DNS over QUIC (DoQ): What is it and how does it work?

What is DNS over QUIC protocol?

In very basic terms, DNS over QUIC protocol is the transport protocol for securely sending DNS queries. DNS queries are part of the DNS protocol which converts text (website URLs) to domain IP addresses (or numbers), to find and return the webpages to you via the internet browser. In other words, without DNS you wouldn’t be able to access any website with its domain name.

QUIC protocol stands for “Quick UDP (user datagram protocol) internet connections,” and is a transport mechanism originally developed by Google in 2012 and standardized by the IETF in 2021. It strengthens the DNS protocol’s safety and improves its speed by combining connection and encryption processes simultaneously. That’s why the DNS over QUIC protocol outperforms its predecessors (protocols such as DNS over HTTPS or DNS over TCP) by providing faster and more secure connections for web users.

How does DoQ work

DoQ works behind the scenes, so visually it doesn’t look like anything for the end user. However, to better understand how the protocol works, we can try and visualize this process.

If your browser uses DNS over TLS (DoT) or DNS over HTTPS (DoH) protocols, the process takes additional steps compared to DNS over QUIC. That is because DNS over TLS protocol first has to establish the connection between the computer and the server and then use TLS protocol to encrypt the traffic. Meanwhile, the DoQ protocol combines the connection setup and encryption steps in one go, reducing the time it takes to connect to the server. Here’s how it works:

1. The user initiates a request. A person using the browser types in the URL (e.g., example.com) in their browser and presses “Enter.” The browser now needs to resolve this domain name into an IP address to load the website.
2. The browser sends a DNS query to the DoQ resolver. The operating system’s DNS client sends the DNS query to a DoQ-enabled resolver. A QUIC connection is established during this step, ensuring the query is encrypted and protected from IP address spoofing or DNS hijacking.
3. The resolver checks its cache. The resolver looks into its cache to see if it already has the IP address for the requested domain name. If found, it immediately sends the cached IP address back to the browser, skipping further steps.
4. The resolver queries the DNS system (if not cached). If the IP address is not in the cache, the resolver queries upstream DNS servers. It starts by contacting the root server to determine which top-level domain (TLD) server (e.g., .com, .org) handles the domain. The TLD server then directs the query to the appropriate authoritative nameserver.
5. Authoritative nameserver resolves the query. The authoritative server provides the IP address corresponding to the domain name and sends it back to the resolver.
6. The resolver sends the IP address back to the browser. The DoQ resolver receives the IP address and sends it back to the device’s DNS client over the encrypted QUIC connection.
7. The browser uses the IP address to load the website. The browser connects to the web server at the resolved IP address (e.g., 93.184.216.34), retrieves the website’s content, and displays it for the user.

Additionally, if the browser needs to resolve multiple domain names, it can send multiple queries over the same QUIC connection without waiting for previous DNS responses, thanks to QUIC’s capabilities. If any data packets are lost during transmission, QUIC’s built-in error correction can retransmit them without requiring a full restart of the connection.

Benefits of using DNS over QUIC

The benefits of using DNS over QUIC mostly revolve around its enhanced security and connectivity capabilities. However, compared to DoT and DoH protocols, in addition to these perks, DoQ usually also provides:

• Faster connection setup. QUIC reduces the number of round trips required to establish a secure connection, making it faster than other protocols.
• Resilience to data packet loss. Thanks to its properties, DoQ can handle minor network issues better than other DNS, meaning less buffering and fewer annoying loading wheels.
• Better performance for mobile networks. DoQ is also well-suited for mobile connections, allowing switching from Wi-Fi to cellular data without the need to refresh the connection.
• Reduced latency. Compared to traditional TCP-based DNS protocols, QUIC’s design minimizes connection overhead, making DNS queries faster.
• Resistance to traffic blocking. Due to QUIC’s UDP protocol, which is less commonly blocked by firewalls, DoQ can bypass restrictions that would typically hinder traditional DNS protocols, tipping the scales of the TCP vs. UDP debate in the UDP direction.
• Smaller attack surface. DoQ encrypted connection prevents attackers from easily targeting and exploiting vulnerabilities in DNS queries. That reduces the user’s attack surface, improving DNS security and making it safer for people to browse online.

IMPORTANT: DoQ protocol is usually faster and more secure than DoT and DoH. However, compared to simple DNS, DoQ lacks speed (while maintaining enhanced security).

Implementation of DoQ

You can implement DoQ in at least a few different ways. For example, you can change your internet settings to use a public DNS provider, like Google, which supports DoQ. That would require opening your internet settings and changing the primary DNS to 8.8.8.8 (Google’s DNS).

Or, better yet, you can reconfigure or set up a DoQ-friendly router (or DNS server) at home, to handle all your internet traffic securely for every device on your network. Some internet browsers are also already implementing DoQ in their settings, to ensure faster and more secure internet connection.

FAQ

Is DNS over QUIC good?

Yes, DNS over QUIC is the most advanced DNS security protocol available to web users. It provides faster connections (compared to other DNS protocols) and improved safety, safeguarding users from unwanted DNS address monitoring and interception.

Should I use DNS over QUIC?

Yes, you should use DNS over QUIC protocol if you want to enjoy faster and safer DNS resolution. DNS over QUIC will improve connection setup times, reduce latency, and provide a smoother browsing experience.

Is DNS over QUIC the same as DNS over HTTP/3?

No, DNS over QUIC is not the same as DNS over HTTP/3. While the HTTP/3 protocol runs on QUIC, both protocols use different ports and have different objectives. DoQ is focused solely on DNS tasks, while DoH3 encapsulates DNS queries within HTTP/3 requests and is more integrated into the web traffic along with protocols such as HTTP/2.

What is the default port for DNS over QUIC?

The default port for DNS over QUIC (DoQ) is 853, the same as for DNS over TLS (DoT). Both protocols are designed for secure DNS communication, ensuring privacy and encryption during DNS queries.