Updated: 19 Apr 2024
Technitium DNS Server is a cross-platform, free, open source software that is easy to deploy and use yet pack powerful features. Starting with the version 11.0 release, the DNS server now supports DNS-over-QUIC encrypted DNS protocol in addition to existing DNS-over-TLS and DNS-over-HTTPS encrypted DNS protocols. With this update, you will be able to use DNS-over-QUIC protocol with a forwarder or connditional forwarder, or host your own DNS-over-QUIC service.
The DNS server has also added support for HTTP/3 for both its web console and DNS-over-HTTPS service. Since HTTP/3 also uses QUIC tranport protocol, the requirements and configuration mentioned in this post also applies to it.
Let's see how to configure the DNS server to use the new QUIC transport protocol.
Requirements
The DNS-over-QUIC protocol uses a very new QUIC transport protocol which is not yet available on all platforms. Currently it is available only on Windows and Linux platforms. The .NET Runtime relies on the msquic library which is an implementation of QUIC protocol by Microsoft.
For Windows
The support for QUIC on Windows is only available on following Windows versions:
- Windows 11 (build 22000 or later)
- Windows Server 2022
The above supported Windows version have msquic already installed and thus there is no additional installation needed. There is no option yet to use the QUIC protocol on Windows 10 or older versions. However, it is possible to use it on Windows 10 by using docker container deployments.
For Linux
On Linux, you need to install libmsquic to enable QUIC protocol support. You can install it using Microsoft Software Repository for Linux. You can follow the instructions given in the link to add the software repository on your distro as shown in examples below:
-
Ubuntu
source /etc/os-release wget https://packages.microsoft.com/config/$ID/$VERSION_ID/packages-microsoft-prod.deb -O packages-microsoft-prod.deb sudo dpkg -i packages-microsoft-prod.deb rm packages-microsoft-prod.deb sudo apt update
-
Debian / Raspberry Pi OS
wget https://packages.microsoft.com/config/debian/12/packages-microsoft-prod.deb -O packages-microsoft-prod.deb sudo dpkg -i packages-microsoft-prod.deb rm packages-microsoft-prod.deb sudo apt update
Once you have the Microsoft Software Repository installed on your distro, you can proceed to install libmsquic library as shown below:
sudo apt install libmsquic -y
Now restart the DNS server so that it loads the newly installed libmsquic library. Once the DNS server is available, you can use the DNS-over-QUIC protocol with forwarder or conditional forwarder configuration, or with the DNS Client tab in the DNS server web console. If you wish to run your own DNS-over-QUIC service, you can enable it from the Settings > Optional Protocols section similar to how you would enable the other encrypted DNS protocols.
If you have enabled HTTPS and HTTP/3 options, and configured a TLS certificate for the DNS web console, the web service will enable HTTP/3 support which will be available on UDP port 443.
If you have any comments or queries, do let me know in the comments section below or send an email to support@technitium.com.
Will dns-over-quic work in the docker deployment? I tried switching to quic, but I get an error message saying that libmsquic and openssl have to be installed manually.
ReplyDeleteThe current docker image that is available does not have libmsquic installed. A new docker image will be available by this weekend that will work for QUIC without any issues.
DeleteThats wonderful. Thank you!
DeleteOn 11.0 docker image, web management gives error if i want to set forwarder to a quic provider. Please check.
ReplyDeleteError! DNS-over-QUIC is supported only on Windows 11, Windows Server 2022, and Linux. On Linux, you must install 'libmsquic' and OpenSSL v1.1.1 manually.
The current docker image that is available does not have libmsquic installed. A new docker image will be available by this weekend that will work for QUIC without any issues.
DeleteNew docker image is now available with libmsquic installed.
DeleteHello!
ReplyDeleteIs DNS over TLS faster (lower overall latency for the queries) than DNS over HTTPS on v11?
I've made some testing and noticed a ~1-2ms lower latency with DoT, but I want to know if any of them reutilizes the TLS session.
Also, thank you a lot for developing this software!
Thanks for asking. Its a bit complicated and depends upon the upstream server too.
DeleteDoT is native to most DNS servers since its just DNS-over-TCP wrapped with TLS and thus it supports pipelining of queries.
