
What is DNS over QUIC (DoQ)? – GreenCloud
We are pleased to announce that DNS over QUIC, a very promising protocol, has become a proposed standard. We believe that DNS over QUIC is better than other popular alternatives (DNS over HTTPS, DNS over TLS) and has the potential to completely replace legacy unencrypted DNS protocols.
What is DNS over QUIC (DoQ)?
DNS over QUIC is a protocol that aims to improve the privacy and security of Domain Name System (DNS) lookups by transporting DNS queries and responses over the QUIC transport protocol instead of traditional UDP or TCP.
Overview of the QUIC Protocol
QUIC traces its origins back to Google, which originally developed it as an experimental transport for its own internet traffic. Since then, the Internet Engineering Task Force (IETF) has been working to standardize QUIC to make it widely available and interoperable.
Compared to traditional protocols such as TCP and UDP, QUIC offers several advantages, such as faster connection times, built-in encryption, and improved reliability. However, there are several drawbacks and limitations to consider, such as the increased complexity of the protocol and its potential impact on the network infrastructure.
Connection migration is a key feature of QUIC that allows you to seamlessly move connections between IP addresses without losing data or breaking connectivity. This is especially useful when your device is switching between networks, such as switching from Wi-Fi to mobile data.
Another important feature is 0-RTT connection establishment, which significantly reduces the time needed to establish a secure connection.
QUIC also uses stream multiplexing, which allows simultaneous requests to be processed without blocking each other, further increasing its efficiency.
Finally, built-in encryption provided by TLS 1.3 ensures that your data remains secure and private in transit.
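To make the "DNS over QUIC" part concrete, the following Python snippet is an added example written for this article (it is not code from GreenCloud or from any DoQ implementation). It shows how a DNS message is framed for a DoQ stream according to RFC 9250: each query travels on its own QUIC stream, the message carries a 2-byte length prefix (the same framing as DNS over TCP and DoT), and the DNS message ID is set to zero because the stream, not the ID, ties a response to its query. The QUIC connection itself is not implemented here; only the message encoding and decoding that would be written to and read from a stream. The ALPN token "doq" and UDP port 853 are the values from RFC 9250; the query name is a constructed sample.

```python
import struct
from typing import List

# Values from RFC 9250 (DNS over Dedicated QUIC Connections).
DOQ_ALPN = b"doq"   # ALPN token negotiated in the TLS 1.3 handshake inside QUIC
DOQ_PORT = 853      # default UDP port for DoQ


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query in RFC 1035 wire format.

    The message ID is 0, as RFC 9250 section 4.2.1 requires for DoQ: each
    query gets its own QUIC stream, so the ID is not needed for matching."""
    # ID=0, flags=0x0100 (RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def frame_for_doq(message: bytes) -> bytes:
    """Prefix a DNS message with its 2-byte big-endian length (RFC 9250 section 4.2)."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too large for a 2-byte length prefix")
    return struct.pack("!H", len(message)) + message


def unframe_doq_stream(data: bytes) -> List[bytes]:
    """Split the bytes read from one DoQ stream into DNS messages.

    A query stream normally carries exactly one message; a response stream may
    carry several (for example the multiple messages of a zone transfer)."""
    messages = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from("!H", data, offset)
        offset += 2
        if len(data) - offset < length:
            raise ValueError("truncated DNS message")
        messages.append(data[offset:offset + length])
        offset += length
    return messages


def check_doq_message_id(message: bytes) -> bool:
    """RFC 9250 section 4.2.1: the message ID MUST be 0. A receiver that sees a
    non-zero ID treats the stream as a protocol error (DOQ_PROTOCOL_ERROR)."""
    return len(message) >= 2 and struct.unpack("!H", message[:2])[0] == 0


if __name__ == "__main__":
    # Constructed sample: the bytes a client would write to a new bidirectional
    # stream for an A query, followed by a FIN to close its sending side.
    query = build_query("example.com")
    stream_bytes = frame_for_doq(query)
    print(f"ALPN={DOQ_ALPN!r} port={DOQ_PORT} stream payload={stream_bytes.hex()}")
    for msg in unframe_doq_stream(stream_bytes):
        print("message id ok:", check_doq_message_id(msg))
```

The zero message ID is worth remembering when writing detection or parsing logic: a DoQ decoder that reuses a UDP DNS parser's ID-matching logic will silently mis-correlate responses, while a conforming peer will abort the stream on any non-zero ID.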
What are the security advantages of DNS over QUIC?
Encryption and privacy are at the fore in DNS over QUIC. DoQ’s default use of TLS 1.3 ensures that your DNS requests are encrypted, protecting your data from eavesdropping and spoofing. This level of security is essential to protect your privacy and your online activities.
Along with encryption, DoQ helps mitigate common DNS attacks. Its resilience against Distributed Denial of Service (DDoS) attacks comes from the fact that QUIC requires clients to prove their IP address ownership before fully establishing a connection, preventing attackers from flooding servers with fake requests.
In addition, DoQ reduces the risk of amplification attacks because the connection-oriented nature of QUIC prevents attackers from using DNS servers to amplify and reflect attack traffic.
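The two paragraphs above rest on QUIC's address-validation rules, so here is an added Python model of them, written for this article rather than taken from GreenCloud or any QUIC stack. It models three mechanisms from RFC 9000: a client Initial must be padded to at least 1200 bytes, a server may send at most three times the bytes it has received to an address it has not yet validated, and a Retry token (here an HMAC over the claimed source address) lets only a host that really receives traffic at that address complete the handshake. The flight and Retry sizes and the IP addresses are constructed values; `ToyQuicServer` and `amplification_factor` are names invented for the example. Comparing the resulting worst case (3x) with a classic UDP DNS reflection (a small query answered by a multi-kilobyte response) shows why the connection-oriented design limits amplification.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

# Values from RFC 9000, the QUIC transport standard.
MIN_INITIAL_SIZE = 1200   # sec 14.1: client Initial datagrams are padded to at least 1200 bytes
AMPLIFICATION_LIMIT = 3   # sec 8.1: before address validation, send at most 3x the bytes received

# Sizes constructed for this model (not from any specification or implementation).
SERVER_FLIGHT_SIZE = 4500   # Initial + Handshake flight carrying a certificate chain
RETRY_SIZE = 120            # a Retry packet carries little more than the token


class ToyQuicServer:
    """Simplified model of QUIC address validation and the anti-amplification limit.

    Written for this article as an illustration; it is not a QUIC implementation and
    only tracks per-address byte budgets and Retry tokens."""

    def __init__(self, token_key: Optional[bytes] = None) -> None:
        self._key = token_key or secrets.token_bytes(32)
        self._received: Dict[str, int] = {}
        self._sent: Dict[str, int] = {}
        self.validated: Set[str] = set()

    def _token(self, addr: str) -> bytes:
        # The Retry token is bound to the claimed source address. A spoofer who
        # forges a victim's address never receives it and so cannot echo it back.
        return hmac.new(self._key, addr.encode("ascii"), hashlib.sha256).digest()

    def budget_remaining(self, addr: str) -> int:
        """Bytes the server may still send to an address it has not validated."""
        return AMPLIFICATION_LIMIT * self._received.get(addr, 0) - self._sent.get(addr, 0)

    def _send(self, addr: str, action: str, wanted: int) -> Tuple[str, int, bytes]:
        allowed = wanted if addr in self.validated else min(wanted, self.budget_remaining(addr))
        self._sent[addr] = self._sent.get(addr, 0) + allowed
        return (action, allowed, b"")

    def on_initial(self, addr: str, datagram_len: int, token: bytes = b"",
                   use_retry: bool = False) -> Tuple[str, int, bytes]:
        """Process one client Initial datagram. Returns (action, bytes_sent, retry_token)."""
        if datagram_len < MIN_INITIAL_SIZE:
            return ("drop", 0, b"")   # undersized Initials are discarded, never answered
        self._received[addr] = self._received.get(addr, 0) + datagram_len
        if token and hmac.compare_digest(token, self._token(addr)):
            self.validated.add(addr)  # an echoed token proves the address is reachable
        if addr in self.validated:
            return self._send(addr, "handshake", SERVER_FLIGHT_SIZE)
        if use_retry:
            # Stateless validation: a tiny reply carrying the token and nothing else.
            action, sent, _ = self._send(addr, "retry", RETRY_SIZE)
            return (action, sent, self._token(addr))
        # Without Retry the server starts the handshake but stays under 3x; the rest of
        # the flight waits until the client's next packet validates the address.
        return self._send(addr, "handshake_partial", SERVER_FLIGHT_SIZE)

    def on_handshake_packet(self, addr: str) -> None:
        """A Handshake-protected packet can only come from a peer that received the
        server's Initial, so it validates the address (RFC 9000 sec 8.1)."""
        self.validated.add(addr)


def amplification_factor(bytes_in: int, bytes_out: int) -> float:
    """Bytes delivered to the reflected-to address per byte the sender transmitted."""
    return bytes_out / bytes_in if bytes_in else float("inf")


if __name__ == "__main__":
    server = ToyQuicServer()
    # Constructed scenario: an Initial carrying a forged source address is answered
    # with at most 3x its size, however many times it is repeated.
    action, sent, _ = server.on_initial("198.51.100.7", 1200)
    print(action, sent, "bytes ->", amplification_factor(1200, sent), "x")
    # Constructed comparison: a 60-byte UDP DNS query answered by a 3000-byte response.
    print("classic UDP DNS reflection:", amplification_factor(60, 3000), "x")
```

For a resolver operator the practical reading is that enabling Retry (most QUIC stacks expose it as a switch) makes the unvalidated reply a few hundred bytes at most, while even without it the transport caps the reflected volume at three times the attacker's own spend.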
Finally, DoQ prevents cache poisoning, a technique in which attackers manipulate DNS data to redirect users to malicious websites, by providing encryption and authentication of DNS data.
Why DNS will move to QUIC
Establishing a DNS connection over QUIC is faster than with DNS over TLS (DoT). Along with better speed and a lower packet loss rate, QUIC also offers more encryption options, which lets DoQ compare favorably with DNS over HTTPS (DoH).
Because DoH was not originally designed as a transport-layer protocol, it does not offer robust privacy protection. Transmitting DNS queries over HTTP means that HTTP cookies and other HTTP headers (Authentication, User-Agent, Accept-Language) carrying specific information about the user travel with every query, giving malware more opportunities for tracking and fingerprinting.
These issues can be addressed on the client side of DoH, but it is virtually impossible to have a custom solution for every client: browsers, operating systems and all kinds of software. So while DoH may run over QUIC at some point through the deployment of HTTP/3, that future is still some way off, and the flaws inherent in its design will continue to haunt it.
In addition, compared to earlier versions of the specification, the latest version allows DoQ to be used not only with recursive DNS servers but also with authoritative servers. Authoritative DNS servers provide answers to recursive DNS servers about where to find a particular website. Remember the analogy of the dictionary or address book of the Internet?
Authoritative DNS servers hold the dictionary, while recursive DNS servers ask the authoritative servers to look an entry up before passing the answer on to the computer that requested it. This means that encryption can now cover not only the path from the client (your computer or phone) to the recursive server, but also DNS traffic in general.
Conclusion
In conclusion, DNS over QUIC has the potential to significantly improve the security and performance of your online experience. The various benefits of DoQ include its encryption and privacy features, as well as its ability to mitigate common DNS attacks. Performance improvements are also significant, providing reduced latency, connection migration and resiliency.