How DNS over QUIC (DoQ) Works: Encrypted DNS Without Head-of-Line Blocking

DNS over QUIC (DoQ) is a protocol standardized in RFC 9250 that transports DNS queries and responses over QUIC connections, combining the privacy benefits of encrypted DNS with the performance advantages of a modern transport protocol. Unlike DNS over TLS (DoT), which layers DNS on top of TCP and then TLS, DoQ uses QUIC's native integration of TLS 1.3 at the transport layer. This eliminates TCP's head-of-line blocking, reduces connection setup latency to a single round-trip (or zero round-trips on resumed connections), and enables connection migration when a client changes networks -- all while maintaining the same encryption guarantees as DoT and DNS over HTTPS (DoH).

Why DNS Needs a Better Transport

Traditional DNS uses UDP port 53, sending queries and responses as unencrypted datagrams. This is fast -- a single round-trip for most queries -- but completely exposed. Anyone on the network path can read, log, and modify DNS traffic. The encrypted DNS protocols that followed each solved the privacy problem but introduced transport-layer compromises:

DoQ addresses the transport-layer deficiencies by building directly on QUIC, which was designed from the ground up to solve exactly these problems. QUIC integrates TLS 1.3 into its handshake, multiplexes independent streams without head-of-line blocking, and identifies connections by a connection ID rather than by IP address and port -- enabling seamless migration between networks.

How DoQ Works: Protocol Mechanics

DoQ operates on UDP port 853 -- the same port number as DoT, but over UDP instead of TCP. This reuse is deliberate: it allows network operators to apply the same firewall policies to both encrypted DNS protocols. The client connects to a DoQ-capable resolver, performs a QUIC handshake (which includes TLS 1.3 negotiation in the same flight), and then sends DNS queries on individual QUIC streams.

Each DNS query-response pair gets its own QUIC stream. The client opens a new bidirectional stream, sends the DNS query as the stream's payload, and the server responds on the same stream before closing it. Because QUIC streams are independent at the transport layer, packet loss affecting one stream does not block any other stream. Five concurrent DNS queries can complete independently, even if one encounters retransmission delays.

The DNS wire format used in DoQ is identical to the standard format defined in RFC 1035 -- the same binary encoding used for plaintext DNS, DoT, and DoH. Unlike DoT over TCP (which requires a two-byte length prefix per message), DoQ does not need length framing because each stream carries exactly one query-response exchange, and QUIC handles message boundaries natively through its stream abstraction.

DNS over QUIC Connection Flow (UDP Port 853) DoQ Client DoQ Resolver QUIC + TLS 1.3 Initial: ClientHello + QUIC transport params ServerHello + Certificate + Finished + handshake done Finished (connection established in 1-RTT) 1-RTT Encrypted -- Independent QUIC Streams Stream 0 DNS Query: A example.com DNS Response: 93.184.216.34 Stream 2 DNS Query: AAAA example.com DNS Response: 2606:2800:220:1:... Stream 4 DNS Query: MX example.com DNS Response: mail.example.com Packet loss on Stream 2 does NOT block Streams 0 or 4 Resumed connection: 0-RTT query sent with ClientHello

0-RTT: DNS Queries Before the Handshake Completes

QUIC supports 0-RTT (zero round-trip time) connection resumption. When a client has previously connected to a DoQ resolver and cached session tickets, it can send DNS queries in the very first packet of a new connection -- alongside the ClientHello. The resolver can process and respond to these queries before the handshake finishes, reducing the latency of the first query on a resumed connection to effectively zero additional round-trips beyond the query itself.

This is a significant advantage over DoT and DoH. With DoT, even TLS 1.3 session resumption requires one full round-trip before early data can be sent, and the early data mechanism (TLS 0-RTT) has limited support in DNS implementations due to replay concerns. With DoQ, 0-RTT is a first-class feature of the transport protocol, and QUIC provides built-in replay protection mechanisms that make it safer to use.

