DNS over QUIC (DoQ).

A DNS transport (RFC 9250, 2022) that runs DNS queries over QUIC, providing the confidentiality and integrity of DoT/DoH with lower handshake latency, better connection migration, and head-of-line blocking immunity from QUIC. Es gehört zur Kategorie Netzwerksicherheit der Cybersicherheit.

A DNS transport (RFC 9250, 2022) that runs DNS queries over QUIC, providing the confidentiality and integrity of DoT/DoH with lower handshake latency, better connection migration, and head-of-line blocking immunity from QUIC.

DNS over QUIC (DoQ), standardized as RFC 9250 in May 2022, is a third privacy-preserving DNS transport alongside DoT (RFC 7858, 2016) and DoH (RFC 8484, 2018). DoQ multiplexes DNS queries over a single QUIC connection, using QUIC's 1-RTT or 0-RTT handshake and its built-in TLS 1.3 encryption. Compared to DoT, DoQ avoids head-of-line blocking by carrying each DNS query in a separate QUIC stream; compared to DoH, it avoids HTTP/2 framing overhead and stays closer to the wire-format DNS that operators are used to. Connection migration (QUIC's ability to survive a client IP change) makes DoQ particularly attractive for mobile clients. Adoption is still mixed — Android resolvers, AdGuard DNS, NextDNS, and several enterprise resolvers support DoQ — but it is part of the broader move to encrypt all DNS traffic. From a security perspective DoQ provides the same confidentiality/integrity properties as DoT/DoH: protects DNS metadata from on-path observers, defeats DNS-injection by ISPs or rogue networks, and pairs with DNSSEC for end-to-end integrity.

Schutzmaßnahmen gegen DNS over QUIC (DoQ) kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.

Übliche alternative Bezeichnungen: DoQ, RFC 9250.