How to enable DNS-over-HTTPS (DoH) in Google Chrome

Terry Ganzi

Do you often get this error with ESNI enabled on some sites? For me this happens on MalwareTips and some other websites. I can visit the sites after clicking Try Again.

Do you have AdGuard, the desktop version, on your PC? If you have it, then look no further, that's the culprit; you will have to go into settings and change the EV certificate settings. If you don't have it, then that is where my help ends, because you said you are running Windows Defender and that does not do that; it's a certificate clash error.
 

SeriousHoax

Do you have AdGuard, the desktop version, on your PC? If you have it, then look no further, that's the culprit; you will have to go into settings and change the EV certificate settings. If you don't have it, then that is where my help ends, because you said you are running Windows Defender and that does not do that; it's a certificate clash error.
Thanks but no, I don't use Adguard desktop. Anyway that issue was fixed a long time ago. No problem now.
 
  • Like
Reactions: Terry Ganzi

South Park

try this?
It didn't work, even when I changed the DNS in Windows and flushed DNS, etc. Chromium still managed to completely bypass the network adapter setting and continued using my un-secure and un-private ISP's DNS. This is a deal-breaker, unfortunately.
 

South Park

It didn't work, even when I changed the DNS in Windows and flushed DNS, etc. Chromium still managed to completely bypass the network adapter setting and continued using my un-secure and un-private ISP's DNS. This is a deal-breaker, unfortunately.
I tried it again with Nirsoft's DNS switcher, and discovered that Edge legacy also completely ignores the Windows 10 DNS setting and uses the ISP's DNS. Apparently the flag to set a custom DNS was removed from Chromium 81, so it will probably disappear from Slimjet too. This, and the ability to use ESNI (which Chromium still doesn't support), leaves Firefox as the best option for DNS privacy at the present time.
 

South Park

I tried it again with Nirsoft's DNS switcher, and discovered that Edge legacy also completely ignores the Windows 10 DNS setting and uses the ISP's DNS. Apparently the flag to set a custom DNS was removed from Chromium 81, so it will probably disappear from Slimjet too. This, and the ability to use ESNI (which Chromium still doesn't support), leaves Firefox as the best option for DNS privacy at the present time.
I've done some more research on this. The command-line switches seem to have been removed from Chromium 81, but the devs say they plan to add a DoH setting in the Privacy and Security section of the UI at some point. (I did not see any such setting in a build of Chromium 84 that I tested today.)

I believe my DNS situation is somewhat unique because my only Internet access is currently through hotel WiFi which uses a captive portal to log in. I believe this is why my custom Windows 10 DNS settings are bypassed, but not the browser-level settings. (The captive portal works fine in Firefox, even with custom DoH and no fallback allowed.)
 

South Park

Should we all enable this?
I'd say yes, especially if you don't trust your ISP or its privacy policies. If DoH is properly implemented (like it is on the Firefox browser), you can choose a no-logging DNS provider like Quad9 or AdGuard DNS. (I use Quad9 on FF.)

I should note that some people feel that DoH isn't secure enough or that a lack of DNS providers could centralize the Internet, but I don't share their concerns.
 

blackice

I'd say yes, especially if you don't trust your ISP or its privacy policies. If DoH is properly implemented (like it is on the Firefox browser), you can choose a no-logging DNS provider like Quad9 or AdGuard DNS. (I use Quad9 on FF.)

I should note that some people feel that DoH isn't secure enough or that a lack of DNS providers could centralize the Internet, but I don't share their concerns.
Your ISP still sees every IP you connect through their firewall to without a VPN.
 

South Park

Your ISP still sees every IP you connect through their firewall to without a VPN.
I know it's not a perfect solution, but it makes it a little bit more difficult for the ISP to block websites or do bulk collection. With ESNI (enabled on Cloudflare-hosted sites), I think the ISP can only see the IP address connected to, rather than the actual domain name.
 
  • Like
Reactions: blackice

blackice

I know it's not a perfect solution, but it makes it a little bit more difficult for the ISP to block websites or do bulk collection. With ESNI (enabled on Cloudflare-hosted sites), I think the ISP can only see the IP address connected to, rather than the actual domain name.
I was using 3rd-party DNS for years. But with a recent issue with my router it’s not working right. It got me wondering if I wanted to add yet another company to the pot of people who have access to my browsing. Like you said, the ISP is always going to know the first IP you’re connecting to. Just another company to be lying or get breached. Just thinking out loud.
 
  • Like
Reactions: South Park

DSD27

I'd say yes, especially if you don't trust your ISP or its privacy policies. If DoH is properly implemented (like it is on the Firefox browser), you can choose a no-logging DNS provider like Quad9 or AdGuard DNS. (I use Quad9 on FF.)

I should note that some people feel that DoH isn't secure enough or that a lack of DNS providers could centralize the Internet, but I don't share their concerns.
Nice, I use Quad9 too, on my router.
 
