DNSCrypt
diff --git a/‎README.md‎
Lines changed: 82 additions & 2 deletions b/‎README.md‎
Lines changed: 82 additions & 2 deletions
diff --git a/‎src/config.rs‎
Lines changed: 42 additions & 0 deletions b/‎src/config.rs‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎src/libdoh/Cargo.toml‎
Lines changed: 3 additions & 0 deletions b/‎src/libdoh/Cargo.toml‎
Lines changed: 3 additions & 0 deletions
@@ -4,9 +4,9 @@
 [![Rust](https://img.shields.io/badge/rust-%23000000.svg?style=flat&logo=rust&logoColor=white)](https://www.rust-lang.org/)
 [![Crates.io](https://img.shields.io/crates/v/doh-proxy.svg)](https://crates.io/crates/doh-proxy)
 
-A fast and secure DoH (DNS-over-HTTPS) and ODoH (Oblivious DoH) server.
+A fast and secure DoH (DNS-over-HTTPS), DoQ (DNS-over-QUIC), and ODoH (Oblivious DoH) server.
 
-`doh-proxy` is written in Rust, and has been battle-tested in production since February 2018. It doesn't do DNS resolution on its own, but can sit in front of any DNS resolver in order to augment it with DoH support.
+`doh-proxy` is written in Rust, and has been battle-tested in production since February 2018. It doesn't do DNS resolution on its own, but can sit in front of any DNS resolver in order to augment it with DoH, DoQ, and ODoH support.
 
 ## Table of Contents
 
@@ -56,6 +56,7 @@ A fast and secure DoH (DNS-over-HTTPS) and ODoH (Oblivious DoH) server.
 ## Features
 
 - **DNS-over-HTTPS (DoH)** - Encrypts DNS queries using HTTPS
+- **DNS-over-QUIC (DoQ)** - Encrypts DNS queries using QUIC protocol (RFC 9250)
 - **JSON API Support** - Compatible with Google DNS-over-HTTPS JSON API format
 - **Oblivious DoH (ODoH)** - Provides additional privacy by hiding client IP addresses
 - **EDNS Client Subnet** - Forward client IP information to upstream resolvers for geo-optimized responses
@@ -139,6 +140,9 @@ OPTIONS:
     --enable-ecs                              Enable EDNS Client Subnet
     --ecs-prefix-v4 <ecs_prefix_v4>         IPv4 prefix length for EDNS Client Subnet [default: 24]
     --ecs-prefix-v6 <ecs_prefix_v6>         IPv6 prefix length for EDNS Client Subnet [default: 56]
+    --enable-doq                             Enable DNS-over-QUIC (DoQ) server on UDP port 853
+    --doq-port <doq_port>                    UDP port for DNS-over-QUIC server [default: 853]
+    --doq-idle-timeout <doq_idle_timeout>    Idle timeout for DoQ connections in seconds [default: 30]
 ```
 
 ### Example Configurations
@@ -170,6 +174,17 @@ doh-proxy -H 'doh.example.com' \
 doh-proxy -H 'doh.example.com' -u 127.0.0.1:53 -l 127.0.0.1:3000
 ```
 
+**With DNS-over-QUIC (DoQ) support:**
+```sh
+doh-proxy -H 'doh.example.com' \
+          -u 127.0.0.1:53 \
+          -i /path/to/cert.pem \
+          -I /path/to/key.pem \
+          --enable-doq \
+          --doq-port 853
+```
+This enables both DoH on HTTPS port and DoQ on UDP port 853.
+
 ## Deployment Architectures
 
 ### Behind a Reverse Proxy (Recommended)
@@ -409,6 +424,71 @@ curl -H "X-Forwarded-For: 1.2.3.4" \
 
 For maximum privacy, avoid enabling ECS or use larger prefix values (smaller subnets) like /8 for IPv4 or /32 for IPv6.
 
