Updated: 25 Mar 2023
Technitium DNS Server is a cross-platform, free, open source software that is easy to deploy and use yet pack powerful features. Starting with the version 11.0 release, the DNS server now supports DNS-over-QUIC encrypted DNS protocol in addition to existing DNS-over-TLS and DNS-over-HTTPS encrypted DNS protocols. With this update, you will be able to use DNS-over-QUIC protocol with a forwarder or connditional forwarder, or host your own DNS-over-QUIC service.
The DNS server has also added support for HTTP/3 for both its web console and DNS-over-HTTPS service. Since HTTP/3 also uses QUIC tranport protocol, the requirements and configuration mentioned in this post also applies to it.
Let's see how to configure the DNS server to use the new QUIC transport protocol.
Requirements
The DNS-over-QUIC protocol uses a very new QUIC transport protocol which is not yet available on all platforms. Currently it is available only on Windows and Linux platforms. The .NET Runtime relies on the msquic library which is an implementation of QUIC protocol by Microsoft.
For Windows
The support for QUIC on Windows is only available on following Windows versions:
- Windows 11 (build 22000 or later)
- Windows Server 2022
The above supported Windows version have msquic already installed and thus there is no additional installation needed. There is no option yet to use the QUIC protocol on Windows 10 or older versions. However, it is possible to use it on Windows 10 by using docker container deployments.
For Linux
On Linux, you need to install libmsquic to enable QUIC protocol support. You can install it using Microsoft Software Repository for Linux. You can follow the instructions given in the link to add the software repository on your distro as shown in examples below:
-
Ubuntu 22.04
curl -sSL https://packages.microsoft.com/keys/microsoft.asc | sudo tee /etc/apt/trusted.gpg.d/microsoft.asc sudo apt-add-repository https://packages.microsoft.com/ubuntu/22.04/prod sudo apt-get update
-
Raspberry Pi OS
curl -sSL https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add - sudo apt-add-repository https://packages.microsoft.com/debian/11/prod sudo apt-get update
Once you have the Microsoft Software Repository installed on your distro, you can proceed to install libmsquic. But libmsquic library requires openssl v1.1.1 to be installed and is currently not compatible with openssl v3.x release that is by default installed on some new distros like Ubuntu 22.04. You can check which openssl version you have installed by running the following command:
$ openssl version OpenSSL 1.1.1f 31 Mar 2020
If you see the output something like shown above then you are all set. Raspberry Pi OS has the version 1.1.1 installed so you do now have to worry about it. If you see version 3.x installed, you will need to install the version 1.1.1 for libmsquic to work.
To install openssl v1.1.1 on Ubuntu 22.04, follow the steps given below to install the pre-built binaries that are made available by Ubuntu:wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.1.1f-1ubuntu2.17_amd64.deb wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_1.1.1f-1ubuntu2.17_amd64.deb wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.17_amd64.deb sudo dpkg -i libssl1.1_1.1.1f-1ubuntu2.17_amd64.deb sudo dpkg -i libssl-dev_1.1.1f-1ubuntu2.17_amd64.deb sudo dpkg -i openssl_1.1.1f-1ubuntu2.17_amd64.debNote! If the above specified binaries are not available, then you can just check the current version that is available from here and use the correct URL for the available version to run the above commands.
Once you have installed the above openssl binaries, run the openssl version command again to confirm that you have the correct version installed.
You can now proceed to install libmsquic library as shown below:
sudo apt-get update sudo apt-get install libmsquic -y
Now restart the DNS server so that it loads the newly installed libmsquic library. Once the DNS server is available, you can use the DNS-over-QUIC protocol with forwarder or conditional forwarder configuration, or with the DNS Client tab in the DNS server web console. If you wish to run your own DNS-over-QUIC service, you can enable it from the Settings > Optional Protocols section similar to how you would enable the other encrypted DNS protocols.
If you have enabled HTTPS and configured a TLS certificate for the DNS web console, the web service will now automatically enable HTTP/3 support which will be available on UDP port 443.
If you have any comments or queries, do let me know in the comments section below or send an email to support@technitium.com.
Will dns-over-quic work in the docker deployment? I tried switching to quic, but I get an error message saying that libmsquic and openssl have to be installed manually.
ReplyDeleteThe current docker image that is available does not have libmsquic installed. A new docker image will be available by this weekend that will work for QUIC without any issues.
DeleteThats wonderful. Thank you!
DeleteOn 11.0 docker image, web management gives error if i want to set forwarder to a quic provider. Please check.
ReplyDeleteError! DNS-over-QUIC is supported only on Windows 11, Windows Server 2022, and Linux. On Linux, you must install 'libmsquic' and OpenSSL v1.1.1 manually.
The current docker image that is available does not have libmsquic installed. A new docker image will be available by this weekend that will work for QUIC without any issues.
DeleteNew docker image is now available with libmsquic installed.
DeleteHello!
ReplyDeleteIs DNS over TLS faster (lower overall latency for the queries) than DNS over HTTPS on v11?
I've made some testing and noticed a ~1-2ms lower latency with DoT, but I want to know if any of them reutilizes the TLS session.
Also, thank you a lot for developing this software!
Thanks for asking. Its a bit complicated and depends upon the upstream server too.
DeleteDoT is native to most DNS servers since its just DNS-over-TCP wrapped with TLS and thus it supports pipelining of queries.
DoH performance depends on weather its using HTTP/1.1, HTTP/2, or HTTP/3. With HTTP/1.1 the performance will be less than DoT since queries cannot be pipelined, while with HTTP/2, it will be similar to DoT, and with HTTP/3 it will be similar to DoQ.
Overall, you will see similar performance for single query for all encrypted protocols but the performance will improve when you have multiple parallel queries over same protocol connection.