Knot Resolver vs Blocky vs DNSCrypt-Proxy: Self-Hosted DNS-over-QUIC Guide 2026

DNS-over-QUIC (DoQ) is the newest encrypted DNS protocol, standardized in RFC 9250 in 2022. It combines the privacy benefits of DNS encryption with the performance advantages of the QUIC transport protocol — delivering faster, more reliable DNS resolution than traditional DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH).

In this guide, we compare four leading open-source tools that support DNS-over-QUIC for self-hosted deployments: Knot Resolver, Blocky, DNSCrypt-Proxy, and Stubby. Whether you’re running a home lab or a production DNS infrastructure, you’ll find the right DoQ solution here.

For related reading, see our DNS-over-TLS resolver comparison and complete DNS privacy guide.

Why DNS-over-QUIC Matters for Self-Hosted DNS

Traditional DNS queries travel in plaintext, making them vulnerable to eavesdropping, manipulation, and censorship. Encrypted DNS protocols solve this problem:

DoQ’s advantages over DoT and DoH:

• Faster connection establishment — QUIC eliminates the TCP+TLS handshake round trips, reducing DNS query latency by 20-40%
• No head-of-line blocking — Unlike TCP-based protocols, a lost packet doesn’t stall all subsequent queries
• Connection migration — QUIC connections survive IP changes (useful for mobile and roaming clients)
• Built-in encryption — TLS 1.3 is mandatory in QUIC, no unencrypted fallback
• UDP-based — Avoids TCP connection overhead and middlebox interference

For self-hosted setups, DoQ means your DNS infrastructure gets the fastest encrypted transport available while maintaining full control over your resolver configuration and privacy.

Tool Comparison Overview

Quick recommendation:

• Knot Resolver — Best for running a full authoritative/caching DNS resolver with native DoQ server support
• Blocky — Best lightweight DNS proxy with ad blocking, web UI, and easy DoQ upstream configuration
• DNSCrypt-Proxy — Best for maximum privacy with diverse encrypted DNS sources and automatic server selection
• Stubby — Best minimal stub resolver for routing system DNS through DoQ upstreams

Knot Resolver: Full DNS Resolver with Native DoQ

Knot Resolver by CZ.NIC is a full-featured caching DNS resolver with native support for DNS-over-QUIC as both client and server. It’s built on the same foundation as Knot DNS (authoritative server), giving it enterprise-grade performance and correctness.

Key Features

• Full recursive resolver with DNSSEC validation
• Native DoQ server and client support
• DNS-over-TLS and DNS-over-HTTPS server support
• Lua scripting for custom policies
• Modular architecture with plugin system
• Built-in cache with persistent storage
• Management API via kresctl

Docker Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

version: "3.8"

services:
  knot-resolver:
    image: cznic/knot-resolver:latest
    container_name: knot-resolver
    ports:
      - "53:53/udp"
      - "53:53/tcp"
      - "853:853/tcp"
      - "443:443/tcp"
    volumes:
      - ./knot-config.yaml:/etc/knot-resolver/config.yaml:ro
      - knot-cache:/var/cache/knot-resolver
    restart: unless-stopped
    cap_add:
      - NET_BIND_SERVICE

volumes:
  knot-cache:

DoQ Configuration

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

# /etc/knot-resolver/config.yaml
workers: 2

logging:
  level: info

network:
  listen:
    - interface: "@53"          # Plain DNS
    - interface: "@853"         # DNS-over-TLS
      kind: dot
    - interface: "@443"         # DNS-over-HTTPS
      kind: doh2
    - interface: "@853"         # DNS-over-QUIC (server)
      kind: doq

# Upstream DoQ resolvers for recursive queries
policy.add(policy.suffix(policy.FORWARD({
  'quic://dns.adguard.com',
  'quic://dns.quad9.net'
}), policy.suffix('.')).ttl)

When to Use Knot Resolver

Choose Knot Resolver when you need a full recursive resolver that can also serve DoQ queries to your network. It’s ideal for organizations or home labs that want to operate their own DNS infrastructure with complete control over caching, forwarding policies, and DNSSEC validation.

Blocky: Lightweight DNS Proxy with Ad Blocking and DoQ

Blocky is a fast, lightweight DNS proxy written in Go. It’s designed as an ad-blocking DNS server (like Pi-hole or AdGuard Home) but with a focus on performance, modern protocols, and a clean configuration format.

