Configure the insecure and secure parts of the async resolver separately.

We can now set the secure dns mode to AUTOMATIC and turn the insecure part of
the resolver off, which will result in the async resolver issuing DoH requests
and falling back to the system resolver without attempting to send plaintext
DNS requests itself.

In a follow up cl, the secure dns mode part of the configuration will be read from
prefs. For now, we continue to set the mode to AUTOMATIC if there are DoH servers
specified and to OFF otherwise.

Bug: 985589
Change-Id: Ia40cbae1fdd57e19e925e125dcf1e82289220242
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1709928
Commit-Queue: Katharine Daly <dalyk@google.com>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Eric Orth <ericorth@chromium.org>
Cr-Commit-Position: refs/heads/master@{#680161}

chrome/browser/net/system_network_context_manager.cc

@@ -84,11 +84,15 @@ SystemNetworkContextManager* g_system_network_context_manager = nullptr;
 
 void GetStubResolverConfig(
     PrefService* local_state,
-    bool* stub_resolver_enabled,
+    bool* insecure_stub_resolver_enabled,
+    net::DnsConfig::SecureDnsMode* secure_dns_mode,
     base::Optional<std::vector<network::mojom::DnsOverHttpsServerPtr>>*
         dns_over_https_servers) {
   DCHECK(!dns_over_https_servers->has_value());
 
+  *insecure_stub_resolver_enabled =
+      local_state->GetBoolean(prefs::kBuiltInDnsClientEnabled);
+
   const auto& doh_server_list =
       local_state->GetList(prefs::kDnsOverHttpsServers)->GetList();
   const auto& doh_server_method_list =
@@ -128,20 +132,24 @@ void GetStubResolverConfig(
     }
   }
 
-  *stub_resolver_enabled =
-      dns_over_https_servers->has_value() ||
-      local_state->GetBoolean(prefs::kBuiltInDnsClientEnabled);
+  // TODO(crbug.com/985589): Read secure dns mode from prefs.
+  if (dns_over_https_servers->has_value())
+    *secure_dns_mode = net::DnsConfig::SecureDnsMode::AUTOMATIC;
+  else
+    *secure_dns_mode = net::DnsConfig::SecureDnsMode::OFF;
 }
 
 void OnStubResolverConfigChanged(PrefService* local_state,
                                  const std::string& pref_name) {
-  bool stub_resolver_enabled;
+  bool insecure_stub_resolver_enabled;
+  net::DnsConfig::SecureDnsMode secure_dns_mode;
   base::Optional<std::vector<network::mojom::DnsOverHttpsServerPtr>>
       dns_over_https_servers;
-  GetStubResolverConfig(local_state, &stub_resolver_enabled,
-                        &dns_over_https_servers);
+  GetStubResolverConfig(local_state, &insecure_stub_resolver_enabled,
+                        &secure_dns_mode, &dns_over_https_servers);
   content::GetNetworkService()->ConfigureStubHostResolver(
-      stub_resolver_enabled, std::move(dns_over_https_servers));
+      insecure_stub_resolver_enabled, secure_dns_mode,
+      std::move(dns_over_https_servers));
 }
 
 // Constructs HttpAuthStaticParams based on |local_state|.
@@ -554,13 +562,15 @@ void SystemNetworkContextManager::OnNetworkServiceCreated(
 
   // Configure the stub resolver. This must be done after the system
   // NetworkContext is created, but before anything has the chance to use it.
-  bool stub_resolver_enabled;
+  bool insecure_stub_resolver_enabled;
+  net::DnsConfig::SecureDnsMode secure_dns_mode;
   base::Optional<std::vector<network::mojom::DnsOverHttpsServerPtr>>
       dns_over_https_servers;
-  GetStubResolverConfig(local_state_, &stub_resolver_enabled,
-                        &dns_over_https_servers);
+  GetStubResolverConfig(local_state_, &insecure_stub_resolver_enabled,
+                        &secure_dns_mode, &dns_over_https_servers);
   content::GetNetworkService()->ConfigureStubHostResolver(
-      stub_resolver_enabled, std::move(dns_over_https_servers));
+      insecure_stub_resolver_enabled, secure_dns_mode,
+      std::move(dns_over_https_servers));
 
