Enabling DOH and ECH Encryption in Chrome

Wed, 29 May 2024 06:46:10 +0700

TL;DR / [Geek Summary]:

Privacy Hardening: Enable DoH (DNS over HTTPS) to bypass DNS hijacking and snooping.

Deep Encryption: Force-enable ECH via chrome://flags to encrypt the SNI handshake.

Pro Tip: Pair with TUN mode proxies to prevent traffic leaks and ensure full-stack privacy.

# Materials Needed

Chrome Browser

# Steps

Enabling DOH

Open Chrome 1. In your browser settings, click “Privacy and Security” → “Security” in sequence.

Go to “Advanced” and enable “Use secure DNS”. Then select a DNS provider (if you don’t know, just choose Cloudflare).

Enable ECH

Open this address in your Chrome browser: chrome://flags/#encrypted-client-hello, and change the Encrypted ClientHello option to Enabled.

# Detection

Open this CF website: https://www.cloudflare.com/zh-cn/ssl/encrypted-sni/ , and click the “Check my browser” button.

If you see a checkmark under “Secure DNS”, it means DOH is enabled. If you see a checkmark under “Secure SNI”, it means ECH is enabled.

# Notes

If you are using a software router, this doesn’t matter and you don’t need to worry about it. If you are using other clients, you need to enable TUN. The mode allows it to take over all traffic; otherwise, the browser will not use its own DOH service but will instead hand it over to the proxy software for resolution, which in turn will be sent to the node server for DNS resolution, resulting in invalid traffic.

DOH on LEl_FENG Blog

Enabling DOH and ECH Encryption in Chrome

# Materials Needed

# Steps

# Detection

# Notes