Google rolls out Secure DNS support in Chrome for Android
After having introduced Secure DNS in Chrome 83 for the desktop, Google announced this week that the roll out of the feature has started for mobile Chrome for the company's Android operating system.
As has been the case for the desktop rollout, Secure DNS will be rolled out to all Chrome installations over time.
Secure DNS, or DNS-over-HTTPS, is a new privacy and security features that has started to gain some traction in recent time. Web browsers like Firefox or Chrome, but also operating systems like Windows, support or will support the feature in the future.
Basically, what it does is encrypt DNS traffic to avoid tampering with the traffic or the recording of it. The implementation may differ but for Chrome and most Chromium browsers, it is the following:
- Chrome will not switch the default DNS provider but will use Secure DNS if it is supported.
- Options to disable and configure the feature manually are provided via in-browser preferences but also Enterprise policies.
Chrome built-in Secure DNS configuration
Select Menu > Settings > Privacy and Security to get started. The new "Use secure DNS" option is displayed on the page that opens, provided that the feature has reached your device already. The status of the feature is displayed on the page, but you need to tap on the option to configure it in the mobile browser.
Google Chrome displays two options on the "Use secure DNS" configuration page:
- Turn the feature on or off by toggling "Use secure DNS" at the top of the page. If you don't want to use it, toggle it to off. Chrome continues to use the default DNS provider but without use of DNS-over-HTTPS even if supported by the provider.
- Chrome offers options to continue using the default service provider, or a manual provider.
The first option is the default and it can mean that DNS-over-HTTPS is not used even if the setting is enabled; this is the case if the DNS provider does not support the feature.
Chrome lists five different Secure DNS providers that you may select by switching to "choose another provider". The five providers are Google (Public DNS), Cloudflare, Quad9, CleanBrowsing, and DNS.SB. An option to add a Secure DNS URL manually is also available.
Closing Words
While DNS-over-HTTPS support gets added to more and more browsers, none seems to report to the user if the feature is indeed working. You can check out our guide on finding out if DNS-over-HTTPS is working as advertised.
Now You: Do you plan to use Secure DNS / Dns-over-HTTPS?
The slider doesn’t work, it will not change. My browser is not managed so I don’t understand how to get it to slide.
“Chrome will not switch the default DNS provider but will use Secure DNS if it is supported.”
Proof that sometimes, Google can respect the users more than Mozilla. Thank you for not hijacking the DNS by default to a third-party of your choice. Please keep it like that.
Why only in Chrome? Why not system-wide?
\o/ I’m Henry the 8th I am, Henry the 8th I am I am.
I could have used Tor’s DNS lore,
But the story would be buried for sure!
Because Comcast is the man in the middle. At minimum, they can monitor/record browsing habits to create profiles and sell this information to 3rd parties. They can prioritize websites that pay a toll to be faster than other similar services. They could even purposely slow down websites of competing services of theirs. They’re lobbying against their cash revenue being taken away.
I thought that I would be something like this. Why be content with a lot of money when you can skimp of even more.
Absolutely! Because doH will enhance my privacy online.
I right now encrypts my DNS lookups and also will improve my online privacy and security.
I still do not understand why Comcast is lobbying against it?
Maybe you can explain it to me, Martin?
https://www.vice.com/en_us/article/9kembz/comcast-lobbying-against-doh-dns-over-https-encryption-browsing-data
Things changed, they got in on the dns business:
https://www.ghacks.net/2020/06/26/comcast-is-the-first-isp-that-joins-firefoxs-trusted-recursive-resolver-program/
Obviously it was never about hiding your dns from your isp.
Neat way of breaking Pi-Hole by default and introducing yet another party to your traffic.
Chrome upgrades to DoH only if the default resolver indicates support for it.
This just means Pi-Hole should either block Chrome’s DoH feature detection (it’s done in plaintext) or introduce support for DoH and signal how to use DoH.
Thanks for the hint.