However, 0-RTT data is inherently vulnerable to replay attacks. An attacker who captures a 0-RTT DNS query packet can resend it to the resolver and receive the same response. For DNS, this is a limited risk -- the attacker learns the DNS answer for a query they already observed -- but RFC 9250 requires servers to implement replay mitigation. Practical approaches include tracking recently seen 0-RTT data or limiting 0-RTT to queries that are safe to replay (which describes most DNS lookups, since they are idempotent).

Stream Multiplexing and Head-of-Line Blocking

The most important technical advantage of DoQ over DoT is the elimination of head-of-line (HoL) blocking. This deserves detailed explanation because it has real performance implications for DNS resolution.

With DoT, a client that sends five DNS queries over a single TCP connection is sending them as a sequential byte stream. If the TCP segment carrying the second query's response is lost, the operating system's TCP stack will not deliver any subsequent data to the application until that segment is retransmitted and received. Queries 3, 4, and 5 may have their responses sitting in the kernel's receive buffer, fully arrived, but the application cannot read them. All five queries are coupled by the TCP byte stream.

DoQ eliminates this coupling. Each query-response pair uses a separate QUIC stream, and QUIC streams are independent at the transport layer. If the packet carrying the response to query 2 is lost, only stream 2 is stalled. Streams 0, 4, 6, and 8 (QUIC uses even-numbered client-initiated bidirectional streams) continue to deliver data to the application without delay. The resolver's responses to queries 3, 4, and 5 are delivered immediately, even while query 2 waits for retransmission.

On reliable, low-latency connections, this difference is marginal. But on mobile networks, satellite links, or congested paths where packet loss rates reach 1-5%, the difference is substantial. A stub resolver sending a burst of queries at the start of a page load (A, AAAA, MX, TXT records for multiple domains) benefits significantly from independent stream delivery.

Connection Migration

TCP connections are identified by a 4-tuple: source IP, source port, destination IP, destination port. If any of these change -- a mobile device switching from Wi-Fi to cellular, a NAT rebinding after an idle period, a VPN reconnecting -- the TCP connection breaks. The DoT or DoH client must establish a new connection, pay the full handshake cost again, and retry any in-flight queries.

QUIC identifies connections using a connection ID rather than the network 4-tuple. When a client's IP address changes, it can continue using the same QUIC connection by presenting its connection ID. The handshake state, encryption keys, and any pending queries carry over seamlessly. For a mobile user walking between Wi-Fi access points or transitioning between Wi-Fi and cellular, DNS resolution continues without interruption.

This is particularly valuable for DNS because DNS resolution is latency-critical. A broken DNS connection during a network transition can stall every subsequent network request until a new connection is established. With DoQ, the transition is invisible to the application layer.

Padding and Traffic Analysis Protection

Encrypted DNS protocols protect the content of queries from on-path observers, but they can still leak information through message sizes. DNS queries and responses have characteristic lengths -- a query for a.co produces a much shorter packet than one for very-long-subdomain.internal.corp.example.com. An observer performing traffic analysis can correlate message sizes, timing, and direction to infer which domains are being resolved, even without decrypting the traffic.

RFC 9250 addresses this with explicit padding requirements. DoQ implementations should pad DNS messages to reduce the information leaked through size correlation. The recommended approach follows the same strategy as RFC 8467: block-length padding, where queries are padded to the next multiple of a fixed block size (typically 128 bytes). This reduces the number of distinguishable message sizes from thousands to a small set, making traffic analysis significantly harder.

QUIC also provides additional padding capabilities at the transport layer. QUIC PADDING frames can be inserted into any packet, and QUIC's encryption makes it impossible for observers to distinguish padding from payload. DoQ implementations can leverage both DNS-level padding (EDNS0 padding option) and QUIC-level padding for defense in depth against traffic analysis.

Connection Coalescing

QUIC supports connection coalescing -- the ability to reuse a single QUIC connection for multiple purposes if the server's certificate covers multiple names. In the DoQ context, a resolver that serves multiple resolver identities (for example, a provider offering both a standard resolver and a malware-filtering resolver under different hostnames) can potentially serve both over a single QUIC connection if the certificate presented during the handshake is valid for both names.