 #if defined(OS_LINUX) && !defined(OS_CHROMEOS)
   const base::CommandLine& command_line =
@@ -706,10 +716,12 @@ void SystemNetworkContextManager::FlushNetworkInterfaceForTesting() {
 }
 
 void SystemNetworkContextManager::GetStubResolverConfigForTesting(
-    bool* stub_resolver_enabled,
+    bool* insecure_stub_resolver_enabled,
+    net::DnsConfig::SecureDnsMode* secure_dns_mode,
     base::Optional<std::vector<network::mojom::DnsOverHttpsServerPtr>>*
         dns_over_https_servers) {
-  GetStubResolverConfig(g_browser_process->local_state(), stub_resolver_enabled,
+  GetStubResolverConfig(g_browser_process->local_state(),
+                        insecure_stub_resolver_enabled, secure_dns_mode,
                         dns_over_https_servers);
 }
 

chrome/browser/net/system_network_context_manager.h

@@ -130,7 +130,8 @@ class SystemNetworkContextManager {
 
   // Returns configuration that would be sent to the stub DNS resolver.
   static void GetStubResolverConfigForTesting(
-      bool* stub_resolver_enabled,
+      bool* insecure_stub_resolver_enabled,
+      net::DnsConfig::SecureDnsMode* secure_dns_mode,
       base::Optional<std::vector<network::mojom::DnsOverHttpsServerPtr>>*
           dns_over_https_servers);
 

chrome/browser/net/system_network_context_manager_browsertest.cc

@@ -30,25 +30,31 @@
 namespace {
 
 void GetStubResolverConfig(
-    bool* stub_resolver_enabled,
+    bool* insecure_stub_resolver_enabled,
+    net::DnsConfig::SecureDnsMode* secure_dns_mode,
     base::Optional<std::vector<network::mojom::DnsOverHttpsServerPtr>>*
         dns_over_https_servers) {
   dns_over_https_servers->reset();
 
   SystemNetworkContextManager::GetStubResolverConfigForTesting(
-      stub_resolver_enabled, dns_over_https_servers);
+      insecure_stub_resolver_enabled, secure_dns_mode, dns_over_https_servers);
 }
 
 // Checks the values returned by GetStubResolverConfigForTesting() match
 // |async_dns_feature_enabled| (With empty DNS over HTTPS prefs). Then sets
 // various DNS over HTTPS servers, and makes sure the settings are respected.
+// TODO(crbug.com/985589): Check that the SecureDnsMode is read correctly from
+// the prefs once it is stored there.
 void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   // Check initial state.
-  bool stub_resolver_enabled = !async_dns_feature_enabled;
+  bool insecure_stub_resolver_enabled = !async_dns_feature_enabled;
+  net::DnsConfig::SecureDnsMode secure_dns_mode;
   base::Optional<std::vector<network::mojom::DnsOverHttpsServerPtr>>
       dns_over_https_servers;
-  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
-  EXPECT_EQ(async_dns_feature_enabled, stub_resolver_enabled);
+  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
+                        &dns_over_https_servers);
+  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
+  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF, secure_dns_mode);
   EXPECT_FALSE(dns_over_https_servers.has_value());
 
