DNS-over-HTTPS (DoH) coming to Chrome and Firefox browsers

In a move to force mass adoption of DNS-over-HTTPS (DoH), Mozilla and Google are adding DoH to their browsers, and they plan to turn it on by default for all users.

Cloudflare’s 1.1.1.1 DNS service and Google’s Public DNS are marketed as a way to speed up and secure internet usage. If a user changes their DNS servers to Cloudflare’s 1.1.1.1 DNS servers or Google’s 8.8.8.8 DNS servers, it’s supposed to make their internet faster and safer.

[Image: Cloudflare’s 1.1.1.1 DNS servers on macOS.]

The “safer” part is due in part to these services’ use of DNS-over-HTTPS (DoH). Cloudflare describes the problem DoH addresses:

“If you are visiting a site using HTTPS, your DNS query is sent over an unencrypted connection. That means that even if you are browsing https://cloudflare.com, anyone listening to packets on the network knows you are attempting to visit cloudflare.com.”

DoH encrypts the connection between the user’s device and the DNS server, which keeps DNS queries private and secure from anyone listening on the network. It’s something that everyone should consider using, but most people aren’t aware that they need it, and they don’t possess the skills to change their DNS servers.

Lack of interest in, and knowledge of, the 1.1.1.1 DNS service is what prompted Cloudflare to change its approach. Instead of trying to get people to change their DNS servers, it decided to encourage people to install its 1.1.1.1 app. Its selling point has been that the app will make their internet faster, and there’s never a mention of DoH. It has been a clever campaign, but it still requires educating the market in order to get a significant adoption rate.

[Image: Cloudflare says their 1.1.1.1 app can make your internet faster.]

Making everyone use DoH by default

The only way to get mass adoption of DoH is to bake it into web browsers, and that’s what Mozilla Firefox and Google Chrome have decided to do.

Mozilla has partnered with Cloudflare to use their 1.1.1.1 DNS service with Firefox. Mozilla plans to gradually roll out DoH in the USA starting in late September. Then they will start slowly enabling DoH for a small percentage of users while monitoring for any issues before enabling it for a larger audience.

Google has added DoH to Chrome, but it’s not on by default yet. The only way to use DoH in Chrome is to turn it on by using a command-line flag. Catalin Cimpanu, a security reporter for ZDNet, has posted instructions on how to activate DoH in Chrome. However, Google has stated that they plan to turn DoH on for all users in the future.

The switch to DoH in browsers isn’t expected to be an easy one. There are concerns about conflicts with parental controls, enterprise configurations, and general DNS lookup failures. The rollout of DoH is expected to be slow, but eventual, for both Firefox and Chrome.