Google Chrome to Support DNS over HTTPS

After Firefox's announcement in early September, Google has also revealed plans to support DNS over HTTPS (DoH).

In traditional DNS, the traffic between the DNS server and the client looking up a name travels over the wire unencrypted and unauthenticated. The client therefore cannot tell whether the DNS server it is talking to is really the intended server, whether the connection has been hijacked, or whether it is being handed spoofed entries.

There have been earlier efforts to secure DNS traffic, and the most advanced and seasoned approach is DNSCrypt, which also uses the default HTTPS port, TCP 443, for its traffic.
The DNSCrypt v2 protocol specification has existed since 2013, but the protocol goes back to around 2008. It is well tested and secure, and I would have expected it to become the de facto standard in web browsers. In fact, the Yandex browser already uses it.

DNSCrypt setting in Yandex browser

The drop-down list displays a long list of DNSCrypt services, some of which filter adult and/or known scam sites.

The downside of DNSCrypt: it is currently not on an IETF standardization track.

The Firefox and Google approaches are different: they are based on DNS Queries over HTTPS (DoH), which as of October 2018 is on an IETF standardization track and is currently “a proposed standard”, which you can read here.
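As an added illustration (not code from the original post or from either browser), here is a Python sketch of what travels inside the HTTPS connection with DoH: the query is ordinary DNS wire format, base64url-encoded into the `dns` parameter of a GET request as RFC 8484 specifies, and the response body is parsed back. It deliberately stops at the payload: the encryption and server authentication that plain DNS lacks come from the TLS layer, which is not implemented here, and the resolver hostname and answer address are constructed placeholders.

```python
import base64
import struct

def build_query(name: str, qid: int = 0) -> bytes:
    """DNS wire-format A query, RD=1; RFC 8484 recommends ID 0 so requests are cacheable."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN

def doh_get_url(resolver: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url query without '=' padding in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={encoded}"      # resolver is a placeholder

def parse_a_records(response: bytes, query: bytes) -> list:
    """IPv4 answers from a DoH response body (application/dns-message) matching query."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if qid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("response ID or QR flag does not match the query")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    pos = 12
    for _ in range(qd):                          # skip the echoed question section
        while response[pos] != 0:
            pos += 1 + response[pos]
        pos += 1 + 4                             # root label, QTYPE, QCLASS
    addresses = []
    for _ in range(an):
        if (response[pos] & 0xC0) == 0xC0:       # compressed owner name: 2-byte pointer
            pos += 2
        else:                                    # uncompressed owner name
            while response[pos] != 0:
                pos += 1 + response[pos]
            pos += 1
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addresses.append(".".join(str(b) for b in response[pos:pos + 4]))
        pos += rdlen
    return addresses

QUERY = build_query("example.com")               # constructed example name
# Constructed response body: same ID, flags QR|RD|RA, one A record (TTL 300)
# whose owner name is a pointer (0xC00C) back to the question name.
RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + QUERY[12:]
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Note that the ID/QR check only guards against a mangled or mismatched reply; it is the TLS connection to the resolver, not anything in the DNS message, that stops an on-path party from substituting answers.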

I look forward to seeing either of these two approaches implemented in all browsers. Of course, most Internet access providers do not like having their DNS servers circumvented, and they will likely try to get themselves presented as the default choice in your browser.
If that happens, your provider will still be able to log, filter and “spoof” your DNS look-ups.

I am going to stay tuned on this one and follow developments closely.