Key Features

• Built-in ad and tracker blocking via blocklists
• DNS-over-QUIC upstream support (quic:// prefix)
• DNS-over-QUIC server support for client queries
• Web UI for query logs and statistics
• Prometheus metrics endpoint
• Client-specific DNS configuration
• Conditional forwarding per domain
• Fast startup with parallel upstream checks

Docker Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

version: "3.8"

services:
  blocky:
    image: ghcr.io/0xerr0r/blocky:latest
    container_name: blocky
    ports:
      - "53:53/udp"
      - "53:53/tcp"
      - "4000:4000/tcp"
    volumes:
      - ./config.yml:/app/config.yml:ro
    restart: unless-stopped
    cap_add:
      - NET_BIND_SERVICE

DoQ Configuration

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

# config.yml
upstreams:
  groups:
    default:
      # DNS-over-QUIC upstreams
      - quic://dns.adguard.com
      - quic://dns.quad9.net
      - quic://one.one.one.one
      # Fallback to DoH
      - https://dns.google/dns-query
  strategy: parallel_best
  timeout: 2s
  quic:
    maxIdleTimeout: 30s

ports:
  dns: 53
  http: 4000

blocking:
  blackLists:
    ads:
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
      - https://raw.githubusercontent.com/crazy-max/blocklists/master/hosts/ads
  clientGroupsBlock:
    default:
      - ads

When to Use Blocky

Choose Blocky when you want an ad-blocking DNS proxy with DoQ support and a web UI. It’s the best choice for home networks that want content filtering, query logging, and encrypted upstream DNS in a single lightweight package. With over 6,500 GitHub stars and active development, it’s one of the most popular self-hosted DNS proxies.

DNSCrypt-Proxy: Maximum Privacy DNS Proxy

DNSCrypt-Proxy is the most established encrypted DNS proxy, supporting DNSCrypt, DoH, DoT, and DNS-over-QUIC (via HTTP/3). It automatically selects the fastest working resolver from a public server list, providing maximum privacy and reliability.

Key Features

• Automatic server selection and fallback
• DNSCrypt protocol support (unique to this tool)
• DoH, DoT, and HTTP/3 (QUIC) support
• Local caching for faster repeated queries
• Cloaking rules (redirect domains to specific IPs)
• Query logging with anonymization
• Parental control filters
• Load balancing across multiple resolvers
• Dynamic server list updates

Docker Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

version: "3.8"

services:
  dnscrypt-proxy:
    image: ghcr.io/dnscrypt/dnscrypt-proxy:latest
    container_name: dnscrypt-proxy
    ports:
      - "53:53/udp"
      - "53:53/tcp"
    volumes:
      - ./dnscrypt-proxy.toml:/config/dnscrypt-proxy.toml:ro
    restart: unless-stopped
    cap_add:
      - NET_BIND_SERVICE

DoQ Configuration

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

# dnscrypt-proxy.toml
listen_addresses = ['0.0.0.0:53', '[::]:53']
max_clients = 250

# Enable HTTP/3 (QUIC) support
http3 = true

# Use servers that support QUIC/DoQ
# Server names from the public-resolvers list
server_names = ['cloudflare', 'cloudflare-ipv6', 'quad9-dnscrypt-ipv4-filter-pri']

# Require encrypted protocols only
dnscrypt_servers = true
doh_servers = true

# Server selection
lb_strategy = 'ph'
lb_estimator = 'log'

# Cache settings
cache = true
cache_size = 512
cache_min_ttl = 600
cache_max_ttl = 86400

# Privacy
reject_ttl = 86400

# Query logging
[query_log]
  format = 'tsv'
  file = '/var/log/dnscrypt-proxy/query.log'

[static]
  [static.'my-doq-server']
    stamp = 'sdns://...your-doq-stamp-here...'

When to Use DNSCrypt-Proxy

Choose DNSCrypt-Proxy when you want automatic server selection with maximum privacy. It’s the only tool that supports the DNSCrypt protocol in addition to DoH/DoT/DoQ, giving you access to the widest range of encrypted DNS servers. With over 13,000 GitHub stars, it’s the most popular encrypted DNS proxy.

Stubby: Minimal DNS-over-QUIC Stub Resolver

Stubby is a lightweight DNS stub resolver built on the getdns API. It routes all system DNS queries through encrypted transports (DoT, DoH, DoQ) with automatic failover. It’s the simplest option for adding encrypted DNS to a Linux system.

