DNS over QUIC (DoQ) Explained
A modern encrypted DNS transport designed for speed, security and reliability.
A modern encrypted DNS transport designed for speed, security and reliability.
DNS over QUIC (DoQ) is an encrypted DNS transport protocol defined in RFC 9250 that uses the QUIC protocol to protect DNS queries and responses. QUIC is a modern transport protocol originally developed for HTTP/3 and designed to provide faster connection establishment and improved network efficiency.
Traditional DNS queries are transmitted in clear text using UDP port 53. This allows network observers to monitor DNS requests and determine which domains users are accessing.
DoQ solves this problem by encrypting DNS traffic using the TLS 1.3 security mechanisms built into QUIC. The result is a secure and low-latency DNS transport that improves both privacy and performance.
Unlike DNS over TLS, which relies on TCP connections, DoQ uses the QUIC transport protocol running over UDP.
QUIC allows clients and resolvers to establish encrypted connections with fewer round-trip exchanges, reducing the time required to perform DNS lookups.
QUIC also supports multiplexing multiple DNS queries over a single encrypted connection, improving efficiency for modern applications that generate many DNS requests.
Some modern DNS tools support DNS over QUIC queries.
For example, the kdig utility from Knot DNS can test DoQ-enabled resolvers.
kdig @1.1.1.1 example.com +quic
This sends a DNS query using the QUIC protocol instead of traditional UDP or TCP transport.
Encrypted DNS protocols are becoming increasingly important for protecting user privacy and preventing network-level DNS manipulation.
While DNS over TLS and DNS over HTTPS already provide encrypted DNS transport, DoQ offers additional performance improvements by eliminating TCP handshake delays and reducing connection overhead.