Ad-blocker company AdGuard has deployed on Wednesday the world’s first-ever DNS-over-QUIC (DoQ) resolver into a production environment as part of the company’s Android and iOS applications.
AdGuard’s DoQ resolver will work by resolving its users’ DNS queries (converting domain names into IP addresses) over the new QUIC transport protocol.
DoQ replaces UDP with QUIC inside DNS’ underbelly
Today, by default, DNS queries are resolved via the standard UDP protocol.
The problem is that DNS traffic over UDP is not encrypted and is visible in clear text to any network observer, which makes it easy for ISPs to track even encrypted HTTPS traffic by looking at the DNS queries preceding those connections.
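To make the point above concrete, here is an added example (not code from the article or from AdGuard) that builds a classic DNS query in RFC 1035 wire format and then parses the queried name back out of the raw bytes, which is exactly what any on-path observer of unencrypted UDP DNS can do. The packet is constructed in the script, the domain names are made up, and nothing is sent on the network; with DoT, DoH or DoQ the same bytes would sit inside TLS and this extraction would not be possible for an observer.

```python
import struct

# Constructed sample: a minimal DNS query (header + one question, no EDNS) as it
# would appear in the UDP payload of an unencrypted DNS request. Built locally
# for illustration; not captured from any real network.


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode an RFC 1035 DNS query for `name` with QTYPE `qtype` (1 = A) and QCLASS IN."""
    # Header: ID, flags (RD bit set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: sequence of length-prefixed labels terminated by a zero byte
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    qname += b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_question(packet: bytes) -> tuple[str, int, int]:
    """Return (name, qtype, qclass) from the question section of a DNS message.

    This is what a passive observer on the path sees in clear text for every
    UDP DNS query (and for the echoed question in every response). Malformed or
    truncated input raises ValueError rather than returning garbage.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")

    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Name compression pointers are not expected in the question of a query
            raise ValueError("unexpected compression pointer in question")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length

    if pos + 4 > len(packet):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def observed_names(packets: list[bytes]) -> list[str]:
    """Names an observer could log from a batch of cleartext DNS packets."""
    return [parse_question(p)[0] for p in packets]


if __name__ == "__main__":
    # Constructed traffic from a single client; the observer never needed to
    # see the later HTTPS connection to learn which site was about to be visited.
    traffic = [build_query("example.com"), build_query("mail.example.org.", qtype=15)]
    for name in observed_names(traffic):
        print("observer saw lookup for:", name)
```

Running the script prints the two made-up names, which is the whole leak the article describes: the TLS connection that follows is encrypted, but the lookup that preceded it named the destination in the clear.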
This weakness has been known for a long time and is what led to the creation and current proliferation of alternative DNS protocols like DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT).
However, both DoH and DoT have their own drawbacks. DoH merely hides DNS inside HTTPS, while DoT adds TLS support to DNS, a cumbersome process for both DNS servers and app makers.
DoQ is currently viewed as the future of DNS encryption because it doesn’t bother with playing tricks with adjacent technologies in the “application layer” of the internet protocol suite.
Instead, it replaces the old UDP with the newer QUIC, a layer below DNS, as its underlying technology, effectively giving DNS an upgrade to modern technology.
What is QUIC
QUIC is a new “data transport” protocol that started as a project at Google to develop an alternative to the aging and slower TCP protocol, which, together with UDP, currently underpins most internet traffic.
Google’s first attempt to develop a TCP alternative was the SPDY protocol. SPDY was considered a success at the time and was eventually broadly adopted as the “data transport” layer for the HTTP/2 web protocol.
QUIC is an evolution of SPDY that comes with more speed and better packet transfer reliability, but also with built-in support for (TLS) encryption. Like SPDY, QUIC’s implementation inside HTTP and HTTPS, known as HTTP-over-QUIC, was formally adopted to become the upcoming HTTP/3 protocol.
DoQ is a similar effort to replace UDP with QUIC inside DNS’s underbelly and make DNS faster and more secure than it is today.
The protocol is currently only a working draft at the Internet Engineering Task Force (IETF), but AdGuard says there is no reason to wait to start experimenting and providing this better and more private version of the DNS protocol to its users.
Because DoQ’s encryption support is implemented in QUIC rather than in HTTP, DoQ is currently considered more private than DoH, as it doesn’t generate artifacts specific to HTTP/HTTPS connections that could be used for tracking, AdGuard argued.
The only downside specific to DoQ is the same downside specific to classic DNS, DoH, and DoT resolvers — namely that the server owner knows who is performing the queries.
Apple, Cloudflare, and Fastly are trying to fix this issue via the Oblivious DoH standard, by adding a proxy between the user and the DoH resolver.
“Something like ‘Oblivious DoQ’ may be implemented in the future when DoQ is finally out of the draft stage,” Andrey Meshkov, AdGuard CEO, told ZDNet yesterday in an email.
AdGuard Android and iOS users can test the new DoQ protocol in their apps starting this week. Instructions on how to enable DoQ inside the apps are available in AdGuard’s blog post here.