by foodscraps 2227 days ago
I use PiHole with a DoH upstream. I want all devices on my network to use my DNS server. Mozilla's implementation is easily managed using their canary domain "use-application-dns.net" but Google doesn't have this option. I do not want any queries sent to Google. It is not feasible to manage chrome flags on every device, especially mobiles. Does anyone know if Chrome will be using their two public IPs, 8.8.8.8 and 8.8.4.4, for this new DoH service? If that is the case this will be easy to block at the network level. Thanks.
3 comments

Chrome Enterprise (which, contrary to what the name might suggest, is not a paid enterprise offering) offers management tooling for managing flags across many devices. Here's the flag for DoH: https://cloud.google.com/docs/chrome-enterprise/policies/?po...
But Chrome Enterprise means it has to connect and phone home to Google all the time anyway, no? That defeats any potential benefit of having more control over the browser.

Given this is a "free" offering, the data being mined finances this service.

If parent wants to manage Chrome configuration across N devices, Chrome Enterprise is a good tool for the job. They may or may not care if their data is on Google servers or not. They might consider these two items to be two entirely distinct and different benefits.

If parent wants to avoid having any of their data cross Google machines, you are completely correct that Chrome is the wrong tool for the job.

Have you considered just blocking outgoing on port 53 on your network? There are a few too many devices out there that have hardcoded DNS and don't respect the resolver communicated to them. (Chromecast is an easy example.)
Yes, 53 is allowed only to Pi-hole and dropped everywhere else. I just blocked 853 on each pfSense interface. I will see how it acts when I get off work.
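The egress policy the two comments above settle on (port 53 only to the Pi-hole, port 853 dropped everywhere), written out as an added example that is not from the thread, with a report of which LAN hosts are trying to bypass the local resolver. The Pi-hole address, LAN range and flow records are constructed assumptions; note that DoH on 443 cannot be told apart by port, which is exactly the question the original post asks.

```python
"""
Network-level DNS egress policy from the thread: plain DNS (53) is allowed only
to the Pi-hole, any other port-53 flow and all DNS-over-TLS (853) is dropped.
Run over flow records, it lists LAN hosts that ignore the advertised resolver
(devices with hardcoded DNS servers). Port 443 (DoH) is out of scope here.
"""
import ipaddress
from collections import defaultdict

PIHOLE = ipaddress.ip_address("192.168.1.2")   # assumed Pi-hole address
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN range


def decide(src, dst, proto, dport):
    """Return ('pass'|'block', reason) for one outbound flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in LAN:
        return ("pass", "not LAN-originated, outside this policy")
    if dport == 53:
        if dst == PIHOLE:
            return ("pass", f"{proto}/53 to Pi-hole")
        return ("block", f"{proto}/53 bypassing Pi-hole")
    if dport == 853:
        return ("block", f"{proto}/853 DNS-over-TLS")
    return ("pass", "not a DNS port")


# Constructed flow records (not from the thread): "src dst proto dport".
# The Pi-hole itself (192.168.1.2) needs 443 out for its DoH upstream.
SAMPLE_FLOWS = """\
192.168.1.20 192.168.1.2 udp 53
192.168.1.20 142.250.72.14 tcp 443
192.168.1.31 8.8.8.8 udp 53
192.168.1.31 8.8.4.4 udp 53
192.168.1.45 1.1.1.1 tcp 853
192.168.1.2 9.9.9.9 tcp 443
""".splitlines()


def bypassing_hosts(lines):
    """Map each LAN host that hit a block rule to the set of reasons seen."""
    report = defaultdict(set)
    for line in lines:
        src, dst, proto, dport = line.split()
        verdict, reason = decide(src, dst, proto, int(dport))
        if verdict == "block":
            report[src].add(reason)
    return dict(report)


if __name__ == "__main__":
    for host, reasons in sorted(bypassing_hosts(SAMPLE_FLOWS).items()):
        print(host, ", ".join(sorted(reasons)))
```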
I think they say in the article