Chrome secure DNS easily bypass NextDNS

Looks like when user goes to Chrome, and explictly select "NextDNS" as secure DNS provider, Chrome will send DoH queries to same DNS server currently using with client name "chromium-default", but without profile name. This makes users really easy to bypass NextDNS. 

Is it possible to block such client name in networks that has profiles already attached to it? I understand some mobile network operator or certain ISP uses carrier grade NAT and may not suitable for this situation, but this is more for cases when client has public WAN IP like comcast. 


4replies Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
  • Also want to add as home user, I dont have tools like group policy or MDM that can disable chrome secure DNS options by policy :(

    Like 1
  • If someone uses DoH (with whatever provider) they can bypass any other DNS settings in the network, and it won't be easily blocked because it's just using Port 443. I'm not sure if Chrome has bootstrap IPs already built-in, otherwise you might be able to block "dns.nextdns.io" (and other DoH servers domains) in your custom settings. And you might also want to block the ports used for other DNS protocols like plaintext DNS or DoT in your network firewall.

  • Thanks for the reply. Yes, I have already blocked the plain DNS and DoT ports, but have hard time blocking DoH since it is using port 443😅 . I think Chrome has two Secure DNS settings:

    1) Automatic Secure DNS upgrade: This one can be blocked by domain "chromium.dns.nextdns.io" according to Chrome source code

    2) Explicitly selecting "NextDNS" as provider, which I "think" Chrome will query your existing DNS server, and send DoH queries to that server without profile. This however,  I tried with "OpenDNS" settings for example, "OpenDNS" will apply the network level filters no matter what, even when clients send DoH without profile name. Though I am hesitate to use "OpenDNS" due to the privacy policy. :) So wondering if NextDNS can do similar thing to apply network level filters on IP with DoH queries without profiles or able to disable "chromium-default" client name when there are profiles attached to the IP. 

    Another hard way to solve this is to setup a proxy to do inspection on traffic and block doh message type, which is not ideal and not good performance. 

  • I tried again, looks like blocking "dns.nextdns.io" solved the issue. Thanks!

Like Follow
  • 3 mths agoLast active
  • 4Replies
  • 165Views
  • 2 Following