Chrome relies on the operating system trust store, so the DPS CA must be imported at the OS level.
Linux (Ubuntu / Debian-based):
sudo cp ca.crt /usr/local/share/ca-certificates/dps-ca.crt
sudo update-ca-certificates
macOS:
Drag ca.crt into the certificates list (Keychain Access).
Windows:
Import ca.crt into the Windows trusted root certificate store.
Chrome DoH settings:
Open chrome://settings/security, expand Advanced, find Use secure DNS and turn the Use secure DNS toggle on.
Select With Custom and enter https://localhost:8443/dns-query in the provider input.
We need to disable the RFC-1918 restrictions in the browser so that it accepts private IPs for hostnames resolved via DoH. RFC 1918 defines which IP ranges are private and which are public, and browsers restrict private addresses in DoH responses because resolving to them is not considered a typical production use case.
Chrome blocks private IP resolution via DoH by default as a security measure.
Open chrome://flags and change the Insecure Private Network Requests flag so that these requests are no longer blocked.
In my tests, some real domains like .dev won't work depending on the combination of private IP + default port (80, 443); the browser will not accept to resolve them, so evict them. .com seems to work normally.
You can track which names are being resolved by opening chrome://net-internals/#dns.