the Chromium logo

The Chromium Projects

DNS over HTTPS (aka DoH)

Motivation

When you navigate to a website, your browser first needs to determine which server is responsible for delivering said website, a step known as DNS resolution. With DNS over HTTPS, all DNS resolutions occur over an encrypted channel, helping to further safeguard user security and privacy.

Launches

See these blog posts to learn more about DoH in Chrome: Desktop (exception: Linux), Android.

DoH Providers

The latest version of DoH providers recognized by Chrome (canary) can be found here (the format should be self explanatory).

Note that users can configure any DoH providers of their choosing, the providers included in Chrome are for the auto-upgrade mechanism and for a list of popular/relevant options as a convenience (see the requirements and process).

Chromium users (or administrators of managed deployments) can specify a custom configuration as a DoH URI template. If the template includes a dns variable, Chromium will issue DoH requests using the GET HTTP method; otherwise it will use POST. Users can also enter multiple templates separated by whitespace, improving reliability if one DoH server fails. Starting in M103, a JSON configuration format is supported for advanced uses and debugging of the Enhanced Bootstrap feature:

{
    "servers": [{
        "template": "https://dnsserver.example.net/dns-query{?dns}",
        "endpoints": [{
            "ips": ["192.0.2.1", "2001:db8::1"]
        }]
    }]
}

For technical questions, please send an email to net-dev@ with the [DoH] prefix in the subject line.

FAQ

Q: Do you plan to support a canary domain similar to Mozilla's use-application-dns.net?

A: We have no plans to support this approach. We believe that our deployment model is significantly different from Mozilla's, and as a result canary domains won't be needed. In particular, our deployment model is designed to preserve the current user experience, i.e. auto-upgrading to the current DNS provider's DoH server which offers the same features.

Q: How will Chrome's auto-upgrade approach work with Split Horizon?

A: Chrome's auto-upgrade approach does not change the DNS provider, and is designed to preserve the same user experience. Split Horizon setups should continue to work as is. Furthermore, managed deployments should be automatically opted-out, and administrators can use policies to control the feature.