Connection coalescing reduces the total number of connections a client needs to maintain and avoids duplicate handshake costs. However, its applicability to DoQ is more limited than to HTTP/3, where coalescing across different web origins is common. Most DoQ clients connect to a single resolver identity, so the benefit is primarily for multi-tenant resolver deployments.

DoQ vs. DoT vs. DoH: A Detailed Comparison

The three major encrypted DNS protocols each make different tradeoffs across performance, privacy, deployability, and network policy. Understanding these tradeoffs is essential for choosing the right protocol for a given deployment scenario.

Encrypted DNS: DoQ vs. DoT vs. DoH Dimension DoQ (RFC 9250) DoT (RFC 7858) DoH (RFC 8484) Port 853/UDP 853/TCP 443/TCP Transport QUIC (TLS 1.3) TCP + TLS 1.2/1.3 TCP + TLS + HTTP/2 First Query 1 RTT (0-RTT resume) 2-3 RTT 2-3 RTT HoL Blocking None Yes (TCP) Yes (TCP) Conn Migration Yes (QUIC CID) No No Blockability Easy (block 853/UDP) Easy (block 853/TCP) Hard (same as HTTPS) Overhead Minimal (QUIC frames) Low (length prefix) Higher (HTTP headers) RFC Year 2022 2016 2018 Deployment Early (AdGuard, etc.) Wide (Android, etc.) Wide (browsers) Best For Performance-sensitive, mobile, next-gen infra OS-level resolvers, enterprise networks Censorship resistance, browser integration

Latency

DoQ's latency advantage is most pronounced on the first query of a new connection. DoT and DoH both require a TCP handshake (1 RTT) followed by a TLS handshake (1 RTT with TLS 1.3), totaling 2 RTTs before the first query can be sent. DoQ's QUIC handshake combines transport and cryptographic setup into a single round-trip, so the first query completes in 1 RTT. On a resumed connection with cached session state, DoQ can achieve 0-RTT -- the query is sent in the first packet alongside the ClientHello.

For subsequent queries on an established connection, all three protocols perform similarly: approximately 1 RTT for query and response. The latency difference matters most for short-lived connections, cold starts (first DNS lookup after boot or network change), and scenarios with frequent reconnections (mobile devices, intermittent connectivity).

Privacy

All three protocols provide equivalent encryption strength -- they all use TLS 1.3 (DoQ mandates it; DoT and DoH support both TLS 1.2 and 1.3). The privacy differences lie elsewhere:

Deployability

DoH has the strongest deployability story because it uses port 443, which is already universally permitted through firewalls. DoT and DoQ both use port 853, which may be blocked by enterprise firewalls, ISPs, or state censors. DoQ faces an additional challenge: some networks block or rate-limit UDP traffic on non-standard ports, and QUIC's use of UDP can trigger UDP-specific middlebox interference.

Enterprise networks that want to enforce DNS policy generally prefer DoT over DoH because port 853 is easy to manage with firewall rules. DoQ shares this property -- it is easy to allow or block at the network level. DoH's resistance to blocking is a feature for individual privacy but a challenge for organizations that need to maintain DNS-based security controls.

Zone Transfer over QUIC (XoQ)

RFC 9250 defines not only stub-to-recursive DNS queries but also opens the door for DNS zone transfers over QUIC. Traditional zone transfers (AXFR and IXFR) use TCP because zone data can be large -- a full zone transfer for a major domain might be megabytes. Running zone transfers over QUIC provides the same benefits as DoQ for regular queries: encryption of the transfer data, reduced latency for connection setup, and independent stream multiplexing.

Zone Transfer over QUIC (XoQ) is particularly interesting for authoritative DNS operators. Zone data contains the complete record set for a domain and is a valuable target for reconnaissance. Encrypting zone transfers prevents passive observers from seeing the contents of zone updates as they propagate between primary and secondary nameservers. While TSIG (Transaction Signature) has long provided authentication and integrity for zone transfers, it does not encrypt the data in transit.

