DNS over HTTPS (DoH) support in Google Chrome and other Chromium-based web browsers is still categorized as an experimental feature, so there is no easily accessible setting in the GUI (graphical user interface) yet to enable or disable it.
However, if you still want Chrome to resolve DNS lookup queries securely through DoH, you can enable the DNS over HTTPS feature in Chrome manually. The flag, and this tutorial, should apply to all Chromium-based web browsers such as Google Chrome, Microsoft Edge Chromium, Brave, Opera (which has controls in Settings too), Vivaldi, Amazon Silk and more, as the development of DNS over HTTPS takes place in Chromium.
How to Enable DNS over HTTPS in Chrome, Edge and other Chromium-based Browsers
In Chrome’s address bar, enter chrome://flags/#dns-over-https and set Secure DNS Lookups to Enabled.
Hit the Relaunch button to restart the web browser for the change to take effect.
Once enabled, Chrome automatically upgrades to DoH and encrypts all DNS lookups with its own DNS implementation, bypassing the Windows DNS resolver, provided the DNS servers used by the operating system support DNS over HTTPS (if you already use Windows 10's DNS over HTTPS support, you do not need to enable it separately in the browser). As such, you need to configure the operating system to use the IP addresses of DNS servers that support DNS over HTTPS. In Windows, follow these steps to configure DNS servers in the Control Panel:
- Open Control Panel.
- Go to Network and Internet -> Network and Sharing Center -> Change adapter settings.
- Right click on the connection you want to add a DNS server to and select Properties.
- Select Internet Protocol Version 4 (TCP/IPv4) and/or Internet Protocol Version 6 (TCP/IPv6) and click Properties.
- Select the Use the following DNS server addresses radio button, and add the DNS server addresses into the fields below.
- Click OK or Apply to close all the dialog windows.
- Restart the computer.
Chromium does not officially specify which DNS servers its built-in DNS implementation recognizes as supporting DoH, but the list should include popular recursive resolvers such as Cloudflare, Google, OpenDNS, Quad9, Cleanbrowsing, Comcast, DNS.SB and more. Another limitation is that Chrome looks specifically at the DNS servers' IP addresses configured on the device it is running on. So you can't use the IP address of a local DNS forwarder or server, such as a router, otherwise Chrome will not upgrade to using DoH.
Note that if any of the following conditions applies to Google Chrome, Edge or another Chromium-based browser, the setting will be locked down (“Secure DNS lookups” is removed from chrome://flags) and DoH-related command-line options (if any) will be ignored:
- Operating system parental controls are detected.
- A managed environment is detected (no DoH enterprise policies set) -> locked in “off”.
- A managed environment is detected (with DoH enterprise policies set) -> locked with a state reflecting the enterprise policies.
Instead of auto-upgrading to DNS over HTTPS based on the IP addresses set in the OS, advanced users can also enable DNS over HTTPS via command-line flags when launching Chrome. The command-line flags also allow advanced users to configure Chrome to use specific HTTPS endpoints directly with two parameters: Fallback and Templates.
To start Chrome with DNS over HTTPS support from the command line or a shortcut, append the following parameters to Chrome.exe (for Chrome), msedge.exe (for Edge), and so on:
--enable-features="DnsOverHttps<DoHTrial" --force-fieldtrials="DoHTrial/Group1" --force-fieldtrial-params="DoHTrial.Group1:Fallback/true/Templates/https%3A%2F%2Fcloudflare-dns.com%2Fdns-query"
The example above uses Cloudflare’s DNS template. If you prefer another DoH-supported DNS service, change the URL accordingly. You must escape the URL (replace : with %3A and / with %2F).
The Fallback param allows the default SecureDnsMode used by the HostResolverManager to be set to AUTOMATIC (true) or SECURE (false). The Templates param allows multiple DoH templates separated by spaces to be used in either AUTOMATIC or SECURE mode. Invalid templates are dropped, and among valid templates, the configured HTTP method is GET if the template contains a “dns” variable, and is POST otherwise.
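One way to audit a shortcut or process command line for these flags, as an added example (not code from the original article or from Chromium): it decodes the Fallback and Templates parameters described above and reports the resulting mode and the HTTP method per endpoint. The function names, the doh.example endpoint and the "https URL with a host" validity check are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Value of --force-fieldtrial-params, with or without surrounding quotes.
PARAMS = re.compile(r"--force-fieldtrial-params=[\"']?([^\"'\s]+)")
# A URI-template expression that names a "dns" variable, e.g. {?dns}.
DNS_VAR = re.compile(r"\{[^{}]*\bdns\b[^{}]*\}")
MODES = {"true": "AUTOMATIC", "false": "SECURE"}  # Fallback -> SecureDnsMode


def classify_template(template):
    """Return 'GET' or 'POST' for a usable template, None for one to drop."""
    parts = urlsplit(template)
    # Assumption: "valid" is approximated as an https URL with a host.
    if parts.scheme != "https" or not parts.hostname:
        return None
    return "GET" if DNS_VAR.search(template) else "POST"


def audit_launch(cmdline, trial="DoHTrial.Group1"):
    """Decode the DoH mode and endpoints forced by a browser command line."""
    match = PARAMS.search(cmdline)
    if not match:
        return None
    # Assumption: several trials may be listed, separated by commas.
    for group in match.group(1).split(","):
        name, _, body = group.partition(":")
        if name != trial:
            continue
        fields = body.split("/")  # key/value/key/value, values percent-escaped
        params = {k: unquote(v) for k, v in zip(fields[0::2], fields[1::2])}
        found = {t: classify_template(t) for t in params.get("Templates", "").split()}
        endpoints = {t: m for t, m in found.items() if m}  # invalid ones dropped
        return {"mode": MODES.get(params.get("Fallback")), "endpoints": endpoints}
    return None


# Constructed sample inputs: the article's flags, and a SECURE-mode variant.
FROM_ARTICLE = ('chrome.exe --enable-features="DnsOverHttps<DoHTrial" '
                '--force-fieldtrials="DoHTrial/Group1" --force-fieldtrial-params='
                '"DoHTrial.Group1:Fallback/true/Templates/'
                'https%3A%2F%2Fcloudflare-dns.com%2Fdns-query"')
SECURE_GET = ('msedge.exe --force-fieldtrial-params="DoHTrial.Group1:Fallback/'
              'false/Templates/https%3A%2F%2Fdoh.example%2Fdns-query%7B%3Fdns%7D"')

if __name__ == "__main__":
    print(audit_launch(FROM_ARTICLE), audit_launch(SECURE_GET), sep="\n")
```

Note that the article's Cloudflare template has no “dns” variable, so by the rule above it is queried with POST.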
Once the DNS over HTTPS settings UI is ready in Chrome, turning DoH on or off will be easier. In fact, the Opera browser, which is also based on Chromium, already has a built-in UI that allows users to enable or disable the browser’s DNS over HTTPS support.
To access the DoH settings in Opera, type opera://settings in the address bar, expand Advanced, go to Browser and locate the System section. Toggle Use DNS-over-HTTPS instead of the system’s DNS settings to On to enable DoH or Off to disable DoH. You can also select or specify a custom DNS-over-HTTPS provider.