How to enable DNS over HTTPS in Chrome

How-to instructions: https://judge.sh/how-to-enable-dns-over-https-on-chrome-right-now/

Here’s a blog post I wrote about a week ago. Chrome currently supports a command line flag for enabling DNS over HTTPS functionality.

The only warning is that Chrome may change/modify the command line argument needed in the future, so check 1.1.1.1/help periodically to make sure DoH is still working.

You may notice this really only focuses on Windows. Currently, I am not aware of a way to persist this command line argument on macOS since the official guide only mentions opening a terminal, which means you can’t have DoH by just clicking Chrome from the dock.

7 Likes

Little update via this:

Tentative timeline
We are aiming for an experiment in Chrome 78 (branch cut: Sept 5th; estimated Stable: Oct 22nd) followed by a launch if everything goes well.

Chrome 78 (Branch cut likely will mean a Chrome Canary release) will have a real chrome://flags option for DoH support so you will be able to avoid the command line switch you currently need to do the above.

Once again, see the first link above for the instructions to enable it before v78.

3 Likes

Thanks for your post @Judge. :+1:
To automate this process, I used Alfred - Productivity App for macOS Workflow.
It runs this command by triggering the ch keyword:

nohup /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --enable-features="dns-over-https<DoHTrial" --force-fieldtrials="DoHTrial/Group1" --force-fieldtrial-params="DoHTrial.Group1:server/https%3A%2F%2F1.1.1.1%2Fdns-query/method/POST" >/tmp/chrome_doh_nohup_$(date +%F) 2>&1 & disown; sleep 3; exit;

Just import this file to Alfred Workflow and run ch: https://cloudup.com/files/ilT3T23tQps/download

You can check this video: https://cloudup.com/ia5PnU4B4bx

I guess Google Chrome doesn’t support ESNI at the moment, am I correct?

Connection Information:

https://1.1.1.1/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjEuMS4xIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjAuMC4xIjoiWWVzIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTExMSI6Ik5vIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTAwMSI6Ik5vIiwiZGF0YWNlbnRlckxvY2F0aW9uIjoiSEVMIiwiaXNwTmFtZSI6IkNsb3VkZmxhcmUiLCJpc3BBc24iOiIxMzMzNSJ9

1 Like

@aminkhoshnood, wouldn’t it be easier to switch to Firefox?

Just sayin’ :smile:

1 Like

Absolutely, for daily usage I prefer Firefox (+ cloudflared on macOS), I just saw there is not enough documentation regarding this topic :sweat_smile:
I will do anything to see DoH and ESNI activated on all platforms and browsers, it will help people with “censorship regimes” a lot.

1 Like
https://1.1.1.1/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiTm8iLCJyZXNvbHZlcklwLTEuMS4xLjEiOiJZZXMiLCJyZXNvbHZlcklwLTEuMC4wLjEiOiJZZXMiLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMTExIjoiTm8iLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMDAxIjoiTm8iLCJkYXRhY2VudGVyTG9jYXRpb24iOiJIS0ciLCJpc3BOYW1lIjoiQ2xvdWRmbGFyZSIsImlzcEFzbiI6IjEzMzM1In0=

I still got No in DoH; using the above Alfred workflow - Chrome v78

Old text of post:

I'm not at liberty to go digging through the chromium source to find out why, but it looks like the flags don't work on Canary - currently it only works on stable (v76).

To confirm you launched with the flags, go to chrome://version and make sure “command line” contains the flags (--enable-features=...)

If possible, in Canary, could you take a screenshot of chrome://flags after searching for “DNS”? My chrome doesn’t show anything about “Secure DNS lookups”, yet this post shows it should be available in v78.

see below post

1 Like
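A check for the step above, as an added example that is not part of the original post: it parses a Chrome command line and confirms that the three switches used in this thread refer to the same trial and group, then decodes the forced DoH server and method. The sample command line is constructed, and the switch value formats are taken from the command posted earlier in the thread.

```python
import shlex
from urllib.parse import unquote

# Constructed sample: the switches from this thread as they might appear on the
# "Command Line" row of chrome://version (binary path shortened to "chrome").
SAMPLE_CMDLINE = (
    'chrome --enable-features="dns-over-https<DoHTrial" '
    '--force-fieldtrials="DoHTrial/Group1" '
    '--force-fieldtrial-params="DoHTrial.Group1:'
    'server/https%3A%2F%2F1.1.1.1%2Fdns-query/method/POST"'
)

def parse_switches(cmdline):
    """Return {name: value} for every --name=value token on the command line."""
    switches = {}
    for token in shlex.split(cmdline):
        if token.startswith("--") and "=" in token:
            name, value = token[2:].split("=", 1)
            switches[name] = value
    return switches

def parse_trial_params(raw):
    """Parse 'Trial.Group:k/v/k/v,...' (values URL-escaped) into a dict."""
    parsed = {}
    for entry in filter(None, raw.split(",")):
        study, _, pairs = entry.partition(":")
        trial, _, group = study.partition(".")
        items = pairs.split("/")
        if len(items) % 2:
            raise ValueError(f"unpaired key/value in {entry!r}")
        parsed[(trial, group)] = {
            unquote(k): unquote(v) for k, v in zip(items[::2], items[1::2])
        }
    return parsed

def check_doh_launch(cmdline):
    """Return (True, params) if the three switches line up, else (False, reason)."""
    sw = parse_switches(cmdline)
    feats = [f.partition("<") for f in sw.get("enable-features", "").split(",")]
    trial = {name: t for name, _, t in feats}.get("dns-over-https")
    if not trial:
        return False, "dns-over-https is not bound to a trial in --enable-features"
    forced = sw.get("force-fieldtrials", "").strip("/").split("/")
    group = dict(zip(forced[::2], forced[1::2])).get(trial)
    params = parse_trial_params(sw.get("force-fieldtrial-params", "")).get((trial, group))
    if not params or "server" not in params:
        return False, f"no server parameter forced for {trial}/{group}"
    return True, params
```

Paste the "Command Line" value from chrome://version in place of `SAMPLE_CMDLINE`; a `False` result names the switch that does not match.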

in chrome://flags, there’s nothing except this when searching for dns

Anonymize local IPs exposed by WebRTC.
Conceal local IP addresses with mDNS hostnames. – Mac, Windows, Linux, Chrome OS

#enable-webrtc-hide-local-ips-with-mdns

in chrome://version, the command line already contains enable-features

1 Like

Looks like they rolled out changes to how DoH is handled in “managed” browsers (when any policy whatsoever is present).

If you see “managed by your organization” in the Kebab menu (triple dot), that means Chrome, in order to prevent rollout issues breaking DNS filters, won’t show the “Secure DNS lookups” in chrome://flags/#dns-over-https.

I had a bogus policy set up from some stuff I was trying, so it was hidden from me. Removing it shows:


Now, which DNS over HTTPS server it chooses is based on the existing DNS servers your DHCP is sending (or the servers configured in Windows/macOS, not sure).

See this commit:

It uses the DNS set up to choose the DNS server it should upgrade to. If your Router is broadcasting 1^4 IPs as the DNS endpoint to use, Chrome should use 1.1.1.1’s DoH server and https://1.1.1.1/help should show DOH enabled.

1 Like

@tuananh as to your setup, let me know if it’s a managed browser; if it’s not, there might be something else gating the visibility of the feature flag.

1 Like

it’s managed indeed.

do you know where that setting is? this is just my personal google apps where i’m the admin.

1 Like

chrome://policy will show you any policies set up, disabling those might disable the managed state. Otherwise i would guess disabling MDM for your domain would no longer have it show as managed (this might require sign out/in though, unsure) https://support.google.com/a/answer/7581380?hl=en

1 Like

my policies look like this

{
   "chromeMetadata": {
      "OS": "macOS Version 10.14.6 (Build 18G87)",
      "application": "Google Chrome",
      "revision": "40bede06f8a7a191fc28dbebdad52d6917cec4fe-refs/branch-heads/[email protected]{#8}",
      "version": "78.0.3902.4 (Official Build) dev (64-bit)"
   },
   "chromePolicies": {
      "MaxInvalidationFetchDelay": {
         "level": "mandatory",
         "scope": "user",
         "source": "cloud",
         "value": 10000
      }
   },
   "extensionPolicies": {
      "cjpalhdlnbpafiamejdnhcphjbkeiagm": {

      },
      "ghbmnnjooekpmoecnnnilnnbdlolhkhi": {

      }
   }
}

i disable MDM but it’s still not available after sign out / in

1 Like
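One way to read a chrome://policy export like the one above (added example, not from the original posts): it lists every policy that actually carries a value and groups the names by source, so it is clear which entries keep the browser in the managed state described in this thread. The sample is constructed to mirror the posted export with placeholder extension IDs, and the per-extension layout of `extensionPolicies` is an assumption.

```python
import json

# Constructed sample shaped like the export posted in this thread; the
# extension IDs are placeholders, not real extensions.
SAMPLE_EXPORT = """
{
  "chromePolicies": {
    "MaxInvalidationFetchDelay": {
      "level": "mandatory", "scope": "user", "source": "cloud", "value": 10000
    }
  },
  "extensionPolicies": {
    "placeholder-extension-id-1": {},
    "placeholder-extension-id-2": {}
  }
}
"""

def meta_of(entry):
    """Keep only the fields that say how and from where a policy was set."""
    return {k: entry.get(k) for k in ("level", "scope", "source", "value")}

def active_policies(export_text):
    """Return one record per policy that carries a value in the export."""
    export = json.loads(export_text)
    found = []
    for name, entry in export.get("chromePolicies", {}).items():
        found.append({"where": "chrome", "name": name, **meta_of(entry)})
    # Assumed layout: {extension_id: {policy_name: {...}}}; empty objects add nothing.
    for ext_id, policies in export.get("extensionPolicies", {}).items():
        for name, entry in policies.items():
            found.append({"where": f"extension:{ext_id}", "name": name, **meta_of(entry)})
    return found

def policies_by_source(export_text):
    """Group policy names by source to show where each one has to be removed."""
    grouped = {}
    for policy in active_policies(export_text):
        grouped.setdefault(policy["source"], []).append(policy["name"])
    return grouped

if __name__ == "__main__":
    for source, names in policies_by_source(SAMPLE_EXPORT).items():
        print(f"{source}: {', '.join(names)}")
```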

Ya, you’re going to have to remove that one policy, but I can’t find anything related to removing them on Mac (It’s easy on windows since it’s all Reg keys). Hope you can figure it out.

1 Like