If you’re trying to use encrypted DNS on macOS via a .mobileconfig configuration profile, you might have noticed that Chromium-based browsers (e.g., Chrome and MS Edge) don’t respect the settings defined by your profile.
This applies to all encrypted DNS providers and all mobile configuration files, including Cloudflare, Cisco OpenDNS, NextDNS and the list goes on.
In our testing we noticed that, regardless of the changes we made locally, the Chromium-based browsers always defaulted to the plain-text DNS set at the router or locally on the device (i.e., IPv4 or IPv6).
This happens because Chromium-based browsers have a “built-in resolver”. No, you will not see it in chrome://flags/ or chrome://net-internals/#dns.
Instead, you will need to disable it from the command line.
How To Disable Built-In DNS Resolver on Chromium based Browsers on MacOS
If you’re on macOS and want to disable the built-in DNS resolver, do this from the Terminal by running the following commands:
# For Chromium
defaults write org.chromium.Chromium BuiltInDnsClientEnabled -bool false
# For Google Chrome
defaults write com.google.Chrome BuiltInDnsClientEnabled -bool false
# For Microsoft Edge
defaults write com.microsoft.Edge BuiltInDnsClientEnabled -bool false
This does require a reboot to take effect. We tried closing all browsers and clearing caches, but it only worked after a full reboot.
How To Disable Built-In DNS Resolver on Chromium based Browsers on Windows
Windows is a bit more involved, but it is done through a registry key. See full instructions here.
Windows Registry Settings
- Path (Mandatory): SOFTWARE\Policies\Microsoft\Edge
- Path (Recommended): N/A
- Value Name: CECPQ2Enabled
- Value Type: REG_DWORD
Example value:
0x00000001
See the instructions link for information on how to deploy this via Group Policy (ADMX).
Alternative Solution is to Leverage Secure DNS
Alternatively, you can enable the Secure DNS option in the browsers themselves. This adds an extra layer of configuration that shouldn’t be required, but it is an option.