Ad-blocker AdGuard deploys world’s first DNS-over-QUIC resolver


DNS-over-QUIC, or DoQ, is viewed as a superior, faster, and more private version of the DNS protocol, even DoH and DoT.

Ad-blocker company AdGuard has deployed on Wednesday the world’s first-ever DNS-over-QUIC (DoQ) resolver into a production environment as a neighborhood of the company’s Android and iOS applications.

AdGuard’s DoQ resolver will work by resolving its users’ DNS queries (converting website URLs into IP addresses) using the new QUIC data transfer protocol.


Today, by default, DNS queries are resolved via the standard UDP protocol.

The problem is that UDP traffic isn’t encrypted and is out there in clear text to any network observer, making it easy for ISPs to trace even encrypted HTTPS traffic by watching the DNS queries proceeding those connections.

This weakness has been known for an extended time and is what led to the creation and current proliferation of DNS alternative protocols like DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT).

However, both DoH and DoT have their own drawbacks. DoH merely hides DNS inside HTTPS, while DoT adds TLS support to DNS, a cumbersome process for both DNS servers and app makers.

DoQ is currently viewed because the way forward for DNS encryption because it doesn’t bother with playing tricks with adjacent technologies within the “application layer” of the online protocol suite.

Building competitive advantage in your organisation through tape

Instead, it replaces the old UDP with the newer QUIC, a layer below DNS, as its underlying technology, effectively giving DNS an upgrade to modern technology.


QUIC could also be a replacement “data transport” protocol that started as a project at Google to develop an alternate to the aging and slower TCP protocol, which currently underpins most internet traffic today, in conjunction with UDP.

Google’s first decide to develop a TCP alternative was the SPDY protocol. SPDY was considered successful at the time and was eventually broadly adopted because the “data transport” layer for the HTTP/2 web protocol.

QUIC is an evolution of SPDY that comes with more speed, better packet transfer reliability, but also with built-in support for (TLS) encryption. Like SPDY, QUIC’s implementation inside HTTP and HTTPS, mentioned as HTTP-over-QUIC was formally adopted to become the upcoming HTTP/3 protocol.

DoQ could also be an identical effort to exchange UDP with QUIC inside DNS’s underbelly and make DNS faster and safer than it’s today.

The protocol is currently only a working draft at the online Engineering Task Force (IETF), but AdGuard says there is no reason to attend to start out experimenting and providing this better and more private version of the DNS protocol to its users.

Because DoQ’s encryption support is implemented in QUIC rather than HTTP, DoQ is currently considered more private than DoH, because it doesn’t generate artifacts specific to HTTP/HTTPS connections, that might be used for tracking, AdGuard argued.

The only downside specific to DoQ is that an equivalent downside specific to classic DNS, DoH, and DoT resolvers — namely that the server owner knows who is performing the queries.

Apple, Cloudflare, and Fastly attempt to repair this issue via the Oblivious DoH standard, by adding a proxy between the user and thus the DoH resolver.

“Something like ‘Oblivious DoQ’ could even be implemented within the longer term when DoQ is finally out of the draft stage,” Andrey Meshkov, AdGuard CEO, told ZDNet yesterday in an email.




Please enter your comment!
Please enter your name here