Key Features

• Minimal resource footprint
• DNS-over-TLS, DoH, and DoQ support
• Automatic upstream failover
• Strict authentication (pins certificates)
• systemd integration
• Round-robin and randomized query distribution
• Compatible with system-resolved

Docker Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

version: "3.8"

services:
  stubby:
    image: ghcr.io/getdnsapi/stubby:latest
    container_name: stubby
    ports:
      - "53:53/udp"
      - "53:53/tcp"
    volumes:
      - ./stubby.yml:/etc/stubby/stubby.yml:ro
    restart: unless-stopped
    network_mode: host

DoQ Configuration

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

# stubby.yml
appdata_dir: /var/cache/stubby

listen_addresses:
  - 127.0.0.1
  - 0.0.0.0

dns_transport_list:
  - QUIC
  - TLS
  - UDP

tls_authentication: ENSURE_AUTHENTICATION

tls_query_padding_blocksize: 128

idle_timeout: 10000

getdns_query: /usr/bin/getdns_query

upstream_recursive_servers:
  # Cloudflare via DoQ
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: "..."
  # Quad9 via DoQ
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"

When to Use Stubby

Choose Stubby when you need a minimal stub resolver to encrypt all system DNS queries. It’s perfect for individual machines that want to use DoQ upstreams without running a full recursive resolver. Its small footprint makes it ideal for resource-constrained environments like Raspberry Pi or containers.

Performance Comparison

Based on published benchmarks and protocol characteristics:

DoQ latency advantage: Across all tools, DoQ queries are typically 20-40% faster than DoT for cold queries (no existing connection) because QUIC combines transport and TLS handshake into a single round trip, whereas DoT requires TCP handshake + TLS handshake (2 RTTs).

Choosing the Right DoQ Tool

For a home network with ad blocking: Use Blocky. It combines DoQ upstream support with built-in ad blocking, a web UI, and client-specific policies. The YAML configuration is straightforward and Docker deployment is simple. If you’re migrating from Pi-hole or AdGuard Home, check out our DNS filtering and content blocking guide for additional context.

For enterprise DNS infrastructure: Use Knot Resolver. It’s a full recursive resolver with DNSSEC, Lua scripting, and the ability to serve DoQ queries to your entire network. The investment in configuration complexity pays off in features and control.

For maximum privacy and redundancy: Use DNSCrypt-Proxy. Its automatic server selection, DNSCrypt support, and dynamic server list make it the most resilient option. If one resolver goes down, it seamlessly switches to another.

For individual machine encryption: Use Stubby. It’s the lightest option and integrates cleanly with systemd-resolved. Perfect for laptops, servers, or any single machine that needs encrypted DNS without the overhead of a full resolver.

Frequently Asked Questions

What is DNS-over-QUIC and how does it differ from DNS-over-TLS?

DNS-over-QUIC (DoQ) is an encrypted DNS protocol that uses the QUIC transport protocol (RFC 9250). Unlike DNS-over-TLS (DoT), which runs over TCP with a separate TLS handshake, DoQ uses UDP-based QUIC that combines transport and encryption in a single handshake. This reduces connection latency by eliminating the TCP handshake round trip, and QUIC’s multiplexing prevents head-of-line blocking that can affect TCP-based DNS.

Which public DNS resolvers support DNS-over-QUIC?

Several major public DNS providers support DoQ:

• AdGuard DNS: quic://dns.adguard.com (port 853)
• Quad9: quic://dns.quad9.net (port 853)
• Cloudflare: quic://one.one.one.one (port 443)
• Google Public DNS: quic://dns.google (port 443)

Can I run a DoQ server for my local network?

Yes. Both Knot Resolver and Blocky can act as DoQ servers, meaning they accept DoQ queries from clients on your network. Knot Resolver supports DoQ on port 853 with its kind: doq configuration. Blocky can serve DoQ queries when configured with the appropriate TLS certificates. This lets your devices use encrypted DNS internally, not just for upstream queries.

Is DNS-over-QUIC stable enough for production use?

Yes. DoQ was standardized as RFC 9250 in August 2022 and has seen widespread adoption. All four tools covered in this guide have production-ready DoQ implementations. The QUIC protocol itself is mature, being the foundation of HTTP/3. Major DNS providers including Cloudflare, Google, and Quad9 all operate production DoQ endpoints.

Do I need special firewall rules for DNS-over-QUIC?

DoQ uses UDP (unlike DoT which uses TCP). The standard ports are 853 and 443. You need to allow outbound UDP traffic on these ports from your resolver to the upstream DoQ servers. If you’re running a DoQ server, you need to allow inbound UDP on your chosen port. Some corporate firewalls may block non-standard UDP ports, so port 443 is often the safest choice for upstream connections.

Can I use DNS-over-QUIC with Pi-hole or AdGuard Home?

Pi-hole does not natively support DoQ as an upstream resolver. However, you can place a DoQ-capable stub resolver (like Stubby or DNSCrypt-Proxy) between Pi-hole and the internet: Pi-hole → Stubby (DoQ) → Internet. AdGuard Home has experimental DoQ support in recent versions. Blocky, which is similar to AdGuard Home, has full DoQ support built in.