https://www.theregister.co.uk/2019/09/10/chrome_78_dnsoverhttps/
Only days after Mozilla said it plans to make DNS-over-HTTPS (DoH) available by default gradually for Firefox users in the US, Google announced its intention to test DoH in Chrome 78, due for beta release in the next two weeks.
DoH wraps domain-name queries in a secure, encrypted HTTPS connection to a DNS server, rather than firing off requests using bog-standard plain-text insecure DNS, thereby keeping queries inaccessible to eavesdroppers. It's one of several emerging internet protocols intended to close security and privacy gaps in online communications.
Google's experiment will involve checking whether Chrome 78 users' DNS provider is among six services selected for their readiness to test DoH – Cleanbrowsing, Cloudflare, DNS.SB, Google, OpenDNS and Quad9. And if so, Chrome will switch from standard DNS to DoH using the same service provider, at least for those lucky few in the experimental group.
Google is thus avoiding one of the concerns raised by Mozilla's approach, which swaps Firefox users' chosen DNS provider for Cloudflare. By sticking with the user's existing provider, Google ensures that malware screening and parental filtering offered by that DNS provider will continue to function, where the provider supports them under DoH.
(Score: 0) by Anonymous Coward on Saturday September 14 2019, @01:22AM
Just add the stuff to your firewall. Block port 53 on both UDP and TCP from leaving your network, except from your server, and it is solved. For DoH, just block all traffic to Google's DNS servers, as they almost have to use hard-coded IP addresses to bootstrap the process. Heck, you can even check your firewall for addresses not previously resolved via your DNS server, or set it up to not allow any connection out that isn't on your whitelist or resolved greylist.
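The last check the commenter describes, correlating the firewall log against what the internal resolver actually answered, as an added example that is not part of the article or the comment; log formats, the resolver address and all other addresses are constructed for the demonstration.

```python
"""Added example (not from the article or the comment above): correlate a
resolver's answer log with a firewall connection log to flag outbound
connections to addresses the internal resolver never returned, plus plain
DNS leaving from anything other than the resolver. All data is constructed."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed resolver answer log: "<ts> <client> <qname> A <answer_ip>"
DNS_LOG = """\
1568422900 10.0.0.21 www.example.org A 93.184.216.34
1568422905 10.0.0.22 cdn.example.net A 203.0.113.10
"""
# Constructed firewall log: "<ts> <src> <dst> <proto> <dport> <action>"
FW_LOG = """\
1568422901 10.0.0.21 93.184.216.34 tcp 443 allow
1568422907 10.0.0.22 203.0.113.10 tcp 443 allow
1568422910 10.0.0.23 198.51.100.7 tcp 443 allow
1568422912 10.0.0.23 198.51.100.9 udp 53 allow
1568422915 10.0.0.5 198.51.100.9 udp 53 allow
"""
INTERNAL_RESOLVER = ip_address("10.0.0.5")   # constructed
INTERNAL_NET = ip_network("10.0.0.0/8")      # constructed

def resolved_addresses(dns_log: str) -> Set[str]:
    """Every IPv4 answer the internal resolver handed out."""
    return {line.split()[4] for line in dns_log.splitlines() if line.strip()}

def audit(dns_log: str, fw_log: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return findings keyed by category, each a list of (src, dst)."""
    seen = resolved_addresses(dns_log)
    findings: Dict[str, List[Tuple[str, str]]] = {"unresolved_dst": [], "rogue_dns": []}
    for line in fw_log.splitlines():
        if not line.strip():
            continue
        _, src, dst, _proto, dport, _action = line.split()
        if ip_address(dst) in INTERNAL_NET:
            continue                      # internal traffic is out of scope
        if dport == "53":
            # Plain DNS leaving the network from anything but the resolver
            if ip_address(src) != INTERNAL_RESOLVER:
                findings["rogue_dns"].append((src, dst))
            continue                      # the resolver's own upstream queries are expected
        if dst not in seen:
            # Destination never appeared in a resolver answer: a hard-coded
            # endpoint (e.g. a DoH bootstrap) or a resolver bypass
            findings["unresolved_dst"].append((src, dst))
    return findings

if __name__ == "__main__":
    for category, hits in audit(DNS_LOG, FW_LOG).items():
        print(category, hits)
```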