[Headless] DNS over TLS not working in --headless=new mode

[Zhang, Yajie (Kathy)]

Hi, ALL:

We are deploying Chrome in headless mode on Linux servers for automated web access.

We require encrypted DNS (DoH/DoT) for security compliance. Testing reveals:

- ✅ DNS over HTTPS (DoH): Works via enterprise policies in headless mode

- ❌ DNS over TLS (DoT): Fails with all configuration methods in headless mode

My Case:

We run automated systems on Linux that need to:

1. Launch Chrome in --headless=new mode programmatically

2. Enforce encrypted DNS for all connections (security requirement)

3. Run in containerized environments 

Detailed Testing Results:

1. SUCCESS - DNS over HTTPS in headless:

   ```bash

   # Policy file: /etc/opt/chrome/policies/managed/dns.json

   {

     "DnsOverHttpsMode": "secure",

     "DnsOverHttpsTemplates": "https://dns.google/dns-query",

     "BuiltInDnsClientEnabled": true

   }

   

   # Launch command

   google-chrome --headless=new --no-sandbox --dump-dom https://example.com

   

   # Result: DoH works, network logs confirm secure DNS

2 FAILURE - DNS over TLS in headless:

 A. Enterprise policies (same directory as DoH)
{
  "DnsOverTlsMode": "secure",
  "DnsOverTlsServers": "dns.google",
  "BuiltInDnsClientEnabled": true
}

# B. Command-line arguments (tried all variations)
google-chrome --headless=new \
  --dns-over-tls-servers="dns.google" \
  --dns-over-tls-mode="secure"

google-chrome --headless=new \
  --enable-features="dns-over-tls" \
  --dns-over-tls-servers="dns.google"

google-chrome --headless=new \
  --secure-dns-mode=secure \
  --secure-dns-servers='dns.google'

# C. Feature flags with field trials
google-chrome --headless=new \
  --enable-features="dns-over-tls<Dot" \
  --force-fieldtrials="Dot/Enabled" \
  --force-fieldtrial-params="Dot.Enabled:mode/secure"

Technical Observations:
Policy System Behavior:
Same policy directory (/etc/opt/chrome/policies/managed/)
DoH policies are read and applied
DoT policies are read but ignored
chrome://policy shows both policies loaded
Network Stack Behavior:
From chrome net-log (--log-net-log)
{
  "dns_over_tls_active": false,      // Should be true
  "can_use_secure_dns_transactions": false,  // Should be true
  "secure_dns_mode": 0,              // 0=Off, 2=Secure expected
  "dns_over_tls_hostname": ""        // Empty, should be "dns.google"
}

Specific Questions for Chrome Team:
Support Status:
Is DNS over TLS officially supported in --headless=new mode?
If not supported, is this documented anywhere?
Are there plans to add support?
Configuration:
What is the CORRECT way to enable DoT in headless mode?
Why do enterprise policies work for DoH but not DoT?
Are there hidden dependencies (certificates, libraries)?
Technical Limitations:
Does DoT require system components unavailable in headless?
Is there a compile-time flag needed?
Does this relate to the network service sandbox?
Documentation:
Where can we find official documentation for headless DNS?
Are there example configurations for production use?
What are the security implications of this limitation?
Waiting for your response.

[Matt Menke]

Chrome does not, and never has, supported DNS over TLS at all - in headless, in non-headless, etc. "DnsOverTlsMode" is not a setting that exists anywhere in the Chrome code base. I'm unaware of any changes to add DNS over TLS support. If the underlying platform supports DoT, and you configure Chrome to use the system resolver, then Chrome will use DoT through calling the system getaddrinfo() method, though you do lose support for HTTPS records.

--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/DM4PR10MB62306B8DDCE90F03B9792AB5F896A%40DM4PR10MB6230.namprd10.prod.outlook.com.