DNS over HTTPS: Google hits back at 'misinformation and confusion' over its plans

Google sets the record straight on its plans to encrypt DNS requests from Chrome over HTTPS.

How Google's IT systems helped detect Levandowski's alleged illegal downloads A new criminal indictment from the Department of Justice charges Anthony Levandowski with 33 counts of theft and attempted theft of trade secrets.

Google's recent move to enable DNS over HTTPS in Chrome has been a controversial one. Intended to improve user privacy, it's been met with opposition from some ISPs and network security experts. 

For a deep dive into all the issues at stake, it's worth reading this story by ZDNet's Catalin Cimpanu from September after Google first experimented with DNS over HTTPS or DoH.  

DNS, often described as the 'address book' of the internet, allows users to type in a site's name in the browser, which their DNS provider converts into the site's IP address that the browser then uses to visit the correct site. Google is a DNS provider, as are many ISPs, and internet infrastructure provides, such as Cloudflare. 

SEE: 10 tips for new cybersecurity pros (free PDF)

DoH, in short, encrypts traffic between a user's browser and their DNS provider with the intent of thwarting snoops on the same network. It won't however stop an ISP tracking users because ISPs have access to more data for this purpose other than a user's DNS requests. And DoH has been exploited by cybercriminals to evade detection by local DNS servers and DNS-based software that system admins use to filter and monitor local traffic, and block users from visiting malware domains. 

In any case, Google this week decided to address what it says are "misconceptions" about its plans in response to claims by US ISP Comcast that Google is trying to grab all DNS data for itself. 

As reported by Motherboard last week, Comcast had been telling US government officials that Google's plan with DoH was to force Chrome users to exclusively use Google's DNS service, with the effect of centralizing most of the world's DNS data with Google. 

A Comcast presentation on the matter said Google's "unilateral centralization of DNS raises serious policy issues relating to cybersecurity, privacy, antitrust, national security and law enforcement, network performance and service quality (including 5G), and other areas."  

Google says this is wrong. "Because we believe in user choice and user control, we have no plans to force users to change their DNS provider," wrote Kenji Baheux, Chrome product manager

Rather, Chrome will be capable of offering DoH connections if a user's DNS provider of choice offers it, he said. 

Chrome will check if the users' DNS provider is on a its list of participating DoH providers, which currently include Cleanbrowsing, Cloudflare, Comcast, DNS.SB, Google, OpenDNS and Quad9. This list could expand in future experiments. 

"If the DNS provider is not on the list, Chrome won't enable DoH and will continue to operate as it does today. As DoH adoption increases, we expect to see the number of DoH-enabled DNS providers grow," noted Baheux. 

Mozilla is also implementing DoH in Firefox, albeit differently. Mozilla has also opted not to enable DoH by default for UK users because of pressure from the UK government. 

Another misunderstanding, according to Baheux, is that Chrome's DoH will prevent ISPs offering family-safe content filtering.

SEE: Google gets tougher on HTTPS with ban on mixed content 

Paul Vixie, a pioneer of DNS, who has called DoH a "cluster duck for internet security", this week applauded Google's approach to DoH, particularly for how it's enabling network admins to implement security controls. He also reckons Mozilla and Cloudflare should follow Google's lead. 

"it's not often in the modern internet era that Google is the hero. but when it comes to DoH they are doing two things right, that everyone else should emulate," he wrote on Twitter. "first, Chrome is only speaking DoH to servers the user has already selected," he said, and "second, Google is only serving DoH from well known and stable addresses, so that operators of private managed networks (like my home and business) can block them in our firewalls to prevent bypass of our own DNS servers, which are control points for cyber security. TY g00g!"

He added: "For the record, i would like @mozilla mozilla to do DoH in firefox the way google is doing it in chrome; and i would like @cloudflare to announce a set of blockable IP addresses for their DoH servers, as google is doing. please steer away from the rule of the strongest!"