The DNS protocol has come under scrutiny in the last few years because it remains one of the last bastions of unencrypted data transmission over the network. There have been multiple proposals to enhance security over DNS protocols such as
- DNS over TLS
There is considerable dissension in the community over what standards must be employed. While the various camps may disagree strongly with each other, their end goal is the same: DNS encryption.
Click here to directly jump to the section: How to enable DNS Over HTTPS (DoH) in Google Chrome.
Otherwise, read along to understand..
Let's rewind a little and talk about why this issue matters. As technology pervades more of our lives, our personal data is the "new oil".
All firms, ranging from advertising networks to marketing agencies, credit rating companies, etc. are interested in discovering all kinds of consumer behavior patterns. A constant tussle between privacy concerns and legitimate business concerns has ensued in the industry.
The early web was built completely on text-based protocols. As an observer, I could read all the data being transmitted over the wire in plain text. While this feature was great for debugging, it had its own set of issues.
As the web grew, the ability to read data on the wire attracted malicious actors. They leveraged this feature for hacking while legitimate businesses used it to track users without consent. This led to the introduction of HTTPs. Now, all the data being transmitted on the wire was encrypted and it was no longer easy to parse and interpret it.
Unfortunately, the DNS queries being made to resolve the URL to an IP were still being broadcasted in plain text. ISPs, router firmwares, firewalls etc could still make really good guesses on what the user was attempting to do just by looking at the URL.
As a user, if I opened facebook.com, I was most likely procrastinating. On the other hand, if I opened stackoverflow.com, I was most likely stuck on an issue. These behavioral interpretations based on our browsing patterns make DNS encryption important in our lives.
Once we start encrypting our DNS queries, middlewares can no longer interpret this data. Does it mean we are finally safe on the web? Absolutely NOT! You're never safe on the web!
If you'd like to understand the issue more deeply, please read Mozilla's fantastic post.
While it's super simple to do this in Firefox (read here for instructions), Chrome hasn't made it easy yet. This is how you can enable DoH on Chrome on MacOSX.
Assuming you've installed Google Chrome via the DMG, you should be able to see your Chrome application installed in
Create a new file in
cd /Applications/Google Chrome.app/Contents/ # Create new shell script to open Google Chrome with startup variables touch parameterized-chrome.sh vi parameterized-chrome.sh
Add the following in the shell script
#!/usr/bin/env bash exec /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \ --enable-features="dns-over-https<DoHTrial" \ --force-fieldtrials="DoHTrial/Group1" \ --force-fieldtrial-params= \ "DoHTrial.Group1:server/https%3A%2F%2F18.104.22.168%2Fdns-query/method/POST"
These variables when provided to Chrome on startup enable the DNS Over HTTPS feature and connect to Cloudflare as a DNS resolver. Firefox also connects to Cloudflare as their default DNS resolver for this feature.
Info.plistfile. This is important in case you screw up and need to revert to the original configuration.
Info.plistfile. Find the section in the XML with the key: CFBundleExecutable. Edit the value from
#### Before making changes #### <key>CFBundleExecutable</key> <string>Google Chrome</string> #### After making changes #### <key>CFBundleExecutable</key> <string>parameterized-chrome.sh</string>
Save and exit the file.
You need to reload the launch services in order for these changes to take effect. You can do this by running the following command.
/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister \ -f /Applications/Google\ Chrome.app
Restart the chrome browser. And you are done!
To test if the settings have taken effect, visit the page: https://22.214.171.124/help. Ideally, you should
see the page claiming DNS Over HTTPS is enabled. A sample screenshot is attached below:
Enjoy your newfound security!