Enable DoH when Chrome is managed
Is your browser, for whatever reason, locked out of changing the DoH settings? Here is how to change them if you have admin permissions.
I recently bought a new laptop. It comes with all the usual OEM software to manage security and updates. One of these programs scans every downloaded file and marks its origin. To do that, the software enables a per-user Group Policy (GroupPolicyUsers) and installs a browser extension.
Ok, cool, but now whenever I want to change some Chrome (or even Firefox) settings I’m greeted with a message saying the browser is managed and the setting can’t be changed.
Since I wanted to use my NextDNS account, I had to fix this.
My first try was removing the User Policy with a simple batch script found somewhere online:
```winbatch
@echo off
REM Remove the machine-level Group Policy folder, if present
IF NOT EXIST %WINDIR%\System32\GroupPolicy goto next
echo Deleting GroupPolicy folder...
RD /S /Q "%WINDIR%\System32\GroupPolicy" || goto error
echo.
:next
REM Remove the per-user Group Policy folder, if present
IF NOT EXIST %WINDIR%\System32\GroupPolicyUsers goto next2
echo Deleting GroupPolicyUsers folder...
RD /S /Q "%WINDIR%\System32\GroupPolicyUsers" || goto error
echo.
:next2
REM Re-apply policy so the removal takes effect
gpupdate /force
pause
exit
:error
echo.
echo An unexpected error has occurred. Have you opened the program as an administrator (right click, run as administrator)?
echo.
pause
exit
```
Look at all those delete-folder commands so close to System32; that absolutely doesn’t make me nervous.
But this got reset at every boot. A more robust solution was needed.
Removing the OEM security software? I was afraid of breaking some weird integration with the fingerprint reader and boot security software. 😅
Now the final solution: if you can’t remove the User Policy, use it.
Looking through the various admin policies on the Google Chrome website, it’s possible to find the ones useful for us: DnsOverHttpsMode and DnsOverHttpsTemplates.
Just set DnsOverHttpsMode to secure or automatic, depending on whether you want an insecure fallback: with secure Chrome only resolves over DoH, with automatic it falls back to plain DNS when the DoH resolver fails.
Then in DnsOverHttpsTemplates you need to fill in your DoH provider.
The Chrome policy is a bit confusing, but you just need to take the https URL and add /dns-query{?dns} after it (the Chrome policy documentation has a better explanation).
So if NextDNS provides you with https://dns.nextdns.io/123abc, the URL to fill in is https://dns.nextdns.io/123abc/dns-query{?dns}.
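To make the template form less confusing, here is an added example (not code from the original post) that turns a provider’s https URL into the DnsOverHttpsTemplates value and then expands the {?dns} variable the way a DoH client does for a GET request (RFC 8484: the wire-format DNS query, base64url-encoded without padding). The NextDNS path 123abc and the query name example.com are assumed sample values.

```python
import base64
import struct
from urllib.parse import urlsplit

TEMPLATE_SUFFIX = "/dns-query{?dns}"


def doh_template(provider_url: str) -> str:
    """Turn a provider's DoH URL into the value Chrome expects in
    DnsOverHttpsTemplates: an RFC 6570 URI template whose {?dns}
    variable tells the client to send GET requests with a dns= query."""
    parts = urlsplit(provider_url)
    if parts.scheme != "https" or not parts.netloc:
        # Chrome only accepts https templates; anything else is rejected here too.
        raise ValueError(f"DoH template must be an https URL: {provider_url!r}")
    if "{?dns}" in provider_url:
        return provider_url  # already in template form (e.g. copied from the table)
    path = parts.path.rstrip("/")
    if path.endswith("/dns-query"):
        path = path[: -len("/dns-query")]  # avoid doubling the endpoint
    return f"https://{parts.netloc}{path}{TEMPLATE_SUFFIX}"


def dns_query(qname: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 wire-format query: ID 0 (as RFC 8484 suggests, so
    GET URLs are cache friendly), RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def expand_get_url(template: str, qname: str) -> str:
    """Expand {?dns} into ?dns=<base64url query without padding>, which is the
    URL a DoH client built from this template actually requests."""
    encoded = base64.urlsafe_b64encode(dns_query(qname)).rstrip(b"=").decode("ascii")
    return template.replace("{?dns}", f"?dns={encoded}")


if __name__ == "__main__":
    template = doh_template("https://dns.nextdns.io/123abc")  # constructed sample
    print(template)
    print(expand_get_url(template, "example.com"))
```

Once the policy values are in place, chrome://policy lists DnsOverHttpsMode and DnsOverHttpsTemplates with the values Chrome actually applied, which is the quickest way to confirm the registry edit was picked up.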
Here is a list of various DoH providers with everything already filled in:
| Provider | Standard | Family Protection |
|---|---|---|
| AdGuard | https://dns.adguard.com/dns-query{?dns} | https://dns-family.adguard.com/dns-query{?dns} |
| Cloudflare | https://cloudflare-dns.com/dns-query{?dns} | https://family.cloudflare-dns.com/dns-query{?dns} |
| Google | https://dns.google/dns-query{?dns} | NA |
| OpenDNS | https://doh.opendns.com/dns-query{?dns} | https://doh.familyshield.opendns.com/dns-query{?dns} |
| Quad9 | https://dns.quad9.net/dns-query{?dns} | NA |
But how do you enable it? You can edit the values manually through regedit, or you can copy this code into a new file and save it with a .reg extension. You can directly insert your DoH provider of choice in place of the default Google one.
```registry
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"DnsOverHttpsTemplates"="https://dns.google/dns-query{?dns}"
"DnsOverHttpsMode"="automatic"
```