Knot DNS vs DNSdist vs Unbound: Self-Hosted DNS-over-QUIC Server Guide 2026

DNS-over-QUIC (DoQ) encrypts DNS queries using the QUIC transport protocol, providing privacy protection against eavesdropping and man-in-the-middle attacks. Unlike DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH), DoQ eliminates head-of-line blocking and reduces latency through QUIC’s 0-RTT connection establishment. This guide compares three self-hosted DNS servers that support DoQ: Knot DNS, DNSdist, and Unbound.

What Is DNS-over-QUIC?

DNS-over-QUIC (RFC 9250) wraps DNS messages inside QUIC streams, providing:

• Full encryption — queries and responses are encrypted end-to-end
• No head-of-line blocking — QUIC streams are independent
• Faster connection setup — 0-RTT for returning clients
• UDP-like performance — no TCP handshake overhead
• Port 853 — standardized port (same as DoT)

Knot DNS Resolver

Knot DNS Resolver (⭐ 300+) by CZ.NIC is a high-performance caching DNS resolver with built-in support for DoQ, DoT, and DoH. It is designed for speed and correctness, with a modular architecture.

Key Features

• Native DoQ support (RFC 9250)
• DNSSEC validation built-in
• Modular policy engine (RPZ, filtering, rewriting)
• High-performance LuaJIT-based event loop
• Prometheus metrics export

Docker Compose

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

version: "3.8"
services:
  knot-resolver:
    image: cznic/knot-resolver:latest
    container_name: knot-resolver
    ports:
      - "53:53/udp"
      - "53:53/tcp"
      - "853:853/tcp"
      - "853:853/udp"
    volumes:
      - ./kresd.conf:/etc/knot-resolver/kresd.conf
      - ./certs:/etc/knot-resolver/certs
    restart: unless-stopped

Configuration (kresd.conf):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

-- Enable DNS-over-QUIC
tls.server('0.0.0.0', {
  '/etc/knot-resolver/certs/server.pem',
  '/etc/knot-resolver/certs/server.key'
}, { protocols = 'quic' })

-- Forwarding to upstream resolvers
policy.add(policy.all(policy.TLS_FORWARD({
  {'1.1.1.1', hostname='cloudflare-dns.com'},
  {'8.8.8.8', hostname='dns.google'},
})))

-- Cache size
cache.size = 500 * MB

DNSdist

DNSdist (⭐ 4350+) by PowerDNS is a highly flexible DNS load balancer and proxy that supports DoQ, DoT, DoH, and DNSCrypt. While technically a front-end rather than a full resolver, it can act as a privacy-protecting DNS proxy.

Key Features

• Multi-protocol support (DoQ, DoT, DoH, DNSCrypt, plain DNS)
• Advanced query routing and load balancing
• Query filtering, rate limiting, and ACL support
• Real-time web console and Prometheus metrics
• Lua scripting for custom query processing

Docker Compose

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

version: "3.8"
services:
  dnsdist:
    image: pdns/pdns-dnsdist:latest
    container_name: dnsdist
    ports:
      - "53:53/udp"
      - "53:53/tcp"
      - "853:853/tcp"
      - "853:853/udp"
      - "8083:8083/tcp"
    volumes:
      - ./dnsdist.conf:/etc/dnsdist/dnsdist.conf:ro
      - ./certs:/etc/dnsdist/certs:ro
    restart: unless-stopped

Configuration (dnsdist.conf):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

-- Add DoQ backend
addTLSLocal("0.0.0.0", "/etc/dnsdist/certs/server.pem", "/etc/dnsdist/certs/server.key", {doh=true, doq=true})

-- Define upstream resolvers
newServer({address="1.1.1.1:53", name="cloudflare", checkName="cloudflare-dns.com."})
newServer({address="8.8.8.8:53", name="google", checkName="dns.google."})

-- Set balancing policy
setServerPolicy(roundrobin)

-- Rate limiting
addAction(AllRule(), QPSPoolAction("default", 100))

-- Web console
controlSocket("0.0.0.0:8083")
webserver("0.0.0.0:8083", "changeme")

Unbound

Unbound (⭐ 4480+) by NLnet Labs is a validating, recursive, caching DNS resolver with DoQ support added in version 1.18+. It is widely deployed and known for its security track record.

