Sunday, February 19, 2023

Configuring DNS-over-QUIC and HTTP/3 For Technitium DNS Server

Updated: 14 Jul 2023

Technitium DNS Server is cross-platform, free, open source software that is easy to deploy and use yet packs powerful features. Starting with the version 11.0 release, the DNS server supports the DNS-over-QUIC encrypted DNS protocol in addition to the existing DNS-over-TLS and DNS-over-HTTPS encrypted DNS protocols. With this update, you can use DNS-over-QUIC with a forwarder or conditional forwarder, or host your own DNS-over-QUIC service.

The DNS server has also added HTTP/3 support for both its web console and its DNS-over-HTTPS service. Since HTTP/3 also runs over the QUIC transport protocol, the requirements and configuration described in this post apply to it as well.

Let's see how to configure the DNS server to use the new QUIC transport protocol.

Requirements

DNS-over-QUIC is built on the QUIC transport protocol, which is relatively new and not yet available on all platforms. The .NET Runtime gets its QUIC support from msquic, Microsoft's implementation of the protocol, and msquic is currently available only on Windows and Linux.

For Windows

The support for QUIC on Windows is only available on following Windows versions:

  • Windows 11 (build 22000 or later)
  • Windows Server 2022

The Windows versions listed above ship with msquic already installed, so no additional installation is needed. There is no option yet to use the QUIC protocol natively on Windows 10 or older versions; however, you can use it on Windows 10 by running the DNS server as a docker container.

For Linux

On Linux, you need to install libmsquic to enable QUIC protocol support. The library is published in the Microsoft Software Repository for Linux. Follow Microsoft's instructions for adding the software repository on your distro; the examples below show the steps for two common distros:

  • Ubuntu 22.04
    curl -sSL https://packages.microsoft.com/keys/microsoft.asc | sudo tee /etc/apt/trusted.gpg.d/microsoft.asc
    sudo apt-add-repository https://packages.microsoft.com/ubuntu/22.04/prod
    sudo apt-get update
    
  • Raspberry Pi OS (Debian 12 based)
    curl -sSL https://packages.microsoft.com/keys/microsoft.asc | sudo tee /etc/apt/trusted.gpg.d/microsoft.asc
    sudo apt-add-repository https://packages.microsoft.com/debian/12/prod
    sudo apt-get update
    

Once you have the Microsoft Software Repository installed on your distro, you can proceed to install libmsquic library as shown below:

sudo apt-get install libmsquic -y

Now restart the DNS server so that it loads the newly installed libmsquic library. Once the DNS server is back up, you can use DNS-over-QUIC with a forwarder or conditional forwarder, or from the DNS Client tab in the DNS server web console. If you wish to run your own DNS-over-QUIC service, enable it from the Settings > Optional Protocols section, just as you would enable the other encrypted DNS protocols; the service listens on UDP port 853, the port assigned to DNS-over-QUIC by RFC 9250.

If you have enabled the HTTPS and HTTP/3 options and configured a TLS certificate for the DNS web console, the web service will also serve HTTP/3, which is available on UDP port 443. Keep in mind that QUIC runs over UDP: firewall rules that only permit TCP port 853 for DNS-over-TLS and TCP port 443 for DNS-over-HTTPS will silently block DNS-over-QUIC and HTTP/3, so open the corresponding UDP ports as well.
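The two distro examples above are instances of one procedure: pick the packages.microsoft.com path for the running distro, add Microsoft's signing key, install libmsquic, restart the DNS server and confirm the QUIC listeners came up. The script below is an added example written for this post, not code from Technitium or Microsoft. It generalises the repo selection to any Ubuntu or Debian-based release by reading /etc/os-release, uses an apt keyring file instead of the deprecated apt-key, and verifies the result. It assumes the DNS server runs as the systemd unit dns.service (the unit name Technitium's Linux install script creates), that ss is available for the listener check, and that kdig, if present, was built with QUIC support; those are assumptions of this example, not facts stated in the post.

```shell
#!/bin/sh
# Added helper for this post (not Technitium's or Microsoft's own tooling).
# Assumptions: the DNS server runs as the systemd unit dns.service, ss(8) is
# available for the listener check, and kdig (Knot DNS, QUIC-enabled) is optional.

MS_KEY_URL="https://packages.microsoft.com/keys/microsoft.asc"
MS_KEYRING="/etc/apt/trusted.gpg.d/microsoft.asc"   # apt reads armored keys here; no apt-key needed

# os_release_field TEXT KEY: value of KEY from os-release style text, quotes stripped.
os_release_field() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1 | tr -d '"'
}

# msquic_repo_url ID VERSION_ID: prints the packages.microsoft.com repo URL for the
# distro, or fails when there is no known mapping. The post shows Ubuntu 22.04 and
# Debian 12; the general Ubuntu/Debian mapping is this example's own.
msquic_repo_url() {
    case "$1" in
        ubuntu)
            echo "https://packages.microsoft.com/ubuntu/$2/prod" ;;
        debian|raspbian)
            # Raspberry Pi OS reports ID=raspbian (32-bit) or ID=debian (64-bit) and
            # tracks Debian's major version, which is all the repo path needs.
            echo "https://packages.microsoft.com/debian/${2%%.*}/prod" ;;
        *)
            echo "no Microsoft repo mapping for distro '$1'" >&2
            return 1 ;;
    esac
}

# repo_url_for TEXT: repo URL for the distro described by os-release text.
repo_url_for() {
    msquic_repo_url "$(os_release_field "$1" ID)" "$(os_release_field "$1" VERSION_ID)"
}

# install_libmsquic: add Microsoft's key and repo for the running distro, then install.
install_libmsquic() {
    url=$(repo_url_for "$(cat /etc/os-release)") || return 1
    curl -sSL "$MS_KEY_URL" | sudo tee "$MS_KEYRING" >/dev/null
    sudo apt-add-repository "$url"
    sudo apt-get update
    sudo apt-get install -y libmsquic
}

# udp_listener_up PORT: succeeds when a socket is bound to UDP PORT
# (853 is the DNS-over-QUIC port from RFC 9250, 443 carries HTTP/3).
udp_listener_up() {
    ss -lun 2>/dev/null | grep -q ":$1 "
}

# verify_quic: restart the server so it loads libmsquic, then check the listeners.
verify_quic() {
    /sbin/ldconfig -p | grep -q libmsquic || { echo "libmsquic not visible to the dynamic linker" >&2; return 1; }
    sudo systemctl restart dns.service          # assumed unit name, see header comment
    sleep 2
    udp_listener_up 853 && echo "DNS-over-QUIC listening on UDP 853"
    udp_listener_up 443 && echo "HTTP/3 listening on UDP 443"
    # Optional end-to-end query with Knot's kdig (+quic needs a QUIC-enabled build).
    if command -v kdig >/dev/null 2>&1; then
        kdig +quic @127.0.0.1 example.com A +short
    fi
}

case "${1:-demo}" in
    install) install_libmsquic ;;
    verify)  verify_quic ;;
    demo)
        # Offline demo on constructed os-release text for a Raspberry Pi OS (Debian 12) box.
        sample='PRETTY_NAME="Raspbian GNU/Linux 12 (bookworm)"
ID=raspbian
VERSION_ID="12"'
        echo "repo for constructed sample: $(repo_url_for "$sample")" ;;
esac
```

Run it with install to add the repo and library, with verify after the restart to confirm that UDP 853 and UDP 443 are bound, or with no argument for the offline demo on constructed os-release text. The listener check is the practitioner's proof that libmsquic actually loaded: if the server started but neither UDP port is bound, the library was not found and the encrypted-protocol settings fell back to nothing.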

If you have any comments or queries, do let me know in the comments section below or send an email to support@technitium.com.

10 comments:

  1. Will dns-over-quic work in the docker deployment? I tried switching to quic, but I get an error message saying that libmsquic and openssl have to be installed manually.

    Replies
    1. The current docker image that is available does not have libmsquic installed. A new docker image will be available by this weekend that will work for QUIC without any issues.

    2. That's wonderful. Thank you!

  2. On the 11.0 docker image, web management gives an error if I want to set a forwarder to a QUIC provider. Please check.

    Error! DNS-over-QUIC is supported only on Windows 11, Windows Server 2022, and Linux. On Linux, you must install 'libmsquic' and OpenSSL v1.1.1 manually.

    Replies
    1. The current docker image that is available does not have libmsquic installed. A new docker image will be available by this weekend that will work for QUIC without any issues.

    2. A new docker image is now available with libmsquic installed.

  3. Hello!
    Is DNS-over-TLS faster (lower overall latency for the queries) than DNS-over-HTTPS on v11?
    I've done some testing and noticed ~1-2 ms lower latency with DoT, but I want to know if either of them reuses the TLS session.
    Also, thank you a lot for developing this software!

    Replies
    1. Thanks for asking. It's a bit complicated and depends on the upstream server too.

      DoT is native to most DNS servers since it's just DNS-over-TCP wrapped in TLS, and thus it supports pipelining of queries.

      DoH performance depends on whether it's using HTTP/1.1, HTTP/2, or HTTP/3. With HTTP/1.1, performance will be lower than DoT since queries cannot be pipelined; with HTTP/2 it will be similar to DoT, and with HTTP/3 it will be similar to DoQ.

      Overall, you will see similar performance for a single query across all the encrypted protocols, but performance improves when you have multiple parallel queries over the same protocol connection.

    2. Hi, the Raspberry Pi code is out of date. Can you please update the post?