DoH performance depends on weather its using HTTP/1.1, HTTP/2, or HTTP/3. With HTTP/1.1 the performance will be less than DoT since queries cannot be pipelined, while with HTTP/2, it will be similar to DoT, and with HTTP/3 it will be similar to DoQ.
Overall, you will see similar performance for single query for all encrypted protocols but the performance will improve when you have multiple parallel queries over same protocol connection.
Hi the Raspberry Pi code is out of date. Can you plz update the post?
DeleteSure will update it.
DeleteHey Shreyas - do you have an updated version of the RaspberryPi code? Thanks.
DeleteWhich OS version you see when you run "cat /etc/os-release" on your Rasbberry PI?
DeleteYou got Debian 12 here so the commands given in the post will work.
DeleteNo - it is not working - see screenshot: http://cloud.photom.me/QPAoCGhh
DeleteTry these steps and see if that works:
Deletewget https://packages.microsoft.com/config/debian/12/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
rm packages-microsoft-prod.deb
Thank you!
DeleteTried the above steps and was able to install "libmsquic" successfully. But however on selecting the DNS over QUIC Adguard servers from the Forwarders list in Settings -> Proxy & Forwarders , the internet stops working and everything shows are "Server Failure" in logs. Any idea what might be the reason ?
DeleteHave tried rebooting and reinstalling the whole setup twice now with same results.
Please share the error log entries here or over email to know what is the issue.
DeleteSame error using HTTP3 on Debian 12,
ReplyDeleteLog show:
[2024-07-31 00:10:07 Local] [192.168.244.250:51848] DnsServerCore.DnsWebServiceException: HTTP/3 is supported only on Windows 11, Windows Server 2022, and Linux. On Linux, you must install 'libmsquic' manually.
at DnsServerCore.DnsWebService.ValidateQuicSupport(String protocolName) in Z:\Technitium\Projects\DnsServer\DnsServerCore\DnsWebService.cs:line 917
at DnsServerCore.WebServiceSettingsApi.SetDnsSettings(HttpContext context) in Z:\Technitium\Projects\DnsServer\DnsServerCore\WebServiceSettingsApi.cs:line 790
at lambda_method136(Closure, Object, HttpContext)
at Microsoft.AspNetCore.Routing.EndpointMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware.Invoke(HttpContext httpContext)
at DnsServerCore.DnsWebService.WebServiceApiMiddleware(HttpContext context, RequestDelegate next)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)
Thanks for the feedback. Have you installed libmsquic? If yes, what version does it show as installed when you run "apt list --all-versions libmsquic"?
DeleteI have libmsquic installed, this happened when I upgraded to debian 12.6.0.
DeleteOn debian 12.5 I have no problems enabling http3.
Thanks for the details. I have received similar feedback from other users. The fix for this is to downgrade libmsquic to v2.3.6. To do that run "apt install libmsquic=2.3.6" and restart the DNS server.
DeleteThanks for the help, libmsquic downgrade to 2.3.6 on debian 12.6 and now http3 is working.
Deletedns-user@DNS:~$ apt list --all-versions libmsquic
ReplyDeleteListing... Done
libmsquic/bookworm,now 2.4.0 amd64 [installed]
libmsquic/bookworm 2.3.6 amd64
libmsquic/bookworm 2.3.5 amd64
libmsquic/bookworm 2.3.4 amd64
libmsquic/bookworm 2.3.3 amd64
libmsquic/bookworm 2.3.2 amd64
libmsquic/bookworm 2.3.1 amd64
libmsquic/bookworm 2.3.0 amd64
libmsquic/bookworm 2.2.7 amd64
libmsquic/bookworm 2.2.6 amd64
libmsquic/bookworm 2.2.5 amd64
libmsquic/bookworm 2.2.4 amd64
libmsquic/bookworm 2.4.0 arm64
libmsquic/bookworm 2.3.6 arm64
libmsquic/bookworm 2.3.5 arm64
libmsquic/bookworm 2.3.4 arm64
libmsquic/bookworm 2.3.3 arm64
libmsquic/bookworm 2.3.2 arm64
libmsquic/bookworm 2.3.1 arm64
libmsquic/bookworm 2.3.0 arm64
libmsquic/bookworm 2.2.7 arm64
libmsquic/bookworm 2.2.6 arm64
libmsquic/bookworm 2.2.5 arm64
libmsquic/bookworm 2.2.4 arm64
libmsquic/bookworm 2.4.0 armhf
libmsquic/bookworm 2.3.6 armhf
