The top browser makers have decided to move to encrypted DNS. In March this year, Chrome began supporting DNS-over-HTTPS, and Firefox began to enable DNS-over-HTTPS by default for US users.

That’s great and all, but I’m missing something. Why are browser makers deciding this?

OS support

Why are browsers implementing DNS changes, and not the operating system?

Microsoft already supports DNS-over-HTTPS in Windows 10, and Apple recently announced that the next macOS version (Big Sur) and iOS 14 will support encrypted DNS directly in the operating system.

So if the operating system already supports DNS-over-HTTPS, why are browsers implementing the change as well?

Ignored settings

The biggest problem when encrypted DNS is implemented browser-side is that the browser ignores any DNS settings configured in the operating system.

So if you have a custom DNS server running on your network (for example, a Pi-hole), the browser will simply bypass that server and send queries directly to the encrypted DNS provider of its choosing.

Corporate admins are already having a complete nightmare with this change, since browsers will just ignore the DNS settings pushed out by the DHCP server. So if that DNS server serves internal-only names (such as employee-portal.ecorp.com), you would not be able to reach them from a browser with encrypted DNS enabled.
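As an added example (not code from the original post), here is a small Python check for the split described above: it resolves a list of names through the OS stub resolver and, separately, through an RFC 8484 DNS-over-HTTPS endpoint, and reports the names that only the OS path can resolve, which are exactly the ones that break in a browser doing its own DoH. It goes slightly beyond the post by building and parsing the DNS wire format itself; `DOH_URL` and the sample names are assumptions, and the resolver lookups can be swapped for constructed tables when testing offline.

```python
import base64, socket, struct, urllib.request

DOH_URL = "https://doh.example.invalid/dns-query"  # assumption: your RFC 8484 resolver endpoint

def build_query(name, qid=0):
    """Minimal DNS wire-format A query (RFC 1035); ID 0 as RFC 8484 suggests, so HTTP caches can reuse it."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, pos):  # advance past a label sequence or a 2-byte compression pointer
    while msg[pos]:
        if msg[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += msg[pos] + 1
    return pos + 1

def parse_a_records(msg):
    """A records in a wire-format response; [] for NXDOMAIN or an empty answer section."""
    flags, qd, an = struct.unpack("!HHH", msg[2:8])
    if flags & 0x000F:  # non-zero RCODE (3 = NXDOMAIN)
        return []
    pos = 12
    for _ in range(qd):  # skip the echoed question: NAME, QTYPE, QCLASS
        pos = _skip_name(msg, pos) + 4
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])  # TYPE, CLASS, TTL, RDLENGTH
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return addrs

def doh_resolve(name, url=DOH_URL):  # RFC 8484 GET: the wire query travels in ?dns= as unpadded base64url
    q = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    req = urllib.request.Request(url + "?dns=" + q, headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())

def os_resolve(name):  # the OS stub resolver, which honours DHCP- or Pi-hole-supplied settings
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def find_broken_names(names, os_lookup=os_resolve, doh_lookup=doh_resolve):
    """Names the OS resolves but the DoH endpoint does not: these break in a DoH-enabled browser."""
    return [n for n in names if os_lookup(n) and not doh_lookup(n)]
```

Run `find_broken_names(["employee-portal.ecorp.com"])` on a machine that gets its DNS from the corporate DHCP server to see the internal names a DoH browser will fail on.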

Questionable privacy

The entire reason we’re implementing encrypted DNS is so that ISPs and other entities can’t spy on what we are doing.

But now, the encrypted DNS provider that the browser’s development team has chosen will get all of your DNS requests.

So you now have to trust that this DNS provider won’t do anything nefarious with your data, instead of trusting your ISP. This would be mitigated if you could choose which provider you trust with your DNS queries, but good luck digging through seven different menus to find where the encrypted DNS settings are.

Caching

When my VPN disconnects, sometimes the DNS cache table gets messed up. As a result, some websites stop working.

To fix this, I need to flush the cache. On Windows and macOS, there are commands that you can use to flush the DNS cache, and they’re relatively simple (ipconfig /flushdns, anyone?). But in Chrome and Firefox, you need to remember complex about:config strings in order to flush your DNS. Why?!

Why not just let the OS handle it? This leads back to the OS-support section above.

Again, I’m not an expert on this topic, but with the severe annoyances I’ve run into with encrypted DNS on the browser side, I just wanted to figure out if there is some kind of reason for this. Why are browsers implementing encrypted DNS when the same is available in the operating system? If you know the reason why, please let me know.