Thanks to the expansion of HTTPS, the secure version of the original HTTP protocol, most internet traffic is encrypted today, improving your privacy and protecting your browsing data from the prying eyes of eavesdroppers. Major browsers like Google Chrome and Firefox warn you if you visit an unencrypted website.
But while progress has been great, not all of your internet traffic is encrypted. The domain name system (DNS), the protocol used to convert domain names (e.g., google.com) to IP addresses (e.g., 126.96.36.199), is still sent in plain text, which can reveal much about your browsing habits.
The DNS-over-HTTPS (DoH) protocol, introduced in recent years, improves the privacy of your browsing experience by adding a layer of encryption to your DNS packets. Firefox led the charge, experimenting with support for DNS-over-HTTPS since 2017. Google Chrome added experimental support for DoH in version 78. Google will enable it by default for 1 percent of Chrome users with the rollout of version 79 in December.
With Chrome being the go-to browser for more than 65 percent of users, the implementation of DoH can have a deep impact on browsing privacy. Here’s what you need to know about the privacy benefits—and limits—of DNS-over-HTTPS.
On the internet (as well as local, offline networks), each computer has an IP address, a sequence of four numbers (e.g., 188.8.131.52). When computers want to communicate with each other (such as browsing to a website), they must specify the IP address of the destination. But the human brain is not very good at remembering number sequences (imagine having to remember thousands of IP addresses).
That’s why network scientists created the DNS protocol, which allows you to use domain names (much easier for humans to remember) to refer to computers on a network. Whenever you type in the address of a website (say en.wikipedia.org), your computer sends a DNS request to your DNS resolver (usually your internet service provider). Your resolver, in turn, communicates with a series of DNS servers to find the IP address for the website or service you want to connect to.
Here’s where things get a bit ugly. The DNS request that you send is unencrypted. It contains the domain you requested as well as part of your own IP address. Anyone listening in on your internet traffic can log all the websites you browse to. This includes your internet service provider (ISP), the servers that route your request to DNS servers, the owner of the Wi-Fi network you’re using in your local coffee shop or library, government agencies, or anyone who is crafty enough to set up a network monitoring tool.
In some cases, malicious actors can intercept the request and return a phony IP address to redirect you to a malicious website.
How does DNS-over-HTTPS work?
The basic idea behind DoH is to add a layer of encryption to your DNS request to make its contents invisible to unwanted parties. When you use DNS-over-HTTPS, your browser encrypts your DNS requests and sends them as ordinary HTTPS traffic. It then sends them to a trusted DoH resolver, which does the rest of the legwork, sending out messages to DNS servers and resolving the address of the website you want to visit.
An eavesdropper monitoring your internet traffic won’t be able to read your DNS queries. Also, DoH servers take precautionary measures to avoid revealing your IP address to the DNS servers that resolve the address.
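To make the "encrypts your DNS requests and sends them as HTTPS" step concrete, here is an added example (written for this page, not code from the article or from any browser) of the two message shapes DoH uses, as defined in RFC 8484: the same DNS query that would normally go out in plain text on port 53 is carried either as the body of an HTTPS POST or, base64url-encoded, in the `dns` parameter of a GET. The resolver URL `https://dns.example/dns-query` is a placeholder, the reply is constructed in the script rather than fetched, and 192.0.2.1 is a documentation address; nothing touches the network.

```python
"""RFC 8484 DoH message shapes: an added example, not code from the article.
Builds the DNS query a DoH client sends, shows the POST and GET encodings,
and parses a constructed response. Nothing is sent over the network."""
from __future__ import annotations
import base64
import struct

DOH_MEDIA_TYPE = "application/dns-message"          # RFC 8484 section 6
RESOLVER_URL = "https://dns.example/dns-query"       # placeholder, not a real resolver


def encode_qname(name: str) -> bytes:
    """Encode a domain as length-prefixed labels ending with a zero byte (RFC 1035)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("each label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """DNS query: 12-byte header plus one question (qtype 1 = A, class 1 = IN).
    RFC 8484 recommends txid 0 so identical GET queries are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 0x0100 = RD flag
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form: the message goes in the 'dns' parameter, base64url without padding."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={dns}"


def doh_post_request(base_url: str, query: bytes) -> dict:
    """POST form: the raw DNS message is the body, typed application/dns-message."""
    return {
        "method": "POST",
        "url": base_url,
        "headers": {"Content-Type": DOH_MEDIA_TYPE, "Accept": DOH_MEDIA_TYPE},
        "body": query,
    }


def decode_qname(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a name at offset `off`, following compression pointers (RFC 1035 4.1.4).
    Returns the name and the offset just past it at the original position."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # two-byte pointer to an earlier name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_a_answers(msg: bytes) -> list[str]:
    """Return the IPv4 addresses from the A records in a DNS response's answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                              # skip the echoed question(s)
        _, off = decode_qname(msg, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = decode_qname(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return ips


def constructed_response(name: str, ip: str, ttl: int = 300) -> bytes:
    """A constructed reply (not a real resolver's) so the parser can run offline:
    flags 0x8180 = response, RD, RA; the answer name is a pointer to offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(p) for p in ip.split("."))
    return header + question + answer


if __name__ == "__main__":
    q = build_query("en.wikipedia.org")
    print("POST:", doh_post_request(RESOLVER_URL, q)["headers"])
    print("GET: ", doh_get_url(RESOLVER_URL, q))
    # 192.0.2.1 is a documentation address (RFC 5737), used here as constructed data
    print("A records:", parse_a_answers(constructed_response("en.wikipedia.org", "192.0.2.1")))
```

The point worth noticing is that the DNS message itself is unchanged: what DoH adds is the TLS session around it, so an observer on the path sees only a connection to the resolver's hostname and an opaque request body, not the `en.wikipedia.org` question inside.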
How to enable DNS-over-HTTPS on Google Chrome
Google Chrome has supported DNS-over-HTTPS since version 78. It is still in the experimental phase, so enabling it is not that easy. To access experimental features, you must type “chrome://flags” in the address bar. This brings up Chrome’s experimental features.
Find the feature titled “Secure DNS lookups” and set it to “Enabled.” (You can use the search bar at the top of the page to find it quickly. Alternatively, you can type “chrome://flags#dns-over-https” in the address bar to go straight to Chrome’s DoH setting.)
After enabling the feature, you must relaunch Google Chrome for the DNS-over-HTTPS feature to take effect.
How does DNS-over-HTTPS work on Google Chrome?
There’s a catch here. Switching on the DoH flag in Google Chrome is not enough to make your DNS requests private. Using DNS-over-HTTPS requires two things:
- A DoH-enabled application (such as Google Chrome)
- A DoH server (aka DoH resolver)
There are now several trusted DoH resolvers, including Cloudflare (IP: 1.1.1.1) and Google (IP: 8.8.8.8). But that doesn’t mean your computer is using them.
By default, most computers use the default DNS resolver their ISP or network administrator provides. If your resolver does not support DoH, enabling Google Chrome’s DoH flag will make no difference.
To see if DNS-over-HTTPS is truly enabled in your browser, go to Cloudflare’s security check page and click the “Check My Browser” button. If your DoH setting is working properly, you should see a green checkmark next to the Secure DNS column.
If your Secure DNS column still has a red or orange icon after enabling Chrome’s DoH feature, try manually setting your DNS resolver to “1.1.1.1” or “8.8.8.8.” (You’ll find instructions for adjusting DNS settings in Windows 10 here and MacOS here.)
What are the privacy considerations of DNS-over-HTTPS?
While DNS-over-HTTPS enhances your browsing privacy in Google Chrome, it’s not a perfect solution. Here are a few things to consider:
DoH will not prevent ISP tracking: One of the main privacy concerns of internet users is their ISPs tracking their browsing habits and selling them to advertisers. Reading DNS requests is one of the main ways ISPs track your browsing. But even if they don’t have access to your DNS packets, they can know which websites you’re visiting because your HTTPS request will still go through them. While HTTPS encrypts request contents such as form data (username, password, addresses, phone numbers, etc.) as well as page details, it still reveals the domain of the website you’re visiting.
DoH encrypts precisely zero data that is not already present in unencrypted form. As it stands, using DoH only provides *additional* leaks of data. SNI, IP addresses, OCSP and remaining HTTP connections still provide the rest. It is fake privacy in 2019.
— Bert Hubert 🇪🇺 (@PowerDNS_Bert) September 22, 2019
One mitigating factor here is the propagation of DoH to content delivery networks (CDNs). CDN local nodes usually host several websites on a single server, and they’ll be able to use a feature called “connection coalescing” to reveal less information about the domains you visit. But that hasn’t happened in full yet.
DoH might disrupt some security tools: Many endpoint security tools and smart firewalls use DNS requests to detect and prevent connections to malicious domains. DoH might disrupt the functionality of these tools.
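The two points above (the ISP still learns the domain from your HTTPS connection, and security tools lose the DNS queries they used to inspect) come down to the same field: the Server Name Indication (SNI) that a browser puts, unencrypted, in the first message of every TLS handshake. The following added example (written for this page, not code from the article or from any monitoring product) builds a constructed TLS ClientHello for a host name and then pulls that name back out of the SNI extension, which is exactly what a passive monitor on the path can do whether or not the preceding DNS lookup went over DoH. It is also the field a DNS-based filter can fall back on once it can no longer see port-53 queries. The ClientHello is minimal and zero-filled where real values do not matter to the parser; no live traffic is read.

```python
"""What an on-path observer still sees after DoH: an added example, not code
from the article. It builds a constructed TLS ClientHello for a host name and
pulls the host name back out of its SNI extension, the way a passive network
monitor (an ISP's, or a firewall's) can. No live traffic is involved."""
from typing import Optional
import struct

SNI_EXT = 0x0000                 # server_name extension type (RFC 6066)
HANDSHAKE, CLIENT_HELLO = 0x16, 0x01


def build_client_hello(host: str, with_sni: bool = True) -> bytes:
    """A minimal constructed ClientHello record: zeroed random, no session id,
    two cipher suites, and an extensions block that optionally carries SNI."""
    exts = struct.pack("!HH", 0x0017, 0)                     # extended_master_secret, empty body
    if with_sni:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                          # client_version, random (constructed zeros)
            + b"\x00"                                        # session_id length 0
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"     # cipher_suites: two entries
            + b"\x01\x00"                                    # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in a ClientHello's SNI extension, or None
    when the record is not a ClientHello or has no SNI (e.g. a bare-IP connection)."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                             # skip client_version and random
    off += 1 + body[off]                                     # session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]     # cipher_suites
    off += 1 + body[off]                                     # compression_methods
    if off + 2 > len(body):
        return None                                          # no extensions at all
    ext_end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    while off + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        data = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype != SNI_EXT:
            continue
        pos = 2                                              # skip server_name_list length
        while pos + 3 <= len(data):
            ntype, nlen = data[pos], struct.unpack("!H", data[pos + 1:pos + 3])[0]
            pos += 3
            if ntype == 0:
                return data[pos:pos + nlen].decode("ascii")
            pos += nlen
    return None


if __name__ == "__main__":
    hello = build_client_hello("en.wikipedia.org")
    print("observer sees:", extract_sni(hello))              # the domain, despite DoH
    print("no SNI:", extract_sni(build_client_hello("en.wikipedia.org", with_sni=False)))
```

Run against a real capture, the same parser would report the resolver's own hostname for the DoH connection and the visited site's hostname for the page load that follows it; DoH hides the question, not the destination.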
DoH will not protect data on unencrypted websites: While encrypting the web has come a long way, there are still many websites that use the unencrypted HTTP protocol. These websites expose all your information to eavesdroppers and network gateways. Using DNS-over-HTTPS will not protect the data you exchange with these websites.
Nonetheless, DNS-over-HTTPS is a good privacy improvement for Google Chrome and other browsers, especially as enabling it will become trivial in the future. If you want full privacy, consider using a virtual private network (VPN), which adds a layer of encryption to all your network traffic and even hides the domains you communicate with.