libmsquic/bookworm 2.3.5 armhf
libmsquic/bookworm 2.3.4 armhf
libmsquic/bookworm 2.3.3 armhf
libmsquic/bookworm 2.3.2 armhf
libmsquic/bookworm 2.3.1 armhf
libmsquic/bookworm 2.3.0 armhf
libmsquic/bookworm 2.2.7 armhf
libmsquic/bookworm 2.2.6 armhf
libmsquic/bookworm 2.2.5 armhf
libmsquic/bookworm 2.2.4 armhf
Same issue, only on Ubuntu server 24.04
ReplyDeleteapt list --all-versions libmsquic
Listing... Done
libmsquic/noble,now 2.4.0 amd64 [installed]
libmsquic/noble 2.4.0 arm64
libmsquic/noble 2.4.0 armhf
DoQ does not work
This is an issue with libmsquic or .NET runtime. You can see more details here: https://github.com/dotnet/runtime/issues/105788#issuecomment-2263014898
DeleteOn Ubuntu Server 24.04 DoQ does not work
ReplyDeleteapt list --all-versions libmsquic
Listing... Done
libmsquic/noble,now 2.4.0 amd64 [installed]
libmsquic/noble 2.4.0 arm64
libmsquic/noble 2.4.0 armhf
This is an issue with libmsquic or .NET runtime. You can see more details here: https://github.com/dotnet/runtime/issues/105788#issuecomment-2263014898
DeleteThis was found to be a missing dependency issue for Ubuntu 24.04 and if you install those dependencies manually then libmsquic would work. To do that, run the following command to install those missing dependencies:
Deletesudo apt install -y libxdp1 libnl-3-dev libnl-route-3-dev
I have raspberry pi zero 2 W. Debian 12.
ReplyDeletelibmsquic 2.4.3. Also installed libxdp1 libnl-3-dev libnl-route-3-dev
But H3 or QUIC still does not work.
Also in Forwarders list if enter
url ([IPv6 address]:853)
after Save it become
url:853 ([IPv6 address])
Any ready QUIC option from preset corrects after save.
Thanks for the feedback. What error you get when you try to use QUIC or H3? Check the DNS Logs to see if there are any related to this and post them here.
DeleteRegarding the forwarder entry, since you are entering a URL and selecting a DNS protocol other than DNS-over-HTTPS, the entry gets converted internally to match the protocol and thus may get changed. But, it still remains equivalent and will work the same.
ServerFailure errors
DeleteI have native IPv6. IPv6 Prefer Support enabled. Any other Forwarder Protocol works fine. DoT too. But if change to force h3 or use quic sites stop working.
If test any domain via DNS Client and choose adguard quic - DnsClient failed to resolve the request 'domain name'. A IN': request timed out.
ServerFailure is generic error response. You need to check the DNS Logs from the admin web panel and find error log entry for it which will explain in detail what went wrong. Share that error log here so that I can understand the issue better.
DeleteThanks for the error log. The issue you have here is "request timed out" which means that the DNS server attempted to send request but there was no response received from the server. This could be caused by network issues like firewall or a middlebox that causes issue with QUIC protocol. You will need to debug your network with tools like Wireshark to find out the issue.
DeleteThis also means that there is no issue with libmsquic setup on your server and QUIC support is working as expected.
Thanks! I find https://quic.nginx.org/quic.html QUIC test and find what problem is RFW (aka GFW). My country try to block quic requests. They works and after some time stops response. After some time again works for some period of time.
DeleteMaybe some tweaks can be done in General DNS Server settings?
In that case, there is nothing you can do to fix it. Use DoH or DoT in that case.
DeleteLowering QUIC Max Inbound Streams in 4 times helps.
DeleteThat QUIC Max Inbound Streams option applies only for the DoQ server and does not apply for DoQ forwarders which you are using. Its just a co-incidence that you updated the setting and it started working.
DeleteYep. Working some time and again stop. I stop Technitium service, install AdGuard Home and write same QUIC dns forwarders. And they working fine around a day.
