
Set Up DNS-over-QUIC (DoQ)

Next-generation encrypted DNS with QUIC

DNS-over-QUIC (RFC 9250) is the newest of the encrypted DNS transports. It carries DNS messages over QUIC, the UDP-based transport that also powers HTTP/3, instead of over TCP. Each query gets its own QUIC stream, so a lost packet delays only that query rather than everything queued behind it; connection setup takes a single round trip (none when resuming a session); and a client that implements QUIC connection migration can keep the same connection when it moves from WiFi to cellular instead of reconnecting.

le_dns is one of the few public resolvers that support DoQ in production.

le_dns DoQ endpoint: quic://ledns.eu:8853 (UDP port 8853)


Why DoQ?

Protocol   Transport               Handshake before first query   Packet loss
DoT        TCP + TLS               2 RTT                          Head-of-line blocking
DoH        TCP + TLS + HTTP/2      2 RTT                          Head-of-line blocking
DoQ        QUIC (UDP)              1 RTT, 0 RTT on resumption     Per-stream, no blocking

Handshake counts assume TLS 1.3 (TLS 1.2 adds a round trip to DoT and DoH). 0-RTT only applies when resuming an earlier session, and 0-RTT data can be replayed by an attacker on the path, so it should be reserved for queries that are harmless to replay.

For mobile users who frequently switch networks, QUIC connection migration lets queries keep flowing over the same connection without a new handshake, provided the client library actually implements migration (not all DoQ clients do).
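What actually crosses a DoQ stream is worth seeing once, because the rules differ from DoT and DoH. The following is an added example, not code from le_dns: it builds a query the way RFC 9250 requires, frames it for a stream, and checks an incoming message the way a conforming peer would. It stops at the DNS-over-QUIC layer; the QUIC transport itself (handshake, streams, migration) needs a QUIC library and is not shown. The RFC section numbers in the comments are from my reading of RFC 9250; check them against the text.

```python
"""DoQ stream framing and message checks from RFC 9250 (added example).

Rules implemented, as read from RFC 9250:
  - each DNS message on a stream is a 2-octet big-endian length followed
    by the message (section 4.2);
  - the DNS message ID is 0, because the stream, not the ID, pairs a
    query with its response (section 4.2.1);
  - the edns-tcp-keepalive option (code 11) is not allowed and its
    receipt is a fatal protocol error (section 5.5.2).
"""
import struct

# DoQ application error codes, RFC 9250 section 8.4
DOQ_NO_ERROR = 0x0
DOQ_PROTOCOL_ERROR = 0x2

QTYPE_A = 1
RRTYPE_OPT = 41
EDNS_TCP_KEEPALIVE = 11   # option code from RFC 7828
EDNS_PADDING = 12         # option code from RFC 7830


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels, no compression."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, msg_id: int = 0,
                edns_options=None) -> bytes:
    """Build a single-question DNS query (class IN, RD set).

    msg_id defaults to 0 as DoQ requires; a non-zero value is accepted only
    so the receiver check can be exercised.  edns_options, when not None,
    is a list of (code, data) pairs placed in one OPT record.
    """
    arcount = 0 if edns_options is None else 1
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, arcount)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_options is not None:
        rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                         for code, data in edns_options)
        # OPT RR: root name, type 41, "class" = UDP payload size, "ttl" = flags
        msg += b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, 1232, 0, len(rdata)) + rdata
    return msg


def frame(msg: bytes) -> bytes:
    """Prefix a DNS message with its 2-octet length for a DoQ stream."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message exceeds the 2-octet length field")
    return struct.pack("!H", len(msg)) + msg


def unframe(stream: bytes) -> list:
    """Split the bytes read from one stream into DNS messages.

    A response stream normally carries one message; zone transfers may
    send several.  A truncated frame is an error, never silently shortened.
    """
    msgs, off = [], 0
    while off < len(stream):
        if off + 2 > len(stream):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from("!H", stream, off)
        off += 2
        if off + n > len(stream):
            raise ValueError("truncated DNS message")
        msgs.append(stream[off:off + n])
        off += n
    return msgs


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 octets, ends the name
            return off + 2
        off += 1 + length


def check_doq_message(msg: bytes) -> int:
    """Return DOQ_NO_ERROR, or the code a peer should close the connection with."""
    if len(msg) < 12:
        return DOQ_PROTOCOL_ERROR
    msg_id, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    if msg_id != 0:
        return DOQ_PROTOCOL_ERROR              # section 4.2.1
    try:
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4     # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rdata = msg[off:off + rdlen]
            if len(rdata) != rdlen:
                return DOQ_PROTOCOL_ERROR
            off += rdlen
            if rtype == RRTYPE_OPT:
                o = 0
                while o + 4 <= len(rdata):
                    code, olen = struct.unpack_from("!HH", rdata, o)
                    if code == EDNS_TCP_KEEPALIVE:
                        return DOQ_PROTOCOL_ERROR  # section 5.5.2
                    o += 4 + olen
        if off != len(msg):
            return DOQ_PROTOCOL_ERROR          # trailing bytes or short message
    except (IndexError, struct.error):
        return DOQ_PROTOCOL_ERROR
    return DOQ_NO_ERROR


if __name__ == "__main__":
    wire = frame(build_query("example.com"))
    print(wire.hex())
    print(check_doq_message(unframe(wire)[0]) == DOQ_NO_ERROR)
```

Two details matter for anyone writing or debugging a DoQ client: the 2-octet length prefix is mandatory even though QUIC streams already delimit data, and the message ID is fixed at 0, so a resolver that sees a non-zero ID or an edns-tcp-keepalive option is entitled to drop the whole connection with DOQ_PROTOCOL_ERROR rather than just that query.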


dnscrypt-proxy

dnscrypt-proxy is a widely used local DNS proxy for Linux, macOS, and Windows and understands sdns:// server stamps. Check that the release you install accepts DoQ stamps (protocol byte 0x04): its documented transports are DNSCrypt, DoH (including HTTP/3) and ODoH, and a build without DoQ support logs an error for the server below instead of falling back, leaving the proxy with nothing to resolve through.

# macOS (Homebrew)
brew install dnscrypt-proxy

# Debian/Ubuntu
sudo apt install dnscrypt-proxy

Add le_dns as a static server in /etc/dnscrypt-proxy/dnscrypt-proxy.toml (on macOS with Homebrew the file lives under $(brew --prefix)/etc/dnscrypt-proxy/). Listing it alone in server_names makes it the only resolver the proxy will use:

server_names = ['ledns-doq']

[static]
  [static.ledns-doq]
  stamp = 'sdns://BAcAAAAAAAAAEzE1MS4xMTUuODAuMTY1Ojg4NTMLbGVkbnMuZXU'

Then point the system resolver at the proxy and start it. On Linux:

sudo systemctl enable --now dnscrypt-proxy

On macOS with Homebrew:

sudo brew services start dnscrypt-proxy

Two things to check before changing the system DNS. The Debian/Ubuntu package starts the proxy through systemd socket activation and may listen on 127.0.2.1:53 rather than 127.0.0.1:53, so confirm listen_addresses (or the dnscrypt-proxy.socket unit) and use whatever address it actually binds as your system DNS. And with ledns-doq as the only entry in server_names there is no fallback resolver, so validate the configuration and resolve a name through the proxy before relying on it:

sudo dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -check
dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -resolve example.com
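To see what the stamp above actually encodes, and to regenerate one from the endpoint values, here is an encoder/decoder for DoT and DoQ stamps. This is an added example, not code from le_dns or dnscrypt-proxy; the field layout follows the DNS Stamps specification as I read it, so check it against dnscrypt.info/stamps before relying on the output, and the resolver IP 151.115.80.165 is taken from the stamp above, not independently verified. Note that the stamp as printed on this page does not decode cleanly: after the address field its next length byte claims 11 bytes but only 8 remain, so it was probably cut off or mis-encoded when the page was written. Regenerate it with encode_stamp and compare decoded fields rather than base64 strings.

```python
"""Encode and decode sdns:// server stamps for DoQ and DoT (added example).

Layout, as read from the DNS Stamps specification:
  proto(1) || props(8, little-endian flags) || LP(addr[:port])
  || VLP(cert hashes) || LP(hostname[:port]) || VLP(bootstrap IPs)
LP  = one length byte followed by the bytes.
VLP = a sequence of LP items; every length byte except the last has its
      high bit set, and an empty sequence is a single 0x00 byte.
"""
import base64

PROTOCOLS = {0x03: "DoT", 0x04: "DoQ"}   # both use the layout above
PROP_DNSSEC, PROP_NO_LOG, PROP_NO_FILTER = 0x1, 0x2, 0x4
_PROP_NAMES = [(PROP_DNSSEC, "DNSSEC"), (PROP_NO_LOG, "NoLog"), (PROP_NO_FILTER, "NoFilter")]


def _lp(b: bytes) -> bytes:
    if len(b) > 255:
        raise ValueError("LP field longer than 255 bytes")
    return bytes([len(b)]) + b


def _vlp(items) -> bytes:
    if not items:
        return b"\x00"
    out = b""
    for i, item in enumerate(items):
        if len(item) > 127:
            raise ValueError("VLP item longer than 127 bytes")
        more = 0x80 if i < len(items) - 1 else 0
        out += bytes([len(item) | more]) + item
    return out


def encode_stamp(addr: str, hostname: str, props: int = 0, cert_hashes=(),
                 bootstrap_ips=(), protocol: int = 0x04) -> str:
    """Build a stamp. cert_hashes are hex SHA-256 digests (usually none for DoQ)."""
    if protocol not in PROTOCOLS:
        raise ValueError("only DoT (0x03) and DoQ (0x04) stamps are handled here")
    raw = (bytes([protocol]) + props.to_bytes(8, "little") + _lp(addr.encode())
           + _vlp([bytes.fromhex(h) for h in cert_hashes]) + _lp(hostname.encode())
           + _vlp([ip.encode() for ip in bootstrap_ips]))
    return "sdns://" + base64.urlsafe_b64encode(raw).decode().rstrip("=")


class _Reader:
    """Cursor over the decoded stamp that refuses to read past the end."""
    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def take(self, n: int) -> bytes:
        if self.off + n > len(self.data):
            raise ValueError(f"truncated stamp: need {n} bytes at offset {self.off}, "
                             f"{len(self.data) - self.off} left")
        chunk = self.data[self.off:self.off + n]
        self.off += n
        return chunk

    def lp(self) -> bytes:
        return self.take(self.take(1)[0])

    def vlp(self) -> list:
        items = []
        while True:
            length = self.take(1)[0]
            item = self.take(length & 0x7F)
            if item:
                items.append(item)
            if not length & 0x80:
                return items


def decode_stamp(stamp: str) -> dict:
    """Parse a stamp into its fields; raises ValueError if it is malformed."""
    if not stamp.startswith("sdns://"):
        raise ValueError("stamp must start with sdns://")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    r = _Reader(raw)
    proto = r.take(1)[0]
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported stamp protocol 0x{proto:02x}")
    props = int.from_bytes(r.take(8), "little")
    addr = r.lp().decode("ascii")
    hashes = [h.hex() for h in r.vlp()]
    hostname = r.lp().decode("ascii")
    bootstrap = [b.decode("ascii") for b in r.vlp()]
    if r.off != len(raw):
        raise ValueError("trailing bytes after the last field")
    return {"protocol": PROTOCOLS[proto], "addr": addr, "hostname": hostname,
            "props": [name for bit, name in _PROP_NAMES if props & bit],
            "cert_hashes": hashes, "bootstrap_ips": bootstrap}


# le_dns endpoint values from this page (IP taken from the published stamp).
# No cert hashes or bootstrap IPs are set, so the result need not match a
# published stamp byte for byte; compare decoded fields instead.
LEDNS_DOQ_STAMP = encode_stamp("151.115.80.165:8853", "ledns.eu",
                               PROP_DNSSEC | PROP_NO_LOG | PROP_NO_FILTER)

if __name__ == "__main__":
    print(LEDNS_DOQ_STAMP)
    print(decode_stamp(LEDNS_DOQ_STAMP))
```

The decoder errors out on a length prefix that runs past the end of the data instead of returning partial fields, which is what you want when pasting stamps from a web page or a chat message: a silently shortened hostname would be accepted by some clients and then fail certificate validation with a confusing error.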

q (CLI DNS client)

q is a modern DNS client that supports DoQ out of the box and is the quickest way to test the endpoint:

# macOS (Homebrew tap maintained by the q author)
brew install natesales/repo/q

# Any platform with a Go toolchain
go install github.com/natesales/q@latest

# Source and release binaries: https://github.com/natesales/q

q @quic://ledns.eu:8853 example.com A

A NOERROR response with an A record confirms DoQ is working end-to-end between your machine and ledns.eu. If the query hangs instead, the network is most likely dropping UDP to port 8853 (see the compatibility note below).


kdig (Knot DNS)

kdig from the Knot DNS project (3.2 or later, built with QUIC support) supports DoQ with the +quic flag. kdig assumes the standard DoQ port 853, so pass the le_dns port explicitly with -p:

# macOS
brew install knot

# Debian/Ubuntu
sudo apt install knot-dnsutils

kdig @ledns.eu -p 8853 +quic +tls-ca example.com

+tls-ca makes kdig verify the server certificate against the system CA store rather than accept any certificate. If kdig rejects +quic, the package was built without QUIC support; use q instead.

Compatibility note

DoQ is a newer protocol and client support is still catching up. If your platform or router doesn't support it yet, DoT and DoH offer equivalent privacy with broader support. All three protocols encrypt queries between your device and the resolver (the resolver itself still sees them in clear, as any resolver must); DoQ just does it with lower overhead.

le_dns serves DoQ on UDP port 8853. RFC 9250 assigns UDP 853 as the standard DoQ port; 8853 is the port many early deployments chose, and some networks block it, or outbound UDP in general. QUIC has no TCP fallback, so in that case switch to DoH on TCP port 443. A quick way to tell the cases apart: if q or kdig time out on DoQ while a DoH query to ledns.eu succeeds, UDP to 8853 is being filtered.