DNS over QUIC (DoQ)
What is DNS over QUIC (DoQ)?
DNS over QUIC (DoQ): A DNS transport (RFC 9250, 2022) that runs DNS queries over QUIC, providing the confidentiality and integrity of DoT/DoH with lower handshake latency, better connection migration, and QUIC's immunity to head-of-line blocking.
DNS over QUIC (DoQ), standardized as RFC 9250 in May 2022, is a third privacy-preserving DNS transport alongside DoT (RFC 7858, 2016) and DoH (RFC 8484, 2018). DoQ multiplexes DNS queries over a single QUIC connection, using QUIC's 1-RTT or 0-RTT handshake and its built-in TLS 1.3 encryption. Compared to DoT, DoQ avoids head-of-line blocking by carrying each DNS query in a separate QUIC stream; compared to DoH, it avoids HTTP/2 framing overhead and stays closer to the wire-format DNS that operators are used to. Connection migration (QUIC's ability to survive a client IP change) makes DoQ particularly attractive for mobile clients. Adoption is still mixed — Android resolvers, AdGuard DNS, NextDNS, and several enterprise resolvers support DoQ — but it is part of the broader move to encrypt all DNS traffic. From a security perspective DoQ provides the same confidentiality and integrity properties as DoT/DoH: it protects DNS metadata from on-path observers, defeats DNS injection by ISPs or rogue networks, and pairs with DNSSEC for end-to-end integrity.
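As an added illustration (not code from RFC 9250 or from any DoQ implementation), the Python below shows the stream-level framing RFC 9250 puts on top of QUIC: one query per stream, the same 2-octet length prefix as DNS over TCP, Message ID fixed to 0, and a response stream that may carry several messages. It builds a constructed sample query, frames it for a stream, and parses a stream payload back, rejecting the malformed frames a server treats as protocol errors; it uses only the standard library and opens no QUIC connection.

```python
import struct

# RFC 9250 facts used below: DoQ listens on UDP port 853 with ALPN "doq";
# each DNS message on a stream carries the same 2-octet length prefix as
# DNS over TCP; a query's Message ID MUST be 0 because the stream, not the
# ID, correlates query and response; a malformed frame is treated as a
# protocol error (DOQ_PROTOCOL_ERROR, 0x2). Everything else is illustrative.
DOQ_PORT = 853
DOQ_ALPN = b"doq"
DOQ_PROTOCOL_ERROR = 0x2
DNS_HEADER_LEN = 12

def build_query(qname: str, qtype: int = 1) -> bytes:
    """Constructed sample input: a minimal wire-format DNS query (RD=1, class IN).
    The Message ID is set to 0 up front, as DoQ requires."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_for_stream(msg: bytes) -> bytes:
    """Bytes a DoQ client writes to a fresh bidirectional stream before FIN."""
    if len(msg) < DNS_HEADER_LEN:
        raise ValueError("DNS message shorter than its 12-byte header")
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message does not fit the 16-bit length prefix")
    (msg_id,) = struct.unpack("!H", msg[:2])
    if msg_id != 0:
        raise ValueError(f"DoQ requires Message ID 0, got {msg_id:#06x}")
    return struct.pack("!H", len(msg)) + msg

def parse_stream(payload: bytes) -> list:
    """Split everything read from one stream (up to FIN) into DNS messages.
    A response stream may hold several messages (e.g. a zone transfer), so
    keep consuming length-prefixed frames; a short or truncated frame is the
    case a server answers with DOQ_PROTOCOL_ERROR and a connection close."""
    msgs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack("!H", payload[pos:pos + 2])
        pos += 2
        if n < DNS_HEADER_LEN or pos + n > len(payload):
            raise ValueError("frame shorter than a DNS header or truncated")
        msgs.append(payload[pos:pos + n])
        pos += n
    return msgs
```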
● Examples
- 01: An Android 11+ device uses DoQ to its configured Private DNS resolver, benefiting from 0-RTT lookups on already-known servers.
- 02: A privacy-focused resolver such as AdGuard or NextDNS publishes a DoT, DoH, and DoQ endpoint, letting clients pick whichever transport their OS supports.
● Frequently asked questions
What is DNS over QUIC (DoQ)?
A DNS transport (RFC 9250, 2022) that runs DNS queries over QUIC, providing the confidentiality and integrity of DoT/DoH with lower handshake latency, better connection migration, and QUIC's immunity to head-of-line blocking. It belongs to the Network Security category of cybersecurity.
What are other names for DNS over QUIC (DoQ)?
Common alternative names include: DoQ, RFC 9250.
● Related terms
- DNS over HTTPS (DoH): A protocol that encrypts DNS queries by transporting them inside HTTPS, preventing on-path observers from reading or modifying lookups.
- DNS over TLS (DoT): A protocol that encrypts DNS queries inside a dedicated TLS session, protecting them from eavesdropping and tampering on the wire.
- Oblivious HTTP (OHTTP): An IETF-standardized HTTP-over-HPKE relay protocol (RFC 9458) that decouples client identity from request content by splitting trust between a relay (sees IP, not content) and a gateway (sees content, not IP).
- HTTP/3 / QUIC: HTTP/3 (RFC 9114) is the HTTP mapping over QUIC (RFC 9000), a UDP-based, encrypted transport that integrates TLS 1.3 and provides per-stream multiplexing without head-of-line blocking.
- DNSSEC: A set of DNS extensions that uses digital signatures to let resolvers verify the authenticity and integrity of DNS records.
- TLS (Transport Layer Security): The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.