Google Chrome developers have announced plans to roll out DNS-over-HTTPS (DoH) support to the Chrome web browser for Linux.
DoH has been supported on Google Chrome for other platforms, including Windows, Mac, ChromeOS, and Android, since at least 2020.
While the exact version of Chrome for Linux that would come out with DoH support is yet to be announced, the Chromium project expects either M91 or M92 to contain the feature.
Google to roll out DoH support on Chrome for Linux
Yesterday, the open-source Chromium project, which powers the Google Chrome web browser, announced plans to release a Chrome for Linux version with DNS-over-HTTPS support.
Since 2020, Google Chrome has supported DoH on Windows, Mac, ChromeOS, and Android under a Chrome feature called “Secure DNS.”
DoH wraps ordinary DNS queries and responses in HTTPS (RFC 8484): both directions travel inside TLS on TCP port 443, so the lookups blend right in with regular traffic to HTTPS websites.
This gives the user confidentiality and integrity on the path between the browser and the chosen DoH resolver: a network administrator, ISP, or other on-path observer can no longer easily read or tamper with the DNS traffic. The protection is not end-to-end, however; the DoH resolver itself still sees every query.
“Chrome has never supported DoH on Linux because that would require Chrome’s built-in DNS client, which itself is currently disabled on Linux,” reads the design document for this upcoming feature.
Chrome has always delegated host resolution on Linux to the operating system’s DNS resolver, except with non-standard policy settings.
Furthermore, the browser’s built-in DNS client had been left disabled on Linux for years because Chrome did not honor advanced Linux DNS configuration expressed in the Name Service Switch file (/etc/nsswitch.conf), explains Chromium developer Eric Orth in the document.
“The reason it is not yet supported is because of Linux’s variability and advanced configurability.”
“Chrome would need more advanced parsing of Linux configurations to avoid overriding or otherwise interfering with such advanced configurations,” Orth had stated last year.
So, what’s the catch?
This is where it gets interesting and goes back to the previous point.
To make Chrome’s built-in DNS resolver work smoothly on Linux, Chrome needs to read and parse the Linux DNS configuration so that it can keep DoH off, and keep delegating to the system resolver, on configurations it does not support.
Specifically, Chrome must be able to recognize the host resolution settings specified in nsswitch.conf.
“As Chrome’s resolver does not support changing such mechanisms or their order, Chrome’s support for respecting nsswitch.conf will be limited to detection of whether or not the configuration is a common configuration compatible with Chrome behavior,” explains the design document.
Should this not be the case, Chrome will not switch to DoH or use the built-in DNS resolver unless the user explicitly selects a DoH server in Chrome’s settings.
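The kind of “is this a common configuration?” detection described above, as an added example that is not Chromium’s code: it reads the hosts: line of an nsswitch.conf and decides whether a resolver that only does files and DNS lookups could honor it. The compatibility rule itself (files before dns, with only link-local mDNS and myhostname tolerated as extras) and the sample configuration files are this example’s assumptions, not the rule Chrome actually implements.

```python
"""Decide whether an nsswitch.conf 'hosts:' line is a 'common configuration'
that a built-in resolver doing only files + DNS lookups could honour.

Added example, not Chromium's detection code. The rule below (which services
are tolerated, and where) and the sample files are this example's assumptions.
"""
from __future__ import annotations
import re

# Constructed sample files standing in for /etc/nsswitch.conf on various systems.
SAMPLES = {
    "debian_default":   "hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname\n",
    "plain":            "# comment\nhosts:\tfiles dns\n",
    "systemd_resolved": "hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns\n",
    "ldap":             "hosts: files ldap dns\n",
    "dns_action":       "hosts: files dns [!UNAVAIL=return] ldap\n",
    "no_dns":           "hosts: files\n",
    "missing":          "passwd: files\n",
}

# Assumed rule: 'files' then 'dns' must both appear, in that order; the only
# other services permitted are ones a files+DNS client can skip without changing
# results for ordinary Internet names (link-local mDNS and the local hostname).
IGNORABLE = {"mdns4_minimal", "mdns6_minimal", "mdns_minimal", "myhostname"}
ACTION_RE = re.compile(r"^\[(!?)(SUCCESS|NOTFOUND|UNAVAIL|TRYAGAIN)=(return|continue|merge)\]$", re.I)

def hosts_services(conf: str) -> list[str] | None:
    """Return the tokens of the 'hosts:' database line, or None if absent."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        m = re.match(r"^hosts:\s*(.*)$", line)
        if m:
            return m.group(1).split()
    return None

def is_common_configuration(conf: str) -> tuple[bool, str]:
    """Return (compatible, reason). Only configurations we can model count as compatible."""
    tokens = hosts_services(conf)
    if tokens is None:
        return False, "no hosts: line found; cannot confirm compatibility"
    services: list[str] = []
    for tok in tokens:
        if ACTION_RE.match(tok):
            # An action attached to 'files' or 'dns' changes lookup semantics
            # we do not model; attached to an ignorable service it is harmless.
            if services and services[-1] in ("files", "dns"):
                return False, f"action {tok} modifies {services[-1]}"
            continue
        services.append(tok.lower())
    core = [s for s in services if s in ("files", "dns")]
    if core != ["files", "dns"]:
        return False, f"expected files then dns, saw {core or 'neither'}"
    unknown = [s for s in services if s not in ("files", "dns") and s not in IGNORABLE]
    if unknown:
        return False, f"unsupported service(s): {', '.join(unknown)}"
    return True, "files then dns, extras ignorable"

if __name__ == "__main__":
    for label, conf in SAMPLES.items():
        print(f"{label:18} {is_common_configuration(conf)}")
```

The check is deliberately conservative: anything it cannot account for (an unknown NSS module such as ldap or resolve, a missing dns source, an action specifier attached to files or dns, or no hosts: line at all) is reported as incompatible, which in the design described above means Chrome would keep using the system resolver rather than risk overriding the administrator’s configuration.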
Moreover, although DoH adds security and privacy for the user, every DoH implementation carries some caveats, regardless of platform.
Encrypting the transport does not make DoH service providers immune to abuse by adversaries; the same encryption that shields users’ lookups from on-path observers also hides malicious lookups from network monitoring.
As previously reported by BleepingComputer, attackers have very much abused Google’s own DNS-over-HTTPS service to facilitate their malware’s command-and-control (C2) activities.
Additionally, because DoH stacks several layers (it is really DNS over HTTP over TLS over TCP), each lookup costs more than a single UDP datagram exchange, so a little extra latency that can affect page load times is expected.
Thankfully, Chrome developers have accounted for this:
“If a resulting DoH server performs poorly compared to the previous Classic DNS server, page load performance could be negatively affected.”
“But the default mode is to only upgrade to same-provider DoH servers which are expected to have similar performance,” explains Orth.
In DoH rollouts on non-Linux platforms made by Google so far, DoH was found to be only slightly slower than classic DNS and caused “insignificant” impact to overall Chrome performance.
The Chromium project is yet to announce what version of Google Chrome for Linux will have DoH support.
But Google developers expect the feature to land in either M91 or M92 of Chrome for Linux.
Source: https://www.bleepingcomputer.com/news/security/google-chrome-for-linux-is-getting-dns-over-https-but-theres-a-catch/