+## DNS-over-QUIC (DoQ)
+
+### Overview
+
+DNS-over-QUIC (DoQ) is specified in RFC 9250 and provides DNS transport over the QUIC protocol. It offers similar privacy properties to DoH but with improved performance characteristics:
+
+- **Zero Round-Trip Time (0-RTT)**: Faster connection establishment for returning clients
+- **No Head-of-Line Blocking**: Independent stream delivery prevents one slow query from blocking others
+- **Connection Migration**: Maintains connections even when client IP addresses change
+- **Lower Latency**: QUIC's efficient packet loss recovery and congestion control
+
+### Configuration
+
+Enable DoQ support with the following command-line options:
+
+- `--enable-doq` - Enable DNS-over-QUIC server
+- `--doq-port <port>` - UDP port for DoQ (default: 853)
+- `--doq-idle-timeout <seconds>` - Connection idle timeout (default: 30)
+
+### Examples
+
+**Basic DoQ setup:**
+```sh
+doh-proxy -H 'dns.example.com' \
+          -u 127.0.0.1:53 \
+          -i /path/to/cert.pem \
+          -I /path/to/key.pem \
+          --enable-doq
+```
+
+**DoQ with custom port and timeout:**
+```sh
+doh-proxy -H 'dns.example.com' \
+          -u 127.0.0.1:53 \
+          -i /path/to/cert.pem \
+          -I /path/to/key.pem \
+          --enable-doq \
+          --doq-port 8853 \
+          --doq-idle-timeout 60
+```
+
+**Combined DoH and DoQ:**
+```sh
+doh-proxy -H 'dns.example.com' \
+          -u 127.0.0.1:53 \
+          -l 0.0.0.0:443 \
+          -i /path/to/cert.pem \
+          -I /path/to/key.pem \
+          --enable-doq
+```
+This configuration serves DoH on TCP port 443 and DoQ on UDP port 853.
+
+### Client Configuration
+
+DoQ clients can connect using:
+- Protocol: DNS-over-QUIC (RFC 9250)
+- Port: UDP 853 (default)
+- ALPN: "doq"
+
+### Requirements
+
+- TLS certificates are required (same certificates used for DoH)
+- UDP port 853 must be accessible (or custom port if configured)
+- QUIC uses UDP, ensure firewalls allow UDP traffic
+
 ## Oblivious DoH (ODoH)
 
 Oblivious DoH is similar to Anonymized DNSCrypt, but for DoH. It requires relays, but also upstream DoH servers that support the protocol.
 
@@ -169,6 +169,26 @@ pub fn parse_opts(globals: &mut Globals) {
                 .num_args(1)
                 .default_value("56")
                 .help("EDNS Client Subnet prefix length for IPv6 addresses"),
+        )
+        .arg(
+            Arg::new("enable_doq")
+                .long("enable-doq")
+                .action(SetTrue)
+                .help("Enable DNS-over-QUIC (DoQ) server on UDP port 853"),
+        )
+        .arg(
+            Arg::new("doq_port")
+                .long("doq-port")
+                .num_args(1)
+                .default_value("853")
+                .help("UDP port for DNS-over-QUIC server"),
+        )
+        .arg(
+            Arg::new("doq_idle_timeout")
+                .long("doq-idle-timeout")
+                .num_args(1)
+                .default_value("30")
+                .help("Idle timeout for DoQ connections in seconds"),
         );
 
     #[cfg(feature = "tls")]
@@ -299,6 +319,7 @@ pub fn parse_opts(globals: &mut Globals) {
     globals.disable_post = matches.get_flag("disable_post");
     globals.allow_odoh_post = matches.get_flag("allow_odoh_post");
     globals.enable_ecs = matches.get_flag("enable_ecs");
+    globals.enable_doq = matches.get_flag("enable_doq");
 
     // Parse ECS prefix lengths
     let ecs_prefix_v4_str = matches
@@ -321,6 +342,27 @@ pub fn parse_opts(globals: &mut Globals) {
         ))
     });
 
+    // Parse DoQ configuration
+    let doq_port_str = matches
+        .get_one::<String>("doq_port")
+        .expect("doq_port has a default value");
+    globals.doq_port = doq_port_str.parse().unwrap_or_else(|e| {
+        exