DNS-over-QUIC becomes the proposed standard: Why it’s good news for your privacy

DNS-over-QUIC, abbreviated as DoQ, became a proposed standard last month. He did it with little fanfare, but it’s an occasion worth celebrating.

Adguard 1

(Image credit: Adguard)

In mid-May, DoQ was published as an RFC (Request for Comments, a document that describes protocols, methods, programs, or online research applicable to the Internet), received number 9250, and has since been treated as a proposed standard. .

The protocol took five years to develop, and it won’t become a full-fledged Internet standard overnight. However, the industry has warmed up enough to DoQ to start implementing it already, as it is far superior to existing trial and trust protocols.

Without getting into the technical details right off the bat, let’s just say that DoQ, thanks to being a relatively new kid on the block, is much better equipped to handle the challenges of the digital age. While previous transport layer network protocols did an outstanding job of transmitting data under near perfect conditions of stable broadband connection, they failed once you entered the desert of 4G, LTE and mobile data.


Before we dive into the intricacies of QUIC, and therefore DoQ, let’s dig deeper into how the Internet works, starting with DNS. DNS (opens in a new tab) or the Domain Name System is the “address book” or dictionary of the internet. Machines don’t understand human-readable domain names, eg yahoo.com, so they have to send a special request to a DNS resolver to translate human gibberish into a machine-readable IP address. (opens in a new tab) for them.

In a nutshell: it’s a DNS resolver that facilitates human-computer interaction by converting a domain name you type into a search bar into an IP address and returning it to your device.

Before QUIC

QUIC did not appear out of the blue, rather it was the shortcomings of its predecessors that paved the way for its creation. The TCP transport layer protocol has been used primarily on the web for the past few years, if not decades. Other protocols – SSL, TLS and HTTP – worked on top.

TCP does its job well, but has several drawbacks, and head-of-line blocking (HOL blocking) is one of them.

The problem with TCP is that data packets are transmitted in batches. When your browser sends a group of packets to request a connection, the server responds with its own group of packets, acknowledging receipt. These packets are grouped in a specific order. Newer data packets cannot be processed until older ones are.

Adguard 2

(Image credit: Adguard)

This means that if one of the response packets is lost due to the weak connection, the others will have to wait in line until the lost packet is resent, hoping it gets through this time. This can significantly slow down the speed of traffic, and as the demand for uninterrupted internet connectivity across different networks grew, so did the need for a new, faster and more reliable solution. That’s when QUIC came into the picture.


QUIC is a transport layer network protocol built on top of UDP, which transmits data packets between servers or between a server and a client. It lives up to its name by getting things done faster than its established analogues.

First, this is because QUIC provides security features, like encryption (opens in a new tab) and authentication, from the transport protocol itself. These features are usually performed by a higher level protocol, such as TLS. A typical handshake you get consists of two round trips: first, a TCP connection is established, then the TLS layer encrypts the connection. With QUIC, the number of round trips is reduced to one.

Adguard 3

(Image credit: Adguard)

Second, unlike its predecessors which process requests by queue, the QUIC implementation allows data to be processed in no specific order. If, for example, your Internet connection fails and the first data packet is lost due to a poor signal, the remaining packets will be processed without delay.

Thus, the first data packet will not block the queue – and the problem of blocking at the head of the line will be eliminated.

Adguard 4

(Image credit: Adguard)

QUIC also solves the inherent problem of the extremely fast pace of life. We are constantly on the move and on the internet: in the morning we connect to the router at home to scan the latest news, once we leave the house to go to work our phone switches from Wi-Fi to 4G and must reconnect to website and DNS servers (opens in a new tab)and when we finally get to the office, our smartphone (opens in a new tab) must connect to office Wi-Fi.

Older protocols could barely jump through all those hoops and obstacles, but QUIC can. When QUIC is used, your phone will survive the transition from one IP address to another, an event called “Connection Migration”, without inconveniencing you as a user.

We should note that no one has implemented “login migration” yet, but judging by how it’s described in the standard, we expect someone to rise to the challenge of becoming a pioneer, sooner rather than later. or late.

Why DNS-over-QUIC is the future

In short, DNS-over-QUIC is a DNS protocol that uses the QUIC transport layer protocol to transmit DNS queries. Its goal is to provide maximum privacy (opens in a new tab) with minimum latency.

With DNS-over-QUIC implemented, the connection is established much faster than with DNS-over-TLS(DoT). In addition to better speed and lower packet loss rate, QUIC also offers more encryption options. This allows DoQ to compare favorably to DNS-over-HTTPS (DoH).

Since DoH was not originally designed as a transport layer protocol, it does not offer robust privacy protections. Using HTTP to forward DNS queries leads to HTTP cookies, other HTTP headers (Authentication, User-Agent, Accept-Language) that convey specific information about the user, giving attackers more options tracking and fingerprinting.

These issues could be handled client-side at the DoH level, but it’s nearly impossible to have a custom solution for all clients, including browsers. (opens in a new tab), operating systems and all kinds of software. So while DoH may also support QUIC at some point with the future deployment of the HTTP/3 protocol, the future is yet to come and the inherent flaws in its design will continue to haunt it.

In addition, compared to previous versions of the project, the final version allows using DoQ not only for recursive DNS servers, but also for authoritative ones. Authoritative DNS servers provide recursive DNS servers with answers about where to find a particular website (opens in a new tab). Do you remember that dictionary or the internet analogy address book?

Authoritative DNS servers have the dictionary in their possession, while recursive DNS servers require authoritative servers to take a look before sending (the information to the computer that requested it. Thus, implementing DoQ will not only encrypt traffic coming from the client (your computer or phone) to the recursive server, but also all DNS traffic in general.

DoQ Deployments So Far

DoQ hasn’t been around that long, and it makes sense that so far only a few DNS resolvers have started implementing and deploying it. 1,217 resolvers verified by DoQ at the end of January, noting a steady growth in their number since last year. According to the document, nearly half (45.19%) of DoQ-verified resolvers are operated in Asia, while the EU accounts for just over 32% and North America 17.8% of the total number.

AdGuard DNS became the first public resolver to support the new DoQ protocol in December 2020. It now offers DoQ support on its Android and iOS mobile apps, as well as all of its Windows and Mac desktop apps. Additionally, AdGuard customers can set up their own DoQ server with AdGuard Home, an open-source, network-wide software to block ads and trackers in home networks.

NextDNS is another resolver that already uses DoQ in production systems. As of January this year, nextDNS was operating 199 DoQ verified resolvers across 6 continents and 66 countries.

There have also been several implementations of DoQ: Quicdoc, written in C and based on Picoquic; aioquic, library for the QUIC network protocol in Python, and Flamethrower, a DNS tool for functional testing written in C++. AdGuard also offers DoQ support for its DNS proxy, DNS library, and DNS lookup tool.

Put your website online with the best web hosting.

Previous Three Tips for Improving DNS Integrity
Next TON Foundation launches Ethereum Name Service-like domain names