Force Chrome and Edge to use local DNS

The situation.

As also described in the articles on the home dashboard and Openhab, there is often a need for an internal DNS server on the local network that is under our control. In principle, to make hosts on the local network use that local DNS, it should suffice to set the DNS server's IP address in the DHCP server options, so that every host that obtains its network parameters via DHCP receives it.

The problem

For some time now, however, I have been seeing a peculiar phenomenon: HTTP requests from an internal host to an internal URL served by the local DNS server are not being handled inside the network. I end up in the strange situation where the operating system uses the local DNS and correctly resolves the name to a private IP address, while my browser tries to reach the host via its public IP address, effectively bouncing the request outside the local network. This breaks authentication systems that use the source IP address to decide the level of trust to grant.

My browser (Microsoft Edge and Google Chrome) is in fact ignoring the DNS server configured at the operating system level.

DoH - DNS over HTTPS

DNS over HTTPS (DoH) is a protocol that combines traditional domain name resolution via DNS with an encrypted and authenticated HTTPS connection. The main goal of the protocol is to increase user privacy and security by preventing eavesdropping on, and manipulation of, DNS data through man-in-the-middle attacks. In practice, DoH protects users' browsing information from being intercepted or tampered with by third parties.

To keep a good level of security, we can disable DoH on the clients of the local network while continuing to use it on the network's local DNS server. In this way the internal server receives all resolution requests from the network, answers those for local names itself, and forwards only the requests for names outside the local network, securely over DoH.

The solution.

Disable the use of DoH Secure DNS.

Going into the browser settings, I found the option to disable the use of secure DNS, since this option forces the browser to use one of the public DNS servers via SSL authentication. All well then; is this enough to solve the problem? No.

Disable flag

Apparently disabling that option only fixed the problem temporarily, leaving the browser's behaviour unpredictable. To solve the problem completely, you also need to disable the browser flags related to asynchronous DNS requests.

  • Navigate to edge://flags/ or chrome://flags/.
  • Disable #use-dns-https-svcb-alpn.
  • Disable #enable-async-dns (Chrome only).
  • Disable #encrypted-client-hello (Chrome only).
  • Restart the browser.
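On a managed Windows machine the same result can be pinned by policy rather than by per-user settings and flags, which users can change back. This is an added example, not part of the original post; it assumes an elevated PowerShell session and the standard Chrome/Edge policy registry locations, and uses the documented DnsOverHttpsMode and BuiltInDnsClientEnabled policies.

```powershell
# Added example (not from the post): enforce "no DoH, use the OS resolver"
# for Chrome and Edge through managed policy. Run from an elevated shell.
# Assumption: standard policy key paths for Chrome and Edge on Windows.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',   # Google Chrome
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'   # Microsoft Edge
)

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # "off" = never use DNS over HTTPS; the browser falls back to the
    # operating system resolver, which points at the DHCP-supplied local DNS.
    Set-ItemProperty -Path $key -Name 'DnsOverHttpsMode' -Value 'off' -Type String

    # 0 = disable the browser's built-in asynchronous resolver (the
    # #enable-async-dns flag above), so every lookup goes through the OS.
    Set-ItemProperty -Path $key -Name 'BuiltInDnsClientEnabled' -Value 0 -Type DWord
}

# Read the values back so the change can be verified before restarting.
foreach ($key in $policyKeys) {
    Get-ItemProperty -Path $key |
        Select-Object PSPath, DnsOverHttpsMode, BuiltInDnsClientEnabled
}
```

After a browser restart, chrome://policy or edge://policy lists both values and the Secure DNS option in settings is shown as managed by the organisation, so it can no longer be flipped back by the user.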

The other attempts

I tried everything: I configured the firewall to block outgoing DNS requests (except those from my internal DNS server) to port 54, 8053. But that didn't work either.

Installing a DoH DNS server in the local network.

This is a work in progress: I am setting up a configuration with an internal DNS server, NginxProxyManager, automatic SSL certificates and DoH (DNS over HTTPS) or DNS over TLS. If you are interested in this topic, please leave a comment!