[FYI] Google / Chrome: "Experimenting with same-provider DNS-over-HTTPS upgrade"

mibere · September 11, 2019, 8:44am

For your information

As part of our long standing commitment to making the web safer to use, we will be conducting an experiment to validate our implementation of DNS-over-HTTPS (aka DoH) in Chrome 78.
[...]
Our experiment will run on all supported platforms (with the exception of Linux and iOS) for a fraction of Chrome users. On Android 9 and above, if the user has specified a DNS-over-TLS provider in the private DNS settings, Chrome may use the associated DoH provider, and will fallback to the system private DNS upon error.

Read full report

dosch · September 11, 2019, 9:44am

I found that Chrome is now pushing ahead on this as well and that it becomes the default on FF this month.

Is there any more information available on what the impact on pihole users might be?

drewski · September 11, 2019, 2:46pm

I'm starting to wonder if they are doing this to get statistics.

pidohole · September 11, 2019, 4:37pm

It depends on how Chrome determines the system's dns. If it simply looks up the OS's dns, then Chrome will not have a corresponding DoH server for your private pihole. But if it does a more exhaustive lookup, such as those on dns leak tests, and the upstream dns of your pihole has a DoH equivalent, then it may the DoH server directly.

DL6ER · September 11, 2019, 5:16pm

This is all very speculative.

They could equally well just enforce their own (Google's) DoH server, why even bother trying to find a (reliably working!) local server?...

drewski · September 11, 2019, 5:22pm

Very true I shall hush now.

This would back my theory a little.

pidohole · September 11, 2019, 5:27pm

It's not speculative. If the current dns has a corresponding DoH server then Chrome will automatically switch to DoH. How does Chrome determine if there's DoH server available? It's has a list of supported DoH servers:

Cleanbrowsing
Cloudflare
DNS.SB
Google
OpenDNS
Quad9

This is straight from the horse mouth. DNS over HTTPS (aka DoH) - The Chromium Projects

DL6ER · September 11, 2019, 5:30pm

This is in contrast with the quoted blog entry stating:

By keeping the DNS provider as-is and only upgrading to the provider’s equivalent DoH service, the user experience would remain the same.

My ISP does not offer a DoH equivalent. However, in the future, they might want to enforce the "best" for their users:

As part of our long standing commitment to making the web safer to use [...]

But, yes, again speculations.

pidohole · September 11, 2019, 6:17pm

Seems pretty clear to me. If you using one of the listed dns, then Chrome will use the DoH. If it's not on the list then Chrome won't make any changes.