more DoH servers come on line.

      I worked out that DoH was being used on my tablet when it suddenly started showing Facebook in the new tab list - I had blocked over 2,500 Facebook domains in DNS. I quickly set up additional rules to block DoH to known providers.

      1. tip pc Silver badge

        Re: DoH

        good luck with that whack a mole.

        you'll need to start proxying everything and blocking at the proxy.

      2. Qumefox

        Re: DoH

        The thing about DoH is that it can't be (easily) blocked though. Without decrypting and inspecting every packet (which, if this was easy, https would be pointless), it all just looks like https traffic. This is why network admins don't like it and would prefer DoT, which is easily blockable.

        I guess you could block 80 and 443 to the IP of known DNS resolvers, however that would be a buttload of manual firewall rule entries, and you can't just block those ports globally without breaking the entire internet for yourself.

        1. big_D Silver badge

          Re: DoH

          On my firewall, it is 1 rule, but with a group of IP addresses. At the moment, it is a relatively small list. The firewall can also act as a DoH provider, using my main DNS server as its source.
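The three controls discussed in this subthread (block plain DNS that bypasses the internal resolver, block DoT on its dedicated port, block HTTPS to a group of known DoH resolver addresses) as detection logic run over flow-log lines, added here as an example and not taken from any poster's setup. The log format and the internal resolver address are constructed for the demo; the resolver addresses are the published anycast addresses of the Google, Cloudflare and Quad9 public resolvers, and the list is deliberately short to show the gap the thread is arguing about.

```python
"""Spotting DoH / DoT / rogue port-53 traffic in flow logs, as an added example.

The log lines are constructed for the demo; the resolver addresses are the
well-known anycast addresses of Google, Cloudflare and Quad9 public DNS."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Public resolvers that serve DoH on 443 (illustrative, not exhaustive).
DOH_RESOLVER_IPS = {
    "8.8.8.8", "8.8.4.4",          # Google
    "1.1.1.1", "1.0.0.1",          # Cloudflare
    "9.9.9.9", "149.112.112.112",  # Quad9
}
# The only resolver clients are supposed to use (assumed for the demo).
INTERNAL_RESOLVERS = {"192.168.1.2"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    rule: str


def classify(line: str) -> Optional[Finding]:
    """Apply the rules in order; return the first that matches, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    dport, dst = int(f["dport"]), f["dst"]
    if dport == 53 and dst not in INTERNAL_RESOLVERS:
        return Finding(f["ts"], f["src"], dst, "plain DNS bypassing internal resolver")
    if dport == 853:
        return Finding(f["ts"], f["src"], dst, "DNS-over-TLS (dedicated port)")
    if dport == 443 and dst in DOH_RESOLVER_IPS:
        return Finding(f["ts"], f["src"], dst, "HTTPS to known DoH resolver")
    # Anything else on 443 is invisible to this check: a DoH endpoint hosted
    # on an arbitrary HTTPS address (or behind a CDN) needs TLS inspection or
    # at least SNI logging to be told apart from ordinary web traffic.
    return None


def scan(lines: List[str]) -> List[Finding]:
    return [x for x in (classify(line) for line in lines) if x is not None]


# Constructed sample; the internal resolver is 192.168.1.2.
SAMPLE_LOG = [
    "2020-05-20T10:00:01Z src=192.168.1.20 dst=192.168.1.2 proto=udp dport=53",
    "2020-05-20T10:00:02Z src=192.168.1.20 dst=8.8.8.8 proto=tcp dport=443",
    "2020-05-20T10:00:03Z src=192.168.1.21 dst=1.1.1.1 proto=tcp dport=853",
    "2020-05-20T10:00:04Z src=192.168.1.22 dst=8.8.8.8 proto=udp dport=53",
    "2020-05-20T10:00:05Z src=192.168.1.23 dst=203.0.113.7 proto=tcp dport=443",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The last sample line is the case both sides of the argument are describing: an HTTPS connection to an address that is not in the resolver group produces no finding, whether it is a web server or a DoH endpoint. Keeping the address group current is the "moving target" part; it buys coverage of the mainstream providers, not of a DoH server someone stands up on any HTTPS host.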

    4. Dourscot

      Re: DoH

      Chrome allows you to set enterprise policies in managed mode.

  5. Jason Bloomberg Silver badge

    Nanny statism strikes again

    "Chrome will disable DoH in managed environments that declare relevant enterprise policies"

    Why can't it just be a checkbox which anyone can turn on or off as best suits them?

    The one with the "do as we say" motivational poster in the pocket ->

    1. Yet Another Anonymous coward Silver badge

      Re: Nanny statism strikes again

      Because they want it on for everyone so they are the only ones who can sell your data to advertisers.

      But they don't want to be banned in the financial industry that is required to check your traders aren't logging into libor-rigging.org from their work machines

      1. Cave-Homme

        Re: Nanny statism strikes again

        Do smart people and organizations still use Google Chrome, or anything Google for that matter? Mine does, but it’ll all be gone by the end of the month.

    2. Roland6 Silver badge

      Re: Nanny statism strikes again

      >"Chrome will disable DoH in managed environments that declare relevant enterprise policies"

      And has any one found a reference that explains just what exactly these policies are - a quick Google fails to return anything.

      Personally, the out-of-the-box action (for Windows) should be to simply detect active domain membership and network type (Public/Work) and play nicely with the Domain provided DNS server. Obviously, the user is free - until Chrome Group Policy settings prevent it - to change the settings for themselves.
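For reference, the policies that control this in Chrome's enterprise policy list are `DnsOverHttpsMode` (one of `"off"`, `"automatic"`, the Chrome 83 default that upgrades only when the configured resolver is a known DoH provider, and `"secure"`, DoH only) and `DnsOverHttpsTemplates` (the resolver URL template used in `secure` mode). Setting the mode explicitly overrides the automatic upgrade. The following is an added example, not Chrome documentation or anyone's deployment: it writes the policy as the JSON drop-in Chrome on Linux reads from `/etc/opt/chrome/policies/managed/` (on Windows the same keys go under `HKLM\Software\Policies\Google\Chrome`). The file name `dns.json` and the internal DoH proxy hostname are assumptions; the demo writes to a temporary directory rather than the real one, which needs root.

```python
"""Chrome's DoH enterprise policy as a managed-policy file, as an added example.

Policy names and values follow Chrome's enterprise policy list. The Linux
drop-in directory is /etc/opt/chrome/policies/managed/; the file name and
the proxy hostname below are assumptions for the demo."""
import json
import os
import tempfile
from typing import Dict, Optional

VALID_MODES = ("off", "automatic", "secure")
LINUX_POLICY_DIR = "/etc/opt/chrome/policies/managed"


def doh_policy(mode: str, templates: Optional[str] = None) -> Dict[str, str]:
    """Build the policy dict, refusing combinations Chrome would not honour."""
    if mode not in VALID_MODES:
        raise ValueError(f"DnsOverHttpsMode must be one of {VALID_MODES}")
    if mode == "secure" and not templates:
        raise ValueError('"secure" needs DnsOverHttpsTemplates, e.g. an internal DoH proxy')
    policy = {"DnsOverHttpsMode": mode}
    if templates:
        policy["DnsOverHttpsTemplates"] = templates
    return policy


def write_policy(policy: Dict[str, str], directory: str, name: str = "dns.json") -> str:
    """Write one managed-policy JSON file; Chrome merges every file in the dir."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)
    return path


def read_policy(path: str) -> Dict[str, str]:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def demo_roundtrip() -> Dict[str, str]:
    """Write the 'keep the domain resolver' policy to a temp dir and read it back."""
    target = tempfile.mkdtemp()            # stand-in for LINUX_POLICY_DIR
    return read_policy(write_policy(doh_policy("off"), target))


if __name__ == "__main__":
    # Two corporate choices: keep the OS/domain resolver, or pin an internal DoH proxy.
    print(demo_roundtrip())
    print(doh_policy("secure", "https://doh.corp.example/dns-query"))  # hypothetical host
```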

  6. Pascal Monett Silver badge

    "We understand this concern"

    And we don't give a flying fuck about it.

    Typical behavior these days. We want it this way, so you can wave goodbye to every habit you have because this is how we roll.

    I absolutely hate web developers that believe they have the right to change people's habits. Once upon a time, before the Internet was a thing, Microsoft had put out a document where it set down the rules for making a proper UI. Rules that it shat upon liberally when it created its PlaySkool interface called Metro, but I digress.

    I really would like to get my hands on that document. I remember reading it and thinking to myself : "this is very sensible". Yes, I know, a Microsoft document about UI that was sensible. What can I say ? It was before Y2K.

    Things have changed since.

    Get off my lawn.

    1. Jamie Jones Silver badge

      Re: "We understand this concern"

      Remember when the "settings" page was actually useful?

      And now Chrome doesn't let me manually edit URLs in the URL bar (which is how I like to roll) unless I jump through hoops each time... No option to revert it..

      Yes, completely fed up of software writers in general dumbing everything down against our will.

      1. Anonymous Coward

        Re: "We understand this concern"

        Why can't you edit URLs? Works fine for me.

        1. Jamie Jones Silver badge

          Re: "We understand this concern"

          It disrupts the flow by making you have to click a pencil icon each time:

          https://android.gadgethacks.com/how-to/edit-url-with-chromes-new-address-bar-android-0207043/

          And: https://www.reddit.com/r/chrome/comments/dp2a76/editing_url_in_new_version_of_chrome_previous/../ looks like I have a fix for my rooted boxes, at least.

          1. Anonymous Coward

            Re: "We understand this concern"

            Ah, right so this is Chrome on Android not just Chrome.

            However I guess having to click one icon to edit isn't a major deal when most people will probably be clicking the bar to do a new search or type a new URL.

            1. Jamie Jones Silver badge

              Re: "We understand this concern"

              Oh, didn't realise it was just android.

              The point is, there was originally an option to revert to previous behaviour.... Now they've removed it.

              I agree most people would use it that way; I'm ok with them changing the default. I'm not ok that they *had* an opt out option, and then removed it.

  7. BenDwire

    Power grab

    If DoH catches on as anticipated, then the potential for serving targetted ads gets swept away from carriers and ISPs, and over to the Chocolate Factory. I suspect that any improved privacy for users is just a side effect.

    Oh, your DNS isn't DoH capable? Let me check 8.8.8.8 to "protect you"

    1. DemeterLast

      Re: Power grab

      Exactly. Firefox started using Cloudflare's DoH by default and suddenly people inside my network couldn't see internal Web servers. Oh, and Firefox's "opt-out" dialog is basically "Do you want to be secure, or do you want to douse yourself in kerosene and light off fireworks like a moron?"

      No, I am not going to run DoH on my internal network, plain old NSD over UDP is all I want to use. No, I do not want Cloudflare collecting DNS queries from my users.

      I'm all for secure by default, but I am not for making a handful of corporations the de facto backbone of the Internet.

      1. katrinab Silver badge

        Re: Power grab

        My setup is:

        DHCP server gives the clients the Windows Domain Controllers as the DNS servers.

        The Domain Controllers have a pair of pi-holes as the upstream DNS servers

        The Pi-holes have Cloudflare DOH as their upstream servers.

        So, if it is an internal resource, the domain controllers will return the local IP address

        If it is an advertising site, the pi-hole will return a block page

        If it is anything else, Cloudflare DOH will return the result.

        I updated Chrome to v83. Locally hosted websites still work, so presumably it doesn't think 192.168.0.2 & 192.168.0.3 are supported DNS services.

        1. DoctorPaul

          Re: Power grab

          "Pair of pi-holes" - absolutely!

          When I started with a single pi-hole, I would lose DNS after a few days - something seems to lock up a pi-hole at some point, which took out DNS completely.

          With a pair of them, I can see from the admin screens that one does most of the work for a number of days, then things flop over to the other one. Then back again and so on. Is this a common issue for other pi-holers?

          Are they reliable now? Let's just say that I recently realised that I hadn't done a remote connection and update on mine for over a year - "it just works".

          1. Anomalous Cowturd

            Re: Power grab

            Re: Are they reliable now?

            Just checked mine, and it was last restarted on May 12th, when I updated it to the latest version.

            Prior to that, it had been happily and faultlessly running for months. Had to reinstall about a year ago, when a cheap SD card failed. No problems since. Just have to remember to SSH into it occasionally to run "pihole -up"

            1. katrinab Silver badge

              Re: Power grab

              crontab -e

              e

              30 3 * * * pihole -up >/dev/null 2>&1

              [esc]

              :wq

              Then you don't need to remember to update it
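The resolution chain katrinab lays out above (domain controllers first, pi-holes second, Cloudflare DoH last) modelled as code, added here as an example rather than anything from the thread. The zone data, blocklist and upstream answers are constructed; the block-page address and the suffix matching on the blocklist are assumptions. The second half models Chrome 83's automatic upgrade against an illustrative table of DoH-capable resolver addresses (the real table is the chromium.org list linked earlier in the thread) and shows why a browser that does upgrade loses the first two stages of the chain.

```python
"""Split-horizon chain (DC -> pi-hole -> upstream DoH), as an added example.

Zone data, blocklist and upstream answers are constructed. The order of the
three stages is the point: an internal name is answered before the blocklist
or the upstream ever sees it."""
from typing import Dict, Optional, Tuple

BLOCK_PAGE = "0.0.0.0"   # pi-hole's null answer for blocked names (assumed)

LOCAL_ZONE: Dict[str, str] = {                 # what the domain controllers hold
    "fileserver.corp.example.": "192.168.0.20",
}
BLOCKLIST = {"ads.example.", "tracker.example."}   # stand-in for the gravity list
UPSTREAM: Dict[str, str] = {                   # stand-in for Cloudflare DoH answers
    "www.example.org.": "203.0.113.5",
}

Answer = Tuple[Optional[str], str]   # (address or None, which stage answered)


def _canon(name: str) -> str:
    return name.lower().rstrip(".") + "."


def resolve(name: str) -> Answer:
    """Walk the chain in the order the DHCP-handed resolver imposes."""
    n = _canon(name)
    if n in LOCAL_ZONE:                                   # stage 1: the DCs
        return LOCAL_ZONE[n], "domain controller"
    if any(n == b or n.endswith("." + b) for b in BLOCKLIST):   # stage 2: pi-hole
        return BLOCK_PAGE, "pi-hole"
    if n in UPSTREAM:                                     # stage 3: upstream DoH
        return UPSTREAM[n], "upstream DoH"
    return None, "NXDOMAIN"


# Chrome 83 upgrades to DoH only when the OS-configured resolver's address is
# in its table of DoH-capable providers. This table is illustrative.
KNOWN_DOH_RESOLVERS: Dict[str, str] = {
    "8.8.8.8": "https://dns.google/dns-query",
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
}


def chrome_auto_upgrade(configured_resolver: str) -> Optional[str]:
    """Return the DoH template Chrome would switch to, or None (no upgrade)."""
    return KNOWN_DOH_RESOLVERS.get(configured_resolver)


def resolve_for_client(name: str, configured_resolver: str) -> Answer:
    """What a browser gets: an upgraded browser skips stages 1 and 2 entirely."""
    if chrome_auto_upgrade(configured_resolver):
        return UPSTREAM.get(_canon(name)), "browser DoH (chain bypassed)"
    return resolve(name)


if __name__ == "__main__":
    for n in ("fileserver.corp.example", "cdn.ads.example", "www.example.org"):
        print(n, resolve_for_client(n, "192.168.0.2"), resolve_for_client(n, "8.8.8.8"))
```

With the DCs at a private address the upgrade check returns nothing and the chain stays intact, which matches the observation that local sites kept working after the update; point the same client at a public resolver that is in the table and the internal name resolves to nothing while the blocked name resolves normally.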

  8. alain williams Silver badge

    Who do you want to hide from ?

    DoH needs a server to answer DNS queries - that server gets to know a lot about you.

    Use normal DNS and your ISP/company can see what you are trying to resolve. Even if you do not use its DNS servers it can sniff the packets as they go by.

    If you live in a repressive regime (eg Egypt, China, ...) they can make your ISP hand over your DNS history or change stuff on the fly; so DoH might be good, although they can still see where your IP packets go to.

    What about the DoH provider - what does it gain ? Knowledge of all the sites that you visit - good meat to the advertising machine for Google & pals - even when those sites do not run google analytics (or you have blocked the javascript). These DoH providers are subject to the Patriot Act or local equivalent - so, for some, the security is a fig leaf.

    Oh - just because you do not think that your regime is repressive does not mean that your government is not snooping on you. DNS over TOR might be an interesting idea.

    If you do run DoH then you might be visited by shady men and told to change your browser options - packet sniffing via your ISP will make it obvious if you have taken their 'advice'. So: will you make yourself a target for future visits ?

    1. tip pc Silver badge

      Re: Who do you want to hide from ?

      some CDNs will serve any site they CDN for on any of the IPs they resolve on.

      As an example, the reg & the pirate are on cloudflare. internally resolve the pirate to the IP of the reg and you can visit the pirate on https without your isp blocking.

    2. Doug_S

      Re: Who do you want to hide from ?

      I don't see how they could target people for using DoH when it is the default in two widely used browsers, including now the most widely used.

      But if, hypothetically, they did, Google could have Chrome make some random lookups to the top 1000 sites using regular DNS, while it still uses DoH, as an option for people living under repressive regimes.

      1. Roland6 Silver badge

        Re: Who do you want to hide from ?

        > DoH when it is the default in two widely used browsers, including now the most widely used.

        Given New Edge is Chromium-based, expect MS to join the club later this year (or is it there already? - as not specifically looked for it).

    3. Christian Berger

      Well the idea is...

      that there may be countries somewhere, where your ISP is less trustworthy than Cloudflare. Of course this doesn't apply to Europe where your ISP could easily get shut down if they were caught exploiting your DNS traffic, whereas Cloudflare only makes a non-enforceable "promise" that they won't mess with your queries.

  9. Peter Galbavy

    Well, just updated and the flag is still there to turn it off - not checked if it's a null op though

  10. Dourscot

    Except Secure DNS doesn't appear as a flag on some UK downloads of Chrome, including the test beta (despite setting manual name server on the device and router, version 83.x).

    Interestingly, it works perfectly in the otherwise identical Edge browser. C'mon Google.

    1. Cave-Homme

      I wouldn’t call Edge Chrome identical to Google Chrome, there are several key differences especially when it comes to tracking options.

  11. tekHedd

    So much for my router-level blocks

    Because my older DD-WRT router only supports classic DNS and not the new protocol, this magically disables all of my ad- and malware-domain blocks until I hack hidden settings in each browser. Which I believe is its primary purpose.

    Any privacy- or speech-enhancing purpose is secondary and IMO becomes a technical problem to thwart at the edge networking level if you want to ... well anyway we all know the boring arguments.

    And, of course, as it is an anti-censorship tool, it is a real PITA to redirect these requests to my own DoH servers. I mean, either it can't be done, in which case the ad servers win, or it can be done, in which case it is a COMPLETE waste of effort and why did we do it? The ad servers win.

  12. Justin Clements

    As a system administrator of 25 years

    1. Do I have to do anything?

    |

    |----> Yes. ----> Ain't happening.

    |

    |----> No. ---> Good. As you were.

    2. There is no 2. I'm a system administrator, I have finely tuned nerves and if you're a mouth breather there's a good chance you're on them already.

    1. Anonymous Coward

      Re: As a system administrator of 25 years

      Too many sysadmins have Asparagus Syndrome, in fact, it seems to be a pre-requisite.

  13. Blacklight

    Nope

    I have a setup I like, that does what I want.

    I don't want errant things burrowing holes to get DNS via other methods.

    Go away.

  14. Elledan

    DoH is still stupid

    The thing is that DoH doesn't add anything that DoT doesn't already do, while also making network security (as noted) impossible. How do you distinguish some spyware sneaking its HTTPS DNS queries along with other HTTPS traffic, after all?

    DoH also doesn't solve the most important issues, that of validating whether a DNS record one obtained from the DNS server is genuine (requires DNSSEC), nor does it keep the details of your DNS query from being shouted across the entire DNS network. This latter point requires the implementation of QNAME minimisation, also not a part of DoH.

    At best, DoH is a red herring for internet security. At worst it's a trojan that enables the destruction of one's network and system security and privacy.
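To make the QNAME minimisation point concrete, here is an added example (not from the post above) that lists the queries a resolver sends on the way to an answer, with and without RFC 7816 minimisation, and what each authoritative server gets to see. It assumes the worst case of a zone cut at every label, so the resolver has to walk one label at a time; a real resolver skips cuts it already has cached, and `www.example.com` is just a sample name.

```python
"""What each authoritative server learns with and without QNAME minimisation
(RFC 7816), as an added example. Assumes a zone cut at every label (worst case);
a real resolver skips cuts it has cached."""
from typing import Dict, List, Tuple

Query = Tuple[str, str, str]   # (zone asked, qname sent, qtype)


def _canon(name: str) -> str:
    return name.lower().rstrip(".") + "."


def ancestors(name: str) -> List[str]:
    """'www.example.com.' -> ['.', 'com.', 'example.com.', 'www.example.com.']"""
    labels = _canon(name).rstrip(".").split(".")
    out = ["."]
    for i in range(len(labels) - 1, -1, -1):
        out.append(".".join(labels[i:]) + ".")
    return out


def classic_queries(name: str, qtype: str = "A") -> List[Query]:
    """Pre-7816 behaviour: every server on the path gets the full name."""
    chain = ancestors(name)
    return [(zone, chain[-1], qtype) for zone in chain[:-1]]


def minimised_queries(name: str, qtype: str = "A") -> List[Query]:
    """RFC 7816: ask each zone only for the next label (NS), full name only at the end.
    DoH/DoT do not change this list; they only encrypt the hop to the resolver."""
    chain = ancestors(name)
    out = []
    for i, zone in enumerate(chain[:-1]):
        child = chain[i + 1]
        out.append((zone, child, "NS" if child != chain[-1] else qtype))
    return out


def exposure(queries: List[Query]) -> Dict[str, str]:
    """Zone -> the most specific name that zone's servers saw."""
    return {zone: qname for zone, qname, _ in queries}


if __name__ == "__main__":
    for label, qs in (("classic", classic_queries("www.example.com")),
                      ("minimised", minimised_queries("www.example.com"))):
        print(label)
        for zone, qname, qtype in qs:
            print(f"  ask {zone:14} for {qtype:2} {qname}")
```

Both walks end with the full name reaching the final authoritative server, and neither walk is affected by whether the stub-to-resolver hop was DoH, plain UDP or DoT; what changes between the two is only that the root and TLD servers see `com.` and `example.com.` instead of the full name. That is the separation the post is making: transport encryption to the resolver, record authenticity (DNSSEC) and resolver-to-authoritative leakage (QNAME minimisation) are three different problems.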

Biting the hand that feeds IT © 1998–2020