Followed by
Whitelisted DNS providers included
An important difference from Firefox's implementation of DoH, in which DoH is incrementally enabled by default
If desired, the user will be able to enable or disable DoH using the "chrome://flags/#dns-over-https" setting. Three operating modes are supported "secure", "automatic" and "off". In "secure" mode, hosts are determined only based on previously cached secure values ββ(obtained over a secure connection) and requests via DoH, fallback to regular DNS is not applied. In the "automatic" mode, if DoH and the secure cache are not available, data can be retrieved from the insecure cache and accessed through traditional DNS. In the "off" mode, the shared cache is first checked and if there is no data, the request is sent through the system DNS. The mode is set via
The experiment to enable DoH will be carried out on all platforms supported in Chrome, with the exception of Linux and iOS due to the non-triviality of parsing resolver settings and restricting access to DNS system settings. If, after enabling DoH, there are failures to send requests to the DoH server (for example, due to its blocking, network connectivity failure, or failure), the browser will automatically return the DNS system settings.
The purpose of the experiment is to finally test the implementation of DoH and to study the impact of applying DoH on performance. It should be noted that the actual DoH support was
Recall that DoH can be useful for preventing leaks of information about requested host names through the DNS servers of providers, combating MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), countering blocking at the DNS level (DoH cannot replace VPN in the area of ββbypassing blocking implemented at the DPI level) or for organizing work in case it is impossible to directly access DNS servers (for example, when working through a proxy). While normally DNS requests are sent directly to the DNS servers defined in the system configuration, in the case of DoH, the request to determine the host IP address is encapsulated in HTTPS traffic and sent to the HTTP server, on which the resolver processes requests via the Web API. The current DNSSEC standard uses encryption only to authenticate the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of requests.
Source: opennet.ru