   // Check state after setting various DNS over HTTPS preferences.
@@ -74,8 +80,10 @@ void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   servers.GetList().push_back(base::Value(kGoodGetTemplate));
   local_state->Set(prefs::kDnsOverHttpsServers, servers);
   local_state->Set(prefs::kDnsOverHttpsServerMethods, methods);
-  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
-  EXPECT_EQ(async_dns_feature_enabled, stub_resolver_enabled);
+  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
+                        &dns_over_https_servers);
+  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
+  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF, secure_dns_mode);
   EXPECT_FALSE(dns_over_https_servers.has_value());
   servers.GetList().clear();
   methods.GetList().clear();
@@ -83,8 +91,10 @@ void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   methods.GetList().push_back(base::Value(kPost));
   local_state->Set(prefs::kDnsOverHttpsServers, servers);
   local_state->Set(prefs::kDnsOverHttpsServerMethods, methods);
-  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
-  EXPECT_EQ(async_dns_feature_enabled, stub_resolver_enabled);
+  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
+                        &dns_over_https_servers);
+  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
+  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF, secure_dns_mode);
   EXPECT_FALSE(dns_over_https_servers.has_value());
   servers.GetList().clear();
   methods.GetList().clear();
@@ -94,8 +104,10 @@ void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   methods.GetList().push_back(base::Value(kPost));
   local_state->Set(prefs::kDnsOverHttpsServers, servers);
   local_state->Set(prefs::kDnsOverHttpsServerMethods, methods);
-  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
-  EXPECT_EQ(async_dns_feature_enabled, stub_resolver_enabled);
+  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
+                        &dns_over_https_servers);
+  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
+  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF, secure_dns_mode);
   EXPECT_FALSE(dns_over_https_servers.has_value());
   servers.GetList().clear();
   methods.GetList().clear();
@@ -105,8 +117,10 @@ void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   methods.GetList().push_back(base::Value(3.14));
   local_state->Set(prefs::kDnsOverHttpsServers, servers);
   local_state->Set(prefs::kDnsOverHttpsServerMethods, methods);
-  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
-  EXPECT_EQ(async_dns_feature_enabled, stub_resolver_enabled);
+  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
+                        &dns_over_https_servers);
+  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
+  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF, secure_dns_mode);
   EXPECT_FALSE(dns_over_https_servers.has_value());
   servers.GetList().clear();
   methods.GetList().clear();
@@ -116,8 +130,10 @@ void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   methods.GetList().push_back(base::Value(kPost));
   local_state->Set(prefs::kDnsOverHttpsServers, servers);
   local_state->Set(prefs::kDnsOverHttpsServerMethods, methods);
-  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
-  EXPECT_EQ(async_dns_feature_enabled, stub_resolver_enabled);
+  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
+                        &dns_over_https_servers);
+  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
+  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF, secure_dns_mode);
   EXPECT_FALSE(dns_over_https_servers.has_value());
   servers.GetList().clear();
   methods.GetList().clear();
@@ -127,8 +143,10 @@ void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   methods.GetList().push_back(base::Value(kPost));
   local_state->Set(prefs::kDnsOverHttpsServers, servers);
   local_state->Set(prefs::kDnsOverHttpsServerMethods, methods);
-  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
-  EXPECT_EQ(true, stub_resolver_enabled);
+  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
+                        &dns_over_https_servers);
+  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
+  EXPECT_EQ(net::DnsConfig::SecureDnsMode::AUTOMATIC, secure_dns_mode);
   ASSERT_TRUE(dns_over_https_servers.has_value());
   ASSERT_EQ(1u, dns_over_https_servers->size());
   EXPECT_EQ(kGoodPostTemplate, dns_over_https_servers->at(0)->server_template);
@@ -143,8 +161,10 @@ void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   methods.GetList().push_back(base::Value(kPost));
   local_state->Set(prefs::kDnsOverHttpsServers, servers);
   local_state->Set(prefs::kDnsOverHttpsServerMethods, methods);
-  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
-  EXPECT_EQ(true, stub_resolver_enabled);
+  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
+                        &dns_over_https_servers);
+  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
+  EXPECT_EQ(net::DnsConfig::SecureDnsMode::AUTOMATIC, secure_dns_mode);
   ASSERT_TRUE(dns_over_https_servers.has_value());
   ASSERT_EQ(1u, dns_over_https_servers->size());
   EXPECT_EQ(kGoodGetTemplate, dns_over_https_servers->at(0)->server_template);
@@ -159,8 +179,10 @@ void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   methods.GetList().push_back(base::Value(kGet));
   local_state->Set(prefs::kDnsOverHttpsServers, servers);
   local_state->Set(prefs::kDnsOverHttpsServerMethods, methods);
-  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
-  EXPECT_EQ(true, stub_resolver_enabled);
+  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
+                        &dns_over_https_servers);
+  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
+  EXPECT_EQ(net::DnsConfig::SecureDnsMode::AUTOMATIC, secure_dns_mode);
   ASSERT_TRUE(dns_over_https_servers.has_value());
   ASSERT_EQ(2u, dns_over_https_servers->size());
   EXPECT_EQ(kGoodPostTemplate, dns_over_https_servers->at(0)->server_template);
@@ -173,13 +195,17 @@ void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   // Test case with policy BuiltInDnsClientEnabled enabled.
   local_state->Set(prefs::kDnsOverHttpsServers, servers);
   local_state->Set(prefs::kDnsOverHttpsServerMethods, methods);
-  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
-  EXPECT_EQ(async_dns_feature_enabled, stub_resolver_enabled);
+  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
+                        &dns_over_https_servers);
+  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
+  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF, secure_dns_mode);
   EXPECT_FALSE(dns_over_https_servers.has_value());
   local_state->Set(prefs::kBuiltInDnsClientEnabled,
                    base::Value(!async_dns_feature_enabled));
-  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
-  EXPECT_EQ(!async_dns_feature_enabled, stub_resolver_enabled);
+  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
+                        &dns_over_https_servers);
+  EXPECT_EQ(!async_dns_feature_enabled, insecure_stub_resolver_enabled);
+  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF, secure_dns_mode);
   EXPECT_FALSE(dns_over_https_servers.has_value());
 }
 

services/network/network_service.cc

@@ -31,7 +31,6 @@
 #include "net/cert/cert_database.h"
 #include "net/cert/ct_log_response_parser.h"
 #include "net/cert/signed_tree_head.h"
-#include "net/dns/dns_config.h"
 #include "net/dns/dns_config_overrides.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/host_resolver_manager.h"
@@ -451,17 +450,16 @@ void NetworkService::CreateNetworkContext(
 }
 
 void NetworkService::ConfigureStubHostResolver(
-    bool stub_resolver_enabled,
+    bool insecure_dns_client_enabled,
+    net::DnsConfig::SecureDnsMode secure_dns_mode,
     base::Optional<std::vector<mojom::DnsOverHttpsServerPtr>>
         dns_over_https_servers) {
-  // If the stub resolver is not enabled, |dns_over_https_servers| has no
-  // effect.
-  DCHECK(stub_resolver_enabled || !dns_over_https_servers);
   DCHECK(!dns_over_https_servers || !dns_over_https_servers->empty());
 
   // Enable or disable the insecure part of DnsClient. "DnsClient" is the class
   // that implements the stub resolver.
-  host_resolver_manager_->SetInsecureDnsClientEnabled(stub_resolver_enabled);
+  host_resolver_manager_->SetInsecureDnsClientEnabled(
+      insecure_dns_client_enabled);
 
   // Configure DNS over HTTPS.
   if (!dns_over_https_servers || dns_over_https_servers.value().empty()) {
@@ -475,9 +473,7 @@ void NetworkService::ConfigureStubHostResolver(
     overrides.dns_over_https_servers.value().emplace_back(
         doh_server->server_template, doh_server->use_post);
   }
-  // TODO(crbug.com/985589): Allow the secure dns mode to be set independently
-  // of the insecure part of the stub resolver.
-  overrides.secure_dns_mode = net::DnsConfig::SecureDnsMode::AUTOMATIC;
+  overrides.secure_dns_mode = secure_dns_mode;
   host_resolver_manager_->SetDnsConfigOverrides(overrides);
 }
 

services/network/network_service.h

@@ -23,6 +23,7 @@
 #include "base/timer/timer.h"
 #include "build/build_config.h"
 #include "mojo/public/cpp/bindings/binding.h"
+#include "net/dns/dns_config.h"
 #include "net/http/http_auth_preferences.h"
 #include "net/log/net_log.h"
 #include "net/log/trace_net_log_observer.h"
@@ -142,7 +143,8 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkService
   void CreateNetworkContext(mojom::NetworkContextRequest request,
                             mojom::NetworkContextParamsPtr params) override;
   void ConfigureStubHostResolver(
-      bool stub_resolver_enabled,
+      bool insecure_dns_client_enabled,
+      net::DnsConfig::SecureDnsMode secure_dns_mode,
       base::Optional<std::vector<mojom::DnsOverHttpsServerPtr>>
           dns_over_https_servers) override;
   void DisableQuic() override;

services/network/network_service_unittest.cc

@@ -22,6 +22,7 @@
 #include "base/threading/thread_task_runner_handle.h"
 #include "build/build_config.h"
 #include "net/base/escape.h"
+#include "net/base/ip_endpoint.h"
 #include "net/base/mock_network_change_notifier.h"
 #include "net/base/url_util.h"
 #include "net/dns/dns_config_service.h"
@@ -443,23 +444,55 @@ TEST_F(NetworkServiceTest, AuthEnableNegotiatePort) {
 #if !defined(OS_IOS)
 
 TEST_F(NetworkServiceTest, DnsClientEnableDisable) {
-  // HostResolver::GetDnsConfigAsValue() returns nullptr if the stub resolver is
-  // disabled.
-  EXPECT_FALSE(service()
-                   ->host_resolver_manager()
-                   ->GetInsecureDnsClientEnabledForTesting());
+  // Set valid DnsConfig.
+  net::DnsConfig config;
+  config.nameservers.push_back(net::IPEndPoint());
+  service()->host_resolver_manager()->SetBaseDnsConfigForTesting(config);
+
   service()->ConfigureStubHostResolver(
-      true /* stub_resolver_enabled */,
+      true /* insecure_dns_client_enabled */,
+      net::DnsConfig::SecureDnsMode::OFF,
       base::nullopt /* dns_over_https_servers */);
   EXPECT_TRUE(service()
                   ->host_resolver_manager()
                   ->GetInsecureDnsClientEnabledForTesting());
+  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF,
+            service()->host_resolver_manager()->GetSecureDnsModeForTesting());
+
+  service()->ConfigureStubHostResolver(
+      false /* insecure_dns_client_enabled */,
+      net::DnsConfig::SecureDnsMode::OFF,
+      base::nullopt /* dns_over_https_servers */);
+  EXPECT_FALSE(service()
+                   ->host_resolver_manager()
+                   ->GetInsecureDnsClientEnabledForTesting());
+  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF,
+            service()->host_resolver_manager()->GetSecureDnsModeForTesting());
+
   service()->ConfigureStubHostResolver(
-      false /* stub_resolver_enabled */,
+      false /* insecure_dns_client_enabled */,
+      net::DnsConfig::SecureDnsMode::AUTOMATIC,
       base::nullopt /* dns_over_https_servers */);
   EXPECT_FALSE(service()
                    ->host_resolver_manager()
                    ->GetInsecureDnsClientEnabledForTesting());
+  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF,
+            service()->host_resolver_manager()->GetSecureDnsModeForTesting());
+
+  std::vector<mojom::DnsOverHttpsServerPtr> dns_over_https_servers_ptr;
+  mojom::DnsOverHttpsServerPtr dns_over_https_server =
+      mojom::DnsOverHttpsServer::New();
+  dns_over_https_server->server_template = "https://foo/";
+  dns_over_https_server->use_post = true;
+  dns_over_https_servers_ptr.emplace_back(std::move(dns_over_https_server));
+  service()->ConfigureStubHostResolver(false /* insecure_dns_client_enabled */,
+                                       net::DnsConfig::SecureDnsMode::AUTOMATIC,
+                                       std::move(dns_over_https_servers_ptr));
+  EXPECT_FALSE(service()
+                   ->host_resolver_manager()
+                   ->GetInsecureDnsClientEnabledForTesting());
+  EXPECT_EQ(net::DnsConfig::SecureDnsMode::AUTOMATIC,
+            service()->host_resolver_manager()->GetSecureDnsModeForTesting());
 }
 