Key Features

• Full recursive resolver with DNSSEC validation
• DoQ support since version 1.18
• DNS-over-TLS and DNS-over-HTTPS
• Response Policy Zones (RPZ) support
• Low memory footprint

Docker Compose

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

version: "3.8"
services:
  unbound:
    image: mvance/unbound:latest
    container_name: unbound
    ports:
      - "53:53/udp"
      - "53:53/tcp"
      - "853:853/tcp"
      - "853:853/udp"
    volumes:
      - ./unbound.conf:/opt/unbound/etc/unbound/unbound.conf:ro
      - ./certs:/opt/unbound/etc/unbound/certs:ro
    restart: unless-stopped

Configuration (unbound.conf):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

server:
  interface: 0.0.0.0
  port: 53
  do-quic: yes
  quic-port: 853
  tls-cert-bundle: /opt/unbound/etc/unbound/certs/server.pem
  tls-service-key: /opt/unbound/etc/unbound/certs/server.key
  
  # DNSSEC
  harden-dnssec-stripped: yes
  val-permissive-mode: no
  
  # Cache
  cache-min-ttl: 300
  cache-max-ttl: 86400
  msg-cache-size: 256m
  rrset-cache-size: 512m

  # Upstream forward zones
  forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
    forward-tls-upstream: yes

Comparison Table

Which DNS-over-QUIC Server Should You Choose?

Choose Knot DNS Resolver if you need a high-performance caching resolver with native DoQ support and flexible policy-based query handling. Best for organizations that want a dedicated resolver with advanced filtering capabilities.

Choose DNSdist if you need a front-end proxy that distributes queries across multiple resolvers with load balancing, rate limiting, and multi-protocol support. Best for large deployments requiring query routing flexibility.

Choose Unbound if you want a battle-tested recursive resolver with DNSSEC validation and DoQ support. Best for privacy-conscious users who prioritize security and stability over cutting-edge features.

Why Self-Host Your DNS-over-QUIC Server?

Running your own DoQ server gives you complete control over query logging, upstream resolvers, and filtering policies. Public DoQ providers may log your queries or apply censorship. Self-hosting ensures your DNS traffic stays private. For a complete DNS privacy setup, see our DNS-over-TLS resolver guide and DNS filtering with Pi-hole.

FAQ

What is the difference between DoQ and DoT?

Both encrypt DNS queries, but DoQ uses QUIC (UDP-based) while DoT uses TCP with TLS. DoQ eliminates head-of-line blocking since QUIC streams are multiplexed independently. DoQ also supports 0-RTT connection resumption, making it faster for returning clients.

Which port does DNS-over-QUIC use?

DoQ uses port 853, the same as DNS-over-TLS. The protocol is negotiated during the QUIC handshake. If your firewall blocks UDP port 853, DoQ will fall back to DoT over TCP.

Can I run DoQ alongside DoT and DoH on the same server?

Yes. All three servers support running multiple protocols simultaneously. Knot DNS Resolver and DNSdist can listen for DoQ, DoT, and DoH on the same IP with different ports. Unbound supports all three but requires separate configuration sections.

Do I need a TLS certificate for DNS-over-QUIC?

Yes. DoQ requires a TLS certificate to establish the QUIC connection. You can use a Let’s Encrypt certificate or a self-signed one. For self-signed certs, clients must be configured to trust the certificate fingerprint.

Is DNS-over-QUIC faster than DNS-over-HTTPS?

Generally yes. DoQ avoids the HTTP/2 framing overhead of DoH and uses UDP-based QUIC which has lower latency than TCP-based HTTPS. The difference is most noticeable on high-latency networks where QUIC’s 0-RTT connection setup provides a significant advantage.

Does DNS-over-QUIC prevent DNS spoofing?

DoQ encrypts the query and response, preventing network-level spoofing and eavesdropping. However, it does not replace DNSSEC — you still need DNSSEC validation to ensure the DNS data itself has not been tampered with by an authoritative server.