[DoH] How to turn off with Group Policy


miked...@gmail.com

Feb 28, 2020, 3:37:11 PM
to net-dev
We use DNS filtering (Cisco Umbrella) on our company network, and DoH is going to cause this to break (and thus open up the flood gates on insecure sites, malware etc.). I see there is a flag in Chrome, but is there a group policy in the ADMX files (or will there be one) to force DoH off on company/enterprise networks?

Eric Orth

Feb 28, 2020, 5:12:45 PM
to miked...@gmail.com, net-dev
If your network users are using your filtering DNS server, Chrome should continue using that server, and DoH should not break the filtering.  Chrome would only upgrade DNS to DoH if it could do so to that same filtering DNS provider.

If you are intercepting or blocking DNS requests to filter requests sent or attempted to be sent to any other DNS server, then you may need to ensure DoH is disabled for the filtering to keep working.  In the current experimental state of Chrome DoH support, DoH is automatically disabled if any group policies are set in the ADMX files.  We are working on adding group policies to specifically control DoH, and the current plan is for those settings to also default to disabling DoH if there are any group policies configured.  So I suspect you are likely already done with what you need to do to disable Chrome DoH.

And it is always good to keep in mind that malware often will not use Chrome or respect Chrome's configuration in resolving DNS.  Chrome can only control DNS requests made by Chrome.


deepak kashyap

Sep 23, 2020, 11:20:59 AM
to net-dev, eric...@chromium.org, net-dev, miked...@gmail.com
@ miked...@gmail.com

Could you also let me know how you managed to disable DoH in your enterprise?

I am also in a similar situation and have tried the policy below, but it is not working; DoH remains enabled in Chrome.

Appreciate your help in this.