 TEST_F(NetworkServiceTest, DnsOverHttpsEnableDisable) {
@@ -487,7 +520,8 @@ TEST_F(NetworkServiceTest, DnsOverHttpsEnableDisable) {
   dns_over_https_server->use_post = kServer1UsePost;
   dns_over_https_servers_ptr.emplace_back(std::move(dns_over_https_server));
 
-  service()->ConfigureStubHostResolver(true /* stub_resolver_enabled */,
+  service()->ConfigureStubHostResolver(false /* insecure_dns_client_enabled */,
+                                       net::DnsConfig::SecureDnsMode::AUTOMATIC,
                                        std::move(dns_over_https_servers_ptr));
   EXPECT_TRUE(service()->host_resolver_manager()->GetDnsConfigAsValue());
   const auto* dns_over_https_servers =
@@ -510,7 +544,8 @@ TEST_F(NetworkServiceTest, DnsOverHttpsEnableDisable) {
   dns_over_https_server->use_post = kServer3UsePost;
   dns_over_https_servers_ptr.emplace_back(std::move(dns_over_https_server));
 
-  service()->ConfigureStubHostResolver(true /* stub_resolver_enabled */,
+  service()->ConfigureStubHostResolver(true /* insecure_dns_client_enabled */,
+                                       net::DnsConfig::SecureDnsMode::SECURE,
                                        std::move(dns_over_https_servers_ptr));
   EXPECT_TRUE(service()->host_resolver_manager()->GetDnsConfigAsValue());
   dns_over_https_servers =

services/network/public/cpp/host_resolver.typemap

 # Copyright 2018 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
+# found in the LICENSE file.
 
 mojom = "//services/network/public/mojom/host_resolver.mojom"
 public_headers = [
+  "//net/dns/dns_config.h",
   "//net/dns/dns_config_overrides.h",
   "//net/dns/host_resolver.h",
   "//net/dns/host_resolver_source.h",
@@ -22,4 +23,5 @@ type_mappings = [
   "network.mojom.DnsQueryType=net::DnsQueryType",
   "network.mojom.ResolveHostParameters.Source=net::HostResolverSource",
   "network.mojom.MdnsListenClient.UpdateType=net::HostResolver::MdnsListener::Delegate::UpdateType",
+  "network.mojom.SecureDnsMode=net::DnsConfig::SecureDnsMode",
 ]

services/network/public/cpp/host_resolver_mojom_traits.cc

@@ -373,4 +373,38 @@ bool EnumTraits<MdnsListenClient::UpdateType,
   }
 }
 
+// static
+network::mojom::SecureDnsMode
+EnumTraits<network::mojom::SecureDnsMode, net::DnsConfig::SecureDnsMode>::
+    ToMojom(net::DnsConfig::SecureDnsMode secure_dns_mode) {
+  switch (secure_dns_mode) {
+    case net::DnsConfig::SecureDnsMode::OFF:
+      return network::mojom::SecureDnsMode::OFF;
+    case net::DnsConfig::SecureDnsMode::AUTOMATIC:
+      return network::mojom::SecureDnsMode::AUTOMATIC;
+    case net::DnsConfig::SecureDnsMode::SECURE:
+      return network::mojom::SecureDnsMode::SECURE;
+  }
+  NOTREACHED();
+  return network::mojom::SecureDnsMode::OFF;
+}
+
+// static
+bool EnumTraits<network::mojom::SecureDnsMode, net::DnsConfig::SecureDnsMode>::
+    FromMojom(network::mojom::SecureDnsMode in,
+              net::DnsConfig::SecureDnsMode* out) {
+  switch (in) {
+    case network::mojom::SecureDnsMode::OFF:
+      *out = net::DnsConfig::SecureDnsMode::OFF;
+      return true;
+    case network::mojom::SecureDnsMode::AUTOMATIC:
+      *out = net::DnsConfig::SecureDnsMode::AUTOMATIC;
+      return true;
+    case network::mojom::SecureDnsMode::SECURE:
+      *out = net::DnsConfig::SecureDnsMode::SECURE;
+      return true;
+  }
+  return false;
+}
+
 }  // namespace mojo

services/network/public/cpp/host_resolver_mojom_traits.h

@@ -17,6 +17,7 @@
 #include "net/base/address_family.h"
 #include "net/base/ip_address.h"
 #include "net/base/ip_endpoint.h"
+#include "net/dns/dns_config.h"
 #include "net/dns/dns_config_overrides.h"
 #include "net/dns/dns_hosts.h"
 #include "net/dns/host_resolver.h"
@@ -105,6 +106,15 @@ struct EnumTraits<network::mojom::MdnsListenClient::UpdateType,
       net::HostResolver::MdnsListener::Delegate::UpdateType* output);
 };
 
+template <>
+struct EnumTraits<network::mojom::SecureDnsMode,
+                  net::DnsConfig::SecureDnsMode> {
+  static network::mojom::SecureDnsMode ToMojom(
+      net::DnsConfig::SecureDnsMode secure_dns_mode);
+  static bool FromMojom(network::mojom::SecureDnsMode in,
+                        net::DnsConfig::SecureDnsMode* out);
+};
+
 }  // namespace mojo
 
 #endif  // SERVICES_NETWORK_PUBLIC_CPP_HOST_RESOLVER_MOJOM_TRAITS_H_

services/network/public/mojom/host_resolver.mojom

@@ -40,6 +40,13 @@ enum OptionalSecureDnsMode {
   SECURE,
 };
 
+// This enum corresponds to DnsConfig::SecureDnsMode.
+enum SecureDnsMode {
+  OFF,
+  AUTOMATIC,
+  SECURE,
+};
+
 // Overridable DNS configuration values for host resolution. All fields default
 // to a non-overriding state where the relevant value will be used from system
 // DNS configuration.

services/network/public/mojom/network_service.mojom

@@ -324,19 +324,21 @@ interface NetworkService {
   // resolver.
   //
   // |dns_over_https_servers| is an optional list of DNS over HTTPS servers.
-  // When populated, all DNS lookups will try to use DNS over HTTPS in the order
-  // the servers are provided in and will only fall back to using system
-  // settings if DNS over HTTPS fails. It is illegal to have a populated
-  // |dns_over_https_servers| when |stub_resolver_enabled| is false.
+  // DnsTransactions will by default follow the behavior of |secure_dns_mode|.
+  // In SECURE mode, only DoH lookups will be performed. In AUTOMATIC mode,
+  // DoH lookups to available servers will be performed first, and insecure
+  // lookups will be used as a fallback. In OFF mode, only insecure lookups will
+  // be performed. When insecure lookups are performed, they will be sent by
+  // the async resolver first if |insecure_dns_client_enabled| is true and
+  // then by the system resolver as a fallback.
   //
   // DNS over HTTPS will use the primary NetworkContext, so can only be enabled
   // after the primary network context has been created. Other than that
   // limitation, this method can be called at any time to change DNS
   // configuration, though calling it will fail any DNS lookups that have
   // already been started.
-  //
-  // Both the stub resolver and DNS over HTTPS are disabled by default.
-  ConfigureStubHostResolver(bool stub_resolver_enabled,
+  ConfigureStubHostResolver(bool insecure_dns_client_enabled,
+                            SecureDnsMode secure_dns_mode,
                             array<DnsOverHttpsServer>? dns_over_https_servers);
 
   // Disables QUIC for the NetworkService. Affects all existing NetworkContexts,