DeleteIt could be an issue with the libmsquic library too that the DNS server uses since this protocol is quite new and the library is not fully stable yet.
DeleteIs Adguard Home use another library?
DeleteYes mostly since libmsquic library is only used by apps that run on .NET runtime.
Deletehello, what is the proper way to connect with h3 for DNS-over-HTTPS? i assumed it would be over the same port set to https in the optional protocols section. https over tcp works on the port, and i have quic working on another port. i use adguard pro on ios to test connections. should i put https:// just like h2 and end with /dns-query? since these links are the same, does technitium just try to use the best protocol the client can use? or should i be using a different url to connect?
ReplyDeleteThanks for asking. To use DNS-over-HTTP/3 just use the "h3" scheme in your URL instead of "https" and it will work. No other change is settings is required.
Deletethanks! i was trying that, but i realized theres still a bug that i read up in the comments here, where libmsquic latest is causing issues with h3 on debian 12 point something or other? im on latest stable right now, and when i try to connect to h3 OR h2, it breaks tls connections for the rest of the session, until i restart the service, which instantly fixes it. but as soon as someone tries to connect to h3 or doh, it breaks tls. then, h3 continues to not work, but doh works like normal anyway. the weird part isnt h3 not working, but that i can connect to either h3 or h2 to break tls. and absolutely nothing shows up in the logs for any of these actions (except h2 working ofc). but, attempted h3 connections never log, nor do attempted tls connections log after it has been broken. really strange.
DeleteThanks for the feedback. I too have latest Debian 12 setup but I do not see such issues. Not sure what could be the reason since for QUIC protocol, it can be issue with network too since it uses UDP. There wont be an error logged when h3 upgrade fails and the client uses h2 instead which is normal.
Deleteis that with libmsquic 2.3.6 like mentioned earlier, or has that been fixed and you are using the latest libmsquic on latest debian stable, and you have all protocols working at once with just technitium? if so, i do not know how it is working. maybe because its a 2014 laptop, the nic drivers are not handling it appropriately? but, i can get adguard home working fully with exactly the same hardware in between (router, ports, devices intending to connect with the same software). ofc, if its the older libmsquic, i understand adguard home probably uses something else, and so it is not comparable.
Deletevery much appreciate your responses, i really want to get this working!
The latest libmsquic is working well, I have it deployed in multiple places. Issues with QUIC has been reported by few users but it seems like the issue is due to external network factors. Its still unclear though.
Deleteah, well, i had all kinds of things wrong until this last update. thank god for 13.1.1. everything is fixed and working great! really appreciate it.
Deletenever mind... now it seems quic itself is having "uptime" issues. everything else is working, though. quic runs for awhile and eventually just stops working. nothing in the logs about it, cant figure out what might be triggering it.
DeleteJust a couple of days back, I was able to reproduce the same issue with DoQ. The issue does not occur for everyone but can trigger once in a while needing to restart DNS server to make it work again. The fix is already tested and an update will be made available mostly coming weekend. So, keep an eye on the update and test it again with it to confirm if your issue is resolved.
DeleteDocker image still gives lib error for Quic..
ReplyDeleteThanks for the feedback. Which platform are you running docker on? ARM64, ARM32, x64? What error you see in the logs? Please post the full error log.
Deletetem algum video mostrando como ativar a pagiana de bloqueio ?
ReplyDeleteSe você está perguntando sobre o aplicativo Block Page, então não há vídeo/documentação disponível para ele. O aplicativo block page ou qualquer configuração similar também tem a limitação de que o usuário vê erros SSL/TLS quando você tenta mostrar a página de bloqueio quando o nome de domínio está bloqueado. Então não é realmente de muita utilidade, a menos que você precise tê-lo devido a regulamentações governamentais.
DeleteIf doing zone transfers over quic -- what are the requirements? Do you need to setup SSL certificates for both servers and enable quic under Optional Protocols? Does the quic implementation still run still run using tcp/upd ports 443 or a different port
ReplyDeleteThanks for asking. For XFR-over-QUIC, the primary DNS server must have DNS-over-QUIC enabled in Optional Protocols with a proper SSL cert configured. The secondary DNS server does not need to be configured with any Optional Protocol.
DeleteQUIC protocol works over UDP and DNS-over-QUIC uses standard UDP port 853.