
DNS over QUIC (DoQ) encrypts DNS traffic between a client and its resolver, protecting queries and answers from eavesdropping and tampering by anyone on the network path.
QUIC (originally Google's Quick UDP Internet Connections, since standardised by the IETF as RFC 9000) is a transport protocol that runs over UDP and has TLS 1.3 built in. It is designed to set up connections faster and to tolerate packet loss better than TCP with TLS layered on top.
By encrypting DNS traffic, DoQ stops on-path attackers from reading or rewriting queries and responses. Be precise about what it hides: a network observer can no longer see which names a client looks up, but the resolver operator still sees every query, and the IP addresses the client then connects to remain visible.
The protocol also cuts connection-setup latency compared with DNS over TLS and DNS over HTTPS, which benefits users and resolver operators alike.
What is DNS Over QUIC?
DNS over QUIC (DoQ) carries DNS messages over the QUIC transport, which encrypts and protects them. QUIC itself is a general-purpose transport that a wide variety of application protocols can use; DoQ is one such mapping, standardised in RFC 9250.
DoQ has the same basic purpose as DNS over HTTPS (DoH) and DNS over TLS (DoT): safeguarding the confidentiality of DNS traffic.
DoQ's key benefit is that it recovers much of the latency advantage plain UDP DNS had before DNSSEC-sized answers and the TCP-based encrypted transports (DoT and DoH) became common: a QUIC connection needs a single round trip to set up (none when resuming a previous session) and never falls back to TCP for large answers.
AdGuard launched the first public DoQ resolver in 2020.
Native Mapping

RFC 9250 defines a native mapping of DNS onto QUIC for every hop where DNS is spoken: stub resolver to recursive resolver, recursive resolver to authoritative name server, and name server to name server for zone transfers.
This native mapping resembles DoH over HTTP/3, but the RFC's authors argue that dropping the HTTP layer is more efficient and is justified on privacy grounds, since HTTP adds headers and other metadata that DNS does not need.
Each DNS query is sent on its own QUIC stream inside an established connection (QUIC performs the TLS 1.3 handshake itself; there is no separate TLS session). Because streams are delivered independently, a lost packet delays only the answer it carried, avoiding the head-of-line blocking that DoT and DoH suffer when several queries share one TCP connection. The mapping rules are simple: the DNS message ID is set to zero, every message is prefixed with a 2-octet length field, one query travels per stream, and each side closes its end of the stream with FIN after its last message.
DoQ is assigned UDP port 853, the same port number DoT uses on TCP.
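The stream rules above, modelled in plain Python as an added example (this is not code from RFC 9250, Unbound or AdGuard). It builds queries with message ID 0, applies the 2-octet length prefix, and plays the server side of one stream: a non-zero ID, a truncated frame, an edns-tcp-keepalive option or a second query on the same stream is rejected with DOQ_PROTOCOL_ERROR. The query names are constructed for the example and nothing is sent over the network.

```python
"""DoQ (RFC 9250) stream framing modelled offline; added example, not a real client."""
import struct

# Application error codes defined by RFC 9250
DOQ_NO_ERROR = 0x0
DOQ_INTERNAL_ERROR = 0x1
DOQ_PROTOCOL_ERROR = 0x2
DOQ_REQUEST_CANCELLED = 0x3
DOQ_EXCESSIVE_LOAD = 0x4
DOQ_UNSPECIFIED_ERROR = 0x5

EDNS_TCP_KEEPALIVE = 11   # EDNS option code (RFC 7828); RFC 9250 forbids it in DoQ
TYPE_OPT = 41


class DoqProtocolError(Exception):
    """Raised where a DoQ endpoint would abort the stream with DOQ_PROTOCOL_ERROR."""
    code = DOQ_PROTOCOL_ERROR


def encode_name(name):
    """Domain name in DNS wire format (no compression)."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def skip_name(msg, off):
    """Offset just past the name at msg[off:], handling compression pointers."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # two-byte pointer ends the name
            return off + 2
        off += 1 + n


def has_edns_option(msg, wanted_code):
    """Walk every resource record; report whether an OPT RR carries wanted_code."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                    # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_OPT:
            pos, end = off, off + rdlen
            while pos + 4 <= end:
                code, olen = struct.unpack_from("!HH", msg, pos)
                if code == wanted_code:
                    return True
                pos += 4 + olen
        off += rdlen
    return False


def build_query(name, qtype=1, edns_options=()):
    """Wire-format query with an OPT RR. RFC 9250 4.2.1: the message ID MUST be 0,
    because the stream, not the ID, ties a response to its query."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)   # ID=0, RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in edns_options)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(rdata)) + rdata
    return header + question + opt


def frame(message):
    """RFC 9250 4.2: each message on a stream is preceded by a 2-octet length field."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too large for the 16-bit length prefix")
    return struct.pack("!H", len(message)) + message


def unframe(stream_data):
    """Split the bytes received on one stream into DNS messages, enforcing the DoQ rules."""
    messages, off = [], 0
    while off < len(stream_data):
        if off + 2 > len(stream_data):
            raise DoqProtocolError("truncated length prefix")
        (length,) = struct.unpack_from("!H", stream_data, off)
        body = stream_data[off + 2:off + 2 + length]
        if length < 12 or len(body) < length:
            raise DoqProtocolError("truncated or undersized DNS message")
        if body[:2] != b"\x00\x00":
            raise DoqProtocolError("DNS message ID must be 0 in DoQ")
        try:
            keepalive = has_edns_option(body, EDNS_TCP_KEEPALIVE)
        except (IndexError, struct.error):
            raise DoqProtocolError("malformed DNS message")
        if keepalive:
            raise DoqProtocolError("edns-tcp-keepalive is not allowed in DoQ")
        messages.append(body)
        off += 2 + length
    return messages


def server_handle(stream_data):
    """Server side of one client-initiated stream: (response frame, error code).
    Exactly one query per stream; a violation resets the stream with DOQ_PROTOCOL_ERROR."""
    try:
        queries = unframe(stream_data)
    except DoqProtocolError as e:
        return None, e.code
    if len(queries) != 1:
        return None, DOQ_PROTOCOL_ERROR
    q = queries[0]
    # Minimal NOERROR answer: QR=1, RD=1, RA=1, question and OPT echoed, ID still 0.
    return frame(q[:2] + struct.pack("!H", 0x8180) + q[4:]), DOQ_NO_ERROR


def simulate_exchange(names):
    """Each query takes the next client-initiated bidirectional stream (IDs 0, 4, 8, ...),
    the client sends FIN after it, the server answers on the same stream. Returns
    {stream_id: response}; a slow answer on one stream never delays another."""
    responses = {}
    for i, name in enumerate(names):
        wire, err = server_handle(frame(build_query(name)))
        responses[4 * i] = unframe(wire)[0] if err == DOQ_NO_ERROR else None
    return responses
```

The checks in unframe are the ones a resolver must make before trusting stream data: a length prefix that overruns the stream, or a body shorter than twelve bytes, is a framing violation rather than something to wait on, and the ID and keepalive rules are what distinguish a DoQ peer from a DoT client that was pointed at the wrong port.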
Implementations
AdGuard has been particularly proactive in implementing DoQ, incorporating it into their public DNS service, the AdGuard Home resolver, and their apps and plugins some eighteen months ago (at the time of writing). Because DoT stayed enabled by default during that period, only about 1 percent of their inbound traffic used DoQ.

AdGuard plans to enable DoQ by default now that standardisation is complete. Their use of the Go programming language for most of their software means their implementations are unlikely to be reused directly by other DNS server projects, most of which are written in C.
NextDNS also supports DoQ, with its name servers recently upgraded to the final RFC 9250 version of the protocol.
The first step in bringing DoQ to the PowerDNS server software will be outbound DoQ support in the dnsdist load balancer, which in most deployments sits in front of the PowerDNS server; this is planned for the autumn as part of Google Summer of Code.
Inbound DoQ support for dnsdist and the PowerDNS Recursor will follow later, as the developers depend on the ngtcp2 library (from the nghttp2 project), which is set to replace the h2o library in PowerDNS.
NLnet Labs are currently adding DoQ support to the Unbound resolver.
Configuration and Metrics
Test
The doqclient test tool ships in the Unbound source tree and is built from a source directory configured with QUIC support (the --with-libngtcp2 configure option).
For debugging, start Unbound attached to the console with ./unbound -d -c theconfig.conf; it stops on Ctrl-C or a TERM signal.
To send a query with the test tool, run ./doqclient -s 127.0.0.1 -p 2853 www.example.com, assuming the server is listening for DoQ queries on port 2853.
Add the -v option to make the test tool print more diagnostics.
For more information from the server side, configure a logfile and verbosity: 4 or higher, which also logs internal information from libngtcp2 about the DoQ transport.
Configuration
DoQ is configured in the server: section of unbound.conf. Unbound does not listen for DoQ unless an interface is bound to the QUIC port: quic-port sets that port number (853 by default), and any interface: line whose port matches it serves DoQ over UDP.
For testing, an unprivileged port such as quic-port: 2853 keeps DoQ traffic separate from the ordinary DNS traffic on port 53.
Listing several interfaces with that port, for example interface: ::1@2853 and interface: 127.0.0.1@2853, makes each of them a DoQ listener. Because DoQ uses only UDP, the TCP side of the same interface and port can still carry DNS over TCP, DNS-over-TLS or DNS-over-HTTPS; which one depends on whether the port number also matches tls-port or https-port.
Unbound also needs a TLS certificate and private key for DoQ, set with tls-service-key and tls-service-pem; without them the QUIC handshake cannot complete and no DoQ connection can be established.
The memory available for QUIC connection state is capped by quic-size (for example quic-size: 8m). When the cap is reached, new connections and queries are turned away rather than consuming unbounded memory, which also bounds what an abusive client can make the resolver hold.
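The options above put together for a test listener on port 2853, as an added example configuration (not copied from the Unbound documentation; the log path and the certificate and key paths are assumptions):

```conf
server:
    # Added example: DoQ test listener on port 2853. Log, key and certificate
    # paths are placeholders for this example.
    verbosity: 4                       # 4 or higher also logs libngtcp2 internals
    logfile: "/var/log/unbound/doq-test.log"

    interface: 127.0.0.1@53            # ordinary DNS stays on port 53
    interface: 127.0.0.1@2853          # DoQ listeners: UDP on the quic-port
    interface: ::1@2853

    quic-port: 2853                    # without this line the 2853 interfaces
                                       # would serve plain DNS, not DoQ
    quic-size: 8m                      # memory budget for QUIC state; new
                                       # connections are refused once exhausted

    tls-service-key: "/etc/unbound/doq.key"
    tls-service-pem: "/etc/unbound/doq.pem"
```

Start it attached to the console with ./unbound -d -c doq-test.conf and query it with ./doqclient -s 127.0.0.1 -p 2853 www.example.com. For a production listener, leave quic-port at its default of 853 (the same default as tls-port) and bind interface: 0.0.0.0@853; that single interface then serves DoT on TCP and DoQ on UDP with the same certificate.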
Metrics

The num.query.quic statistic counts the queries received over QUIC; watch it to confirm that DoQ traffic is actually arriving once clients are switched over.
The mem.quic statistic shows the memory currently held by QUIC connection state. Compare it with the configured quic-size: steady growth towards the cap points to a leak or to clients holding too many connections open, and hitting the cap means new DoQ clients are being turned away.
Both counters are read with unbound-control stats (or stats_noreset, which reads without clearing them). To generate DoQ queries for a test, use a DoQ-capable client such as the doqclient tool described above; dig does not speak DoQ.
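A small check over the counters, as an added example (not Unbound's own tooling): it parses the name=value lines that unbound-control stats prints, computes the QUIC share of all queries, and compares mem.quic with the quic-size cap from the configuration. The stats output below is constructed for the example.

```python
"""Added example: evaluate Unbound's DoQ counters from unbound-control stats output."""

# Constructed sample of unbound-control stats output (name=value lines).
SAMPLE_STATS = """\
total.num.queries=240000
num.query.tcp=1200
num.query.tls=5600
num.query.quic=18000
mem.quic=7340032
"""


def parse_stats(text):
    """Turn name=value lines into a dict; numeric values become int or float."""
    stats = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        for conv in (int, float, str):
            try:
                stats[key] = conv(value)
                break
            except ValueError:
                continue
    return stats


def parse_size(value):
    """Parse an unbound.conf size such as '8m' or '512k' into bytes (1024-based)."""
    units = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
    v = value.strip().lower()
    if v and v[-1] in units:
        return int(float(v[:-1]) * units[v[-1]])
    return int(v)


def doq_health(stats, quic_size="8m", mem_warn_ratio=0.8):
    """QUIC share of all queries and whether mem.quic is close to the quic-size cap."""
    total = stats.get("total.num.queries", 0)
    quic = stats.get("num.query.quic", 0)
    cap = parse_size(quic_size)
    used = stats.get("mem.quic", 0)
    return {
        "quic_share": quic / total if total else 0.0,
        "mem_ratio": used / cap if cap else 0.0,
        "mem_warning": cap > 0 and used >= mem_warn_ratio * cap,
    }


if __name__ == "__main__":
    print(doq_health(parse_stats(SAMPLE_STATS), quic_size="8m"))
```

The quic-size argument must match what unbound.conf actually sets; the warning threshold is the point at which to raise the cap or investigate which clients are holding connections open, since past it legitimate DoQ clients start being refused.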
Security and Performance
DNS over QUIC (DoQ) improves both security and performance over classic DNS on UDP port 53. It encrypts DNS traffic, so an on-path observer cannot read which names a client looks up or forge answers; the resolver itself, of course, still sees every query.
DoQ recovers much of the speed that plain UDP DNS offered before DNSSEC-sized answers and TCP-based encrypted transports added round trips, while removing the weaknesses of unencrypted UDP: unauthenticated UDP answers can be spoofed, and a bare UDP server can be abused as an amplifier against spoofed source addresses. QUIC's address validation (the Retry mechanism and the rule that a server may send at most three times the bytes it has received to an address it has not yet validated) bounds the amplification factor.
QUIC mandates TLS 1.3 for every connection and is designed to avoid head-of-line blocking, which makes DoQ more reliable on networks with high packet loss rates.
Here are the main advantages of DoQ:
- Encrypts DNS traffic with TLS 1.3
- More reliable in networks with high packet loss rates
- Establishes a connection much faster (one round trip, or none when resuming a session)
- Supports connection migration (although the implementations discussed here do not use it yet)
Is DNS-over-QUIC Worth It?
DNS-over-QUIC encrypts DNS traffic, so nobody on the network between you and the resolver can see which names you look up. The resolver you choose still sees them, so the privacy gain depends on trusting that operator.
This keeps browsing activity private from the local network and adds a layer of integrity protection against tampered answers.
QUIC is designed to solve head-of-line blocking, which makes it better suited to networks with high packet loss rates, such as mobile data in elevators or tunnels, and therefore especially useful on public Wi-Fi or mobile networks.
Faster connection establishment matters most when switching between Wi-Fi and mobile networks, for example when leaving home; QUIC's connection migration, once implemented, would let an existing DoQ connection survive that address change instead of starting over.
Shared TLS Handshake
QUIC carries its packets over UDP rather than TCP, which lets it implement its own loss recovery and congestion control in user space and avoid the head-of-line blocking inherent in a single TCP byte stream.
A single TLS 1.3 handshake, integrated into the QUIC connection setup, protects all the streams multiplexed on that connection; there is no separate handshake per stream or per query.
This streamlined setup gives faster connection establishment with no loss of security, which matters for latency-sensitive exchanges such as DNS.
HTTP/3 is the mapping of HTTP semantics onto QUIC (with TLS 1.3 built in) and replaces the HTTP/2-over-TCP stack; DoH can run over HTTP/3, while DoQ is the leaner alternative that drops the HTTP layer altogether.
Team and Standard Evolution
Team Nlnet Labs

NLnet Labs is the team that implemented DNS-over-QUIC (DoQ) in Unbound.
In Unbound's implementation the QUIC protocol is attached to a UDP socket; once the DoQ handshake for a connection has completed, queries arriving on it are handled immediately, like any other query.
They used the ngtcp2 library for QUIC support, because OpenSSL had no QUIC API at the time of implementation.
ngtcp2 supports several cryptography backends, which provide the TLS 1.3 handshake and record protection used inside the QUIC connection.
Unbound already uses OpenSSL for its other cryptography, but ngtcp2 needs a patched OpenSSL that exposes the QUIC API; it uses that library for its crypto functions only, not for Unbound's main code paths.
ngtcp2 and the patched OpenSSL it depends on were not available from distribution package repositories at the time, making them harder to install than stock OpenSSL.
How Has the Standard Evolved?
The standard has evolved significantly since the early drafts, which covered only the stub-to-recursive hop. DNS-over-QUIC can now be used between recursive and authoritative DNS servers as well.

This expansion matters: in the long term every DNS exchange, not just the first hop, can be encrypted.
With authoritative servers and zone transfers covered, DNS-over-QUIC can replace the unencrypted protocol in every situation where it was previously used.
What's New for AdGuard?
AdGuard adopts new protocols early, and DNS-over-QUIC (DoQ) is one they have backed since before it was standardised.
AdGuard DNS now fully supports the RFC 9250 version of DoQ, and the earlier "draft" versions remain supported so that older clients keep working.
AdGuard Home has already adopted the final standard, making it an easy way to try DoQ.
All of AdGuard's apps will switch to the standard version, and the "experimental" mark will be removed from the interface.
The DoQ benefits AdGuard highlights:
- Faster connection establishment
- Encryption built into the transport (TLS 1.3)
- Better tolerance of packet loss (no head-of-line blocking)
- Connection migration
AdGuard also plans to publish its DNS code, which will let developers incorporate DoQ into their own apps.