What is DNS over QUIC (DoQ)?
We’re happy to announce that DNS over QUIC, a very promising protocol, has become a proposed standard. We believe that DNS over QUIC is better than other popular alternatives (DNS over HTTPS, DNS over TLS) and has the potential to completely replace old unencrypted DNS protocols.
What is DNS over QUIC (DoQ)?
DNS over QUIC is a protocol that aims to improve the privacy and security of Domain Name System (DNS) lookups by transporting DNS queries and responses over the QUIC transport protocol instead of traditional UDP or TCP.
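To make the transport change concrete, here is an added example (not code from the original post or from any DoQ implementation) showing what actually travels on a DoQ stream. It goes beyond the post's description by assuming the wire rules of RFC 9250: each DNS message on a stream is prefixed by a 2-octet length, queries carry Message ID 0 because the QUIC stream already correlates query and response, and the connection is negotiated with ALPN "doq" on UDP port 853. The helper functions, the constructed `example_response`, and the name and address values are all assumptions made for illustration; no QUIC stack is included, only the bytes a client would write to and read from one bidirectional stream.

```python
"""DoQ (RFC 9250) stream framing, added as an illustrative example."""
import struct

DOQ_ALPN = "doq"   # ALPN token negotiated during the QUIC/TLS 1.3 handshake
DOQ_PORT = 853     # default UDP port for DNS over QUIC

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a host name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("invalid DNS label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a DNS query; DoQ requires the Message ID field to be 0."""
    # ID=0, flags=RD only, QDCOUNT=1, no answer/authority/additional records
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question


def frame_doq(message: bytes) -> bytes:
    """Prefix a DNS message with the 2-octet big-endian length used on DoQ streams."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too large for a 2-octet length prefix")
    return struct.pack("!H", len(message)) + message


def unframe_doq(stream: bytes):
    """Split bytes read from a DoQ stream into DNS messages.

    Returns (complete_messages, leftover_bytes); leftover holds a message
    whose length prefix has arrived but whose body has not yet been received.
    """
    messages, offset = [], 0
    while offset + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, offset)
        if offset + 2 + length > len(stream):
            break  # incomplete message: keep the tail until more data arrives
        messages.append(stream[offset + 2:offset + 2 + length])
        offset += 2 + length
    return messages, stream[offset:]


def skip_name(message: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = message[offset]
        if length & 0xC0 == 0xC0:
            return offset + 2  # compression pointer ends the name
        if length == 0:
            return offset + 1
        offset += 1 + length


def parse_a_records(message: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    msg_id, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", message, 0)
    if msg_id != 0:
        raise ValueError("DoQ responses echo the query's Message ID, which is 0")
    if flags & 0x000F:  # non-zero RCODE: no usable answers
        return []
    offset = 12
    for _ in range(qd):
        offset = skip_name(message, offset) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        offset = skip_name(message, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", message, offset)
        offset += 10
        rdata = message[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def example_response(name: str = "example.com", ip: str = "192.0.2.1") -> bytes:
    """Constructed sample response a DoQ server would return for build_query(name)."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    answer += bytes(int(part) for part in ip.split("."))
    return header + question + answer


if __name__ == "__main__":
    wire = frame_doq(build_query("example.com"))
    print("client writes %d bytes to the stream: %s" % (len(wire), wire.hex()))
    msgs, rest = unframe_doq(frame_doq(example_response()))
    print("server answer:", parse_a_records(msgs[0]), "leftover:", rest)
```

In a real client each query goes on its own client-initiated bidirectional stream, which is why the Message ID can be fixed at 0; `unframe_doq` keeps any partial tail so the caller can append the next chunk read from the stream.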
An overview of the QUIC Protocol
Diving into the QUIC protocol, you’ll find that its origins can be traced back to Google, which initially developed it as an experiment to enhance internet communication. Since then, the Internet Engineering Task Force (IETF) has been working on standardizing QUIC to make it widely accessible and interoperable.
Compared to traditional protocols like TCP and UDP, QUIC offers several advantages, such as faster connection times, built-in encryption, and improved reliability. However, there are a few drawbacks and limitations to consider, such as the increased complexity of the protocol and its potential impact on network infrastructure.
Connection migration is a key feature of QUIC, which allows connections to be seamlessly moved between IP addresses without losing data or breaking the connection. This is particularly useful in situations where your device switches between networks, such as moving from Wi-Fi to mobile data.
Another essential feature is 0-RTT connection establishment, which significantly reduces the time it takes to set up a secure connection.
QUIC also utilizes stream multiplexing, enabling simultaneous requests to be processed without blocking each other, further enhancing its efficiency.
Lastly, the built-in encryption provided by TLS 1.3 ensures that your data remains secure and private during transmission.
What are the security benefits of DNS over QUIC?
Encryption and privacy are at the forefront of DNS over QUIC. DoQ’s default use of TLS 1.3 ensures that your DNS queries are encrypted, protecting your data from eavesdropping and tampering. This level of security is essential in maintaining your privacy and safeguarding your online activities.
In addition to encryption, DoQ helps mitigate common DNS attacks. Its resilience against Distributed Denial of Service (DDoS) attacks comes from QUIC's address validation: a client must prove it can receive packets at the source address it claims before the server fully establishes the connection, which stops attackers from overwhelming servers with spoofed requests.
Furthermore, DoQ reduces the risk of amplification attacks, as QUIC’s connection-oriented nature prevents attackers from using DNS servers to amplify and reflect their attack traffic.
Lastly, DoQ helps prevent cache poisoning, a technique where attackers manipulate DNS data to redirect users to malicious websites, by ensuring that DNS data is encrypted and authenticated.
Why DNS over QUIC is the future
With DNS over QUIC, a connection is established much faster than with DNS over TLS (DoT). Alongside the better speed and a lower packet loss rate, QUIC also offers more encryption options, which lets DoQ compare favorably with DNS over HTTPS (DoH) as well.
Since DoH was not originally designed as a transport layer protocol, it does not offer robust privacy protections. Carrying DNS requests over HTTP brings along HTTP cookies and other HTTP headers (Authorization, User-Agent, Accept-Language) that convey specific information about the user, giving attackers more opportunities for tracking and fingerprinting.
These issues could be dealt with on the client side at the DoH level, but it’s virtually impossible to have a custom solution for every client, including browsers, operating systems, and all kinds of software. So while DoH will also be able to support QUIC at some point thanks to the future deployment of the HTTP/3 protocol, that future has not yet arrived, and the flaws inherent in its design will continue to haunt it.
Moreover, compared to the earlier versions of the draft, the final version allows DoQ to be used not only for recursive DNS servers but also for authoritative ones. Authoritative DNS servers provide recursive DNS servers with answers about where to find a particular website. Remember the “dictionary” or “address book of the Internet” analogy?
Authoritative DNS servers have the dictionary in their possession, while recursive DNS servers ask authoritative servers to have a look before sending the information to the computer that requested it. Thus, the implementation of DoQ will make it possible to encrypt not only the traffic from the client (your computer or phone) to the recursive server but also all DNS traffic in general.
Conclusion
In conclusion, DNS over QUIC has the potential to significantly enhance the security and performance of your online experience. DoQ brings many benefits, including its encryption and privacy features and its ability to mitigate common DNS attacks. The performance enhancements are also significant: reduced latency, connection migration, and resilience.