DNS over HTTPS (DoH) is a feature recently added to several web browsers that allows DNS to bypass the system DNS stack over HTTPS. In many cases, Umbrella users may wish to disable this functionality to ensure that web browsers do not override any Umbrella settings.
Firefox and Chrome both provide DoH functionality and the ability to prevent DoH use on your network and managed computers; however, DoH implementations differ greatly between browsers.
Firefox will operate with a default-on DoH setting where DNS is sent to CloudFlare by default at 220.127.116.11. This setting does not take the system DNS setting into account.
To combat this, Umbrella will by default set the override to disable DoH (see our article here for more information); however, this override will only take effect if there are no explicitly set DoH settings. To ensure that DoH is never enabled to divert Firefox DNS away from the system settings, GPO settings are required.
To disable, set the value for "network.trr.mode" to 0. For more information, see the Firefox TRR settings in detail at https://wiki.mozilla.org/Trusted_Recursive_Resolver.
Chrome will be adding support for DoH for several providers including Umbrella. Unlike Firefox, Chrome DoH will only enable when system DNS is observed to be a participating DNS provider. Therefore, it will not enable if system DNS is a local DNS server or the roaming client, but would enable if local DNS is 18.104.22.168 and 22.214.171.124. Therefore, Chrome does not direct your DNS away from system DNS, but enhances it with DoH.
During the initial stages of the Chrome DoH experiment, Chrome will disable DoH if the device is managed, AD joined, or has an Enterprise policy applied.
See https://www.chromium.org/developers/dns-over-https for more details.