XoQ uses the same QUIC connection semantics as DoQ. Each zone transfer operation can use its own QUIC stream, and multiple concurrent transfers (for different zones or incremental updates) can proceed in parallel without head-of-line blocking. For authoritative server operators managing thousands of zones, this parallelism can significantly reduce the time required to propagate zone updates across a distributed nameserver infrastructure.

Implementation and Adoption

DoQ adoption is still in its early stages compared to DoT and DoH, but it is growing as QUIC libraries mature and resolver software adds support.

Resolver Support

Client Support

Server Software

UDP Blocking and Fallback

One practical challenge for DoQ deployment is that some networks aggressively filter or rate-limit UDP traffic. Enterprise firewalls, hotel captive portals, and cellular carriers may block UDP on port 853 while allowing TCP on the same port. Since DoT uses TCP/853, it often works in environments where DoQ does not.

RFC 9250 does not specify a mandatory fallback behavior, but practical implementations typically follow a preference order: try DoQ first, fall back to DoT if UDP/853 is blocked, and potentially fall back further to DoH over port 443 if TCP/853 is also blocked. This cascading fallback ensures that DNS encryption is maintained even in restrictive network environments, at the cost of additional connection setup time when fallback is needed.

The UDP blocking problem is not unique to DoQ -- it affects QUIC-based HTTP/3 as well. Browsers have developed sophisticated fallback logic (sometimes called "happy eyeballs" for QUIC) that races a QUIC connection attempt against a TCP connection and uses whichever succeeds first. DoQ clients may adopt similar strategies, racing DoQ and DoT connection attempts in parallel and committing to whichever handshake completes first.

Security Considerations

DoQ inherits QUIC's security properties, which are built on TLS 1.3. Several security aspects are specific to DoQ:

The Future of DoQ

DoQ's trajectory depends on several factors that are still unfolding:

In the near term, DoQ is most likely to see adoption in privacy-focused applications (ad blockers, VPN clients, dedicated DNS tools) and by technically sophisticated users who configure their own resolvers. Broad consumer deployment awaits OS vendor support, which will likely follow the same pattern as DoT and DoH: years of standardization and experimentation followed by a platform vendor announcement that drives rapid adoption.

DoQ in the Context of Internet Architecture

DNS over QUIC is part of a larger trend of migrating internet infrastructure protocols from unencrypted, decades-old transports to modern, encrypted ones. DNS queries, BGP route announcements, NTP time synchronization -- these foundational protocols were designed when the internet was a trusted research network, and their plaintext nature has become a liability as the internet has grown to carry sensitive personal and commercial traffic.

The encrypted DNS stack -- whether DoT, DoH, or DoQ -- protects the content of DNS queries from on-path observers. But the routes that carry that encrypted traffic are themselves determined by BGP, which announces reachability information across the global internet. An observer may not be able to read your DoQ queries, but they can see that you are connecting to 1.1.1.1 or 8.8.8.8 by examining the IP packets. The BGP routing table determines which autonomous systems your encrypted DNS traffic traverses on its way to the resolver.

Explore DNS Resolver Infrastructure

Use the god.ad BGP Looking Glass to examine the network infrastructure behind major DoQ-capable resolvers. Look up Cloudflare's 1.1.1.1 to see how AS13335's anycast network provides low-latency paths to their resolver from anywhere on the internet. Examine Google's 8.8.8.8 via AS15169 to understand their resolver's BGP connectivity. Trace the routes to Quad9's 9.9.9.9 to see how a non-profit resolver distributes its infrastructure globally. The routes to these resolvers are the physical paths that your encrypted DNS queries -- whether DoQ, DoT, or DoH -- actually traverse.

See BGP routing data in real time

Open Looking Glass
More Articles
How DNS Load Balancing Works: From Round-Robin to Global Server Load Balancing
How DNS over TLS (DoT) Works: Encrypting DNS on Port 853
What is BGP? The Internet's Routing Protocol Explained
What is an Autonomous System (AS)?
What is a BGP Looking Glass?
How to Look Up an IP Address's BGP Route