Harden Google Chrome — Disable Secure DNS & Enforce Policies

Prevent Google Chrome from bypassing CleanBrowsing DNS by disabling Secure DNS, deploying enterprise policy templates, and restricting extensions.

Step 1: Why You Need to Harden Google Chrome

Google Chrome includes a built-in Secure DNS feature (DNS-over-HTTPS) that can bypass your network's DNS settings. When enabled, Chrome encrypts DNS queries and sends them directly to a provider like Google or Cloudflare, bypassing CleanBrowsing entirely.

Chrome also allows users to install extensions that can act as VPNs or proxies, providing another way to circumvent DNS-based content filtering. Hardening Chrome ensures your filtering remains effective.

Step 2: Download Chrome Enterprise Policy Templates

Google provides ADMX/ADML administrative templates for managing Chrome via Group Policy.

  1. Visit the Chrome Enterprise download page
  2. Download the Chrome ADM/ADMX Templates (look for "Policy Templates" in the bundle)
  3. Extract the downloaded archive to access the policy template files

Step 3: Install ADMX Templates

Deploy the policy files to your Windows system:

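:: Copy the ADMX files to PolicyDefinitions
:: (chrome.admx depends on google.admx from the same bundle)
copy google.admx C:\Windows\PolicyDefinitions\
copy chrome.admx C:\Windows\PolicyDefinitions\

:: Copy the matching ADML language files
copy google.adml C:\Windows\PolicyDefinitions\en-US\
copy chrome.adml C:\Windows\PolicyDefinitions\en-US\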

Alternatively, you can use the legacy ADM format:

  1. Open the Group Policy Editor: press Win + R, type gpedit.msc, press Enter
  2. Navigate to Computer Configuration → Administrative Templates
  3. Right-click Administrative Templates → Add/Remove Templates
  4. Browse to and select the chrome.adm file

After installation, a Google Chrome section should appear under Administrative Templates.

Step 4: Disable DNS-over-HTTPS (DoH)

In the Group Policy Editor:

  1. Navigate to Computer Configuration → Administrative Templates → Google Chrome
  2. Find "Controls the mode of DNS-over-HTTPS"
  3. Set it to Enabled and select "Disable DNS-over-HTTPS"

Alternative: Force CleanBrowsing DoH

Instead of disabling DoH, you can force Chrome to use CleanBrowsing's DoH endpoint for encrypted, filtered DNS:

  1. Set "Controls the mode of DNS-over-HTTPS" to Enabled with "Enable DNS-over-HTTPS without insecure fallback"
  2. Set "Specify URI template of desired DNS-over-HTTPS resolver" to:
    https://doh.cleanbrowsing.org/doh/family-filter

Available CleanBrowsing DoH endpoints:

  • Family Filter: https://doh.cleanbrowsing.org/doh/family-filter
  • Adult Filter: https://doh.cleanbrowsing.org/doh/adult-filter
  • Security Filter: https://doh.cleanbrowsing.org/doh/security-filter

Step 5: Disable the Built-in DNS Client

Chrome has its own DNS resolver that can bypass system DNS settings:

  1. In the Group Policy Editor, navigate to Google Chrome policies
  2. Find "Use built-in DNS client"
  3. Set it to Disabled

This ensures Chrome uses the operating system's DNS resolver, which is configured to use CleanBrowsing.

Step 6: Enforce SafeSearch & Content Restrictions

While CleanBrowsing enforces SafeSearch at the DNS level, adding browser-level enforcement provides defense in depth:

  • "Force Google SafeSearch" → Set to Enabled
  • "Force minimum YouTube Restricted Mode" → Set to Enabled, choose Strict or Moderate
  • "Control SafeSites adult content filtering" → Set to Enabled

These policies lock SafeSearch and YouTube restrictions at the browser level, complementing the DNS-level enforcement from CleanBrowsing.

Step 7: Restrict Extensions

Block extensions that could bypass DNS filtering:

  1. Navigate to Google Chrome → Extensions in Group Policy
  2. Enable "Configure extension installation blocklist" and enter * to block all extensions
  3. Enable "Configure extension installation allow list" and add the IDs of any extensions you want to permit

This "deny all, allow specific" approach ensures only approved extensions can be installed.

Step 8: Registry Method (Alternative)

If Group Policy is not available, apply settings directly via the Windows Registry. Save the following as a .reg file and import it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"DnsOverHttpsMode"="off"
"BuiltInDnsClientEnabled"=dword:00000000
"ForceGoogleSafeSearch"=dword:00000001
"ForceYouTubeRestrict"=dword:00000002
"SafeSitesFilterBehavior"=dword:00000001

To apply via command line in an elevated Command Prompt:

reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v DnsOverHttpsMode /t REG_SZ /d "off" /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v BuiltInDnsClientEnabled /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v ForceGoogleSafeSearch /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v ForceYouTubeRestrict /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v SafeSitesFilterBehavior /t REG_DWORD /d 1 /f
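
The registry values above cover only the "DoH off" choice and leave out Step 7. The PowerShell below is an added example, not part of the original guide, that writes the "Force CleanBrowsing DoH" alternative from Step 4 and the deny-all extension lists from Step 7. The helper name Set-ChromeListPolicy and the empty $allowedExtensions list are assumptions of this example.

```powershell
# Added example: registry form of Step 4 (alternative) and Step 7. Run elevated.
$base = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Assumption: fill in the 32-character IDs of the extensions you approve.
$allowedExtensions = @()

function Set-ChromeListPolicy {
    param([string]$Name, [string[]]$Items)
    $key = Join-Path $base $Name
    # Recreate the subkey so entries from an earlier run do not linger.
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    New-Item -Path $key -Force | Out-Null
    $i = 1
    foreach ($item in $Items) {
        # Chrome list policies are string values named "1", "2", ... in a subkey.
        New-ItemProperty -Path $key -Name "$i" -Value $item -PropertyType String | Out-Null
        $i++
    }
}

# Create the policy key only if it is absent, so existing values are kept.
if (-not (Test-Path $base)) { New-Item -Path $base -Force | Out-Null }

# "secure" is the registry value for "Enable DNS-over-HTTPS without insecure fallback".
Set-ItemProperty -Path $base -Name DnsOverHttpsMode -Value 'secure' -Type String
Set-ItemProperty -Path $base -Name DnsOverHttpsTemplates `
    -Value 'https://doh.cleanbrowsing.org/doh/family-filter' -Type String

# Deny all extensions, then allow only the approved IDs (if any were listed).
Set-ChromeListPolicy -Name ExtensionInstallBlocklist -Items @('*')
if ($allowedExtensions.Count -gt 0) {
    Set-ChromeListPolicy -Name ExtensionInstallAllowlist -Items $allowedExtensions
}
```

Use either this block or the "DnsOverHttpsMode"="off" value above, not both, since both write the same DnsOverHttpsMode value.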

Step 9: Verify Policies Are Applied

After making changes, confirm everything is working:

  1. Close and reopen Google Chrome
  2. Navigate to chrome://policy/ in the address bar
  3. Verify that all your configured policies appear with the correct values
  4. Navigate to chrome://settings/security and confirm that the Secure DNS toggle is greyed out or set to your chosen configuration
  5. Run nslookup -type=txt debug.cleanbrowsing.org in Command Prompt to verify DNS is resolving through CleanBrowsing

If policies do not appear, click "Reload policies" on the chrome://policy page or restart the computer.
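
The chrome://policy check is manual and per machine. As an added example (not from the original guide), the PowerShell below reads the same registry values and reports any that are missing or differ from the settings in Steps 4 to 8. The function name Get-ChromePolicyDrift and the output wording are assumptions of this example.

```powershell
# Added example: compare Chrome's machine-level policy values with this guide's settings.
$base = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$cleanBrowsingDoh = 'https://doh.cleanbrowsing.org/doh/*'
$expected = [ordered]@{
    BuiltInDnsClientEnabled = 0   # Step 5
    ForceGoogleSafeSearch   = 1   # Step 6
    ForceYouTubeRestrict    = 2   # Step 6
    SafeSitesFilterBehavior = 1   # Step 6
}

function Get-ChromePolicyDrift {
    $props = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    if (-not $props) { return @("MISSING  no policy values under $base") }
    $findings = @()
    foreach ($name in $expected.Keys) {
        $actual = $props.$name
        if ($null -eq $actual) {
            $findings += "MISSING  $name"
        } elseif ($actual -ne $expected[$name]) {
            $findings += "MISMATCH $name = $actual (expected $($expected[$name]))"
        }
    }
    # Step 4: DoH is either off, or "secure" with CleanBrowsing templates only.
    $mode = $props.DnsOverHttpsMode
    $templates = @("$($props.DnsOverHttpsTemplates)" -split '\s+' | Where-Object { $_ })
    $foreign = @($templates | Where-Object { $_ -notlike $cleanBrowsingDoh })
    $forcedCb = $mode -eq 'secure' -and $templates.Count -gt 0 -and $foreign.Count -eq 0
    if ($mode -ne 'off' -and -not $forcedCb) {
        $findings += "MISMATCH DnsOverHttpsMode = '$mode', templates = '$($templates -join ' ')'"
    }
    # Step 7: the blocklist subkey must hold a "*" entry.
    $block = Get-ItemProperty -Path "$base\ExtensionInstallBlocklist" -ErrorAction SilentlyContinue
    $entries = @()
    if ($block) {
        # Skip the PS* bookkeeping properties that Get-ItemProperty adds.
        $entries = @($block.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Value })
    }
    if ($entries -notcontains '*') { $findings += 'MISSING  ExtensionInstallBlocklist entry "*"' }
    return $findings
}

$drift = @(Get-ChromePolicyDrift)
if ($drift.Count -eq 0) { 'OK: registry matches the hardening baseline' } else { $drift }
```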
