DNS over QUIC (DoQ)
DNS over QUIC (DoQ) 是什么?
DNS over QUIC (DoQ)A DNS transport (RFC 9250, 2022) that runs DNS queries over QUIC, providing the confidentiality and integrity of DoT/DoH with lower handshake latency, better connection migration, and head-of-line blocking immunity from QUIC.
DNS over QUIC (DoQ), standardized as RFC 9250 in May 2022, is a third privacy-preserving DNS transport alongside DoT (RFC 7858, 2016) and DoH (RFC 8484, 2018). DoQ multiplexes DNS queries over a single QUIC connection, using QUIC's 1-RTT or 0-RTT handshake and its built-in TLS 1.3 encryption. Compared to DoT, DoQ avoids head-of-line blocking by carrying each DNS query in a separate QUIC stream; compared to DoH, it avoids HTTP/2 framing overhead and stays closer to the wire-format DNS that operators are used to. Connection migration (QUIC's ability to survive a client IP change) makes DoQ particularly attractive for mobile clients. Adoption is still mixed — Android resolvers, AdGuard DNS, NextDNS, and several enterprise resolvers support DoQ — but it is part of the broader move to encrypt all DNS traffic. From a security perspective DoQ provides the same confidentiality/integrity properties as DoT/DoH: protects DNS metadata from on-path observers, defeats DNS-injection by ISPs or rogue networks, and pairs with DNSSEC for end-to-end integrity.
● 示例
- 01
An Android 11+ device uses DoQ to its configured Private DNS resolver, benefiting from 0-RTT lookups on already-known servers.
- 02
A privacy-focused resolver such as AdGuard or NextDNS publishes a DoT, DoH, and DoQ endpoint, letting clients pick whichever transport their OS supports.
● 常见问题
DNS over QUIC (DoQ) 是什么?
A DNS transport (RFC 9250, 2022) that runs DNS queries over QUIC, providing the confidentiality and integrity of DoT/DoH with lower handshake latency, better connection migration, and head-of-line blocking immunity from QUIC. 它属于网络安全的 网络安全 分类。
DNS over QUIC (DoQ) 是什么意思?
A DNS transport (RFC 9250, 2022) that runs DNS queries over QUIC, providing the confidentiality and integrity of DoT/DoH with lower handshake latency, better connection migration, and head-of-line blocking immunity from QUIC.
DNS over QUIC (DoQ) 是如何工作的?
DNS over QUIC (DoQ), standardized as RFC 9250 in May 2022, is a third privacy-preserving DNS transport alongside DoT (RFC 7858, 2016) and DoH (RFC 8484, 2018). DoQ multiplexes DNS queries over a single QUIC connection, using QUIC's 1-RTT or 0-RTT handshake and its built-in TLS 1.3 encryption. Compared to DoT, DoQ avoids head-of-line blocking by carrying each DNS query in a separate QUIC stream; compared to DoH, it avoids HTTP/2 framing overhead and stays closer to the wire-format DNS that operators are used to. Connection migration (QUIC's ability to survive a client IP change) makes DoQ particularly attractive for mobile clients. Adoption is still mixed — Android resolvers, AdGuard DNS, NextDNS, and several enterprise resolvers support DoQ — but it is part of the broader move to encrypt all DNS traffic. From a security perspective DoQ provides the same confidentiality/integrity properties as DoT/DoH: protects DNS metadata from on-path observers, defeats DNS-injection by ISPs or rogue networks, and pairs with DNSSEC for end-to-end integrity.
如何防御 DNS over QUIC (DoQ)?
针对 DNS over QUIC (DoQ) 的防御通常结合技术控制与运营实践,详见上方完整定义。
DNS over QUIC (DoQ) 还有哪些其他名称?
常见的别称包括: DoQ, RFC 9250。
● 相关术语
- network-security№ 374
DNS over HTTPS (DoH)
通过将 DNS 查询封装在 HTTPS 中传输的协议,可防止路径上的观察者读取或篡改查询。
- network-security№ 376
DNS over TLS (DoT)
在专用 TLS 会话中加密 DNS 查询的协议,防止其在网络上被窃听或篡改。
- network-security№ 841
Oblivious HTTP (OHTTP)
An IETF-standardized HTTP-over-HPKE relay protocol (RFC 9458) that decouples client identity from request content by splitting trust between a relay (sees IP, not content) and a gateway (sees content, not IP).
- network-security№ 555
HTTP/3 / QUIC
HTTP/3(RFC 9114)是 HTTP 在 QUIC(RFC 9000)之上的映射,QUIC 是基于 UDP 的加密传输协议,内置 TLS 1.3 并按流多路复用,无队头阻塞。
- network-security№ 380
DNSSEC
一组 DNS 扩展,通过数字签名使解析器能够验证 DNS 记录的真实性和完整性。
- network-security№ 1279
TLS(传输层安全)
由 IETF 标准化的加密协议,为两个联网应用之间的通信提供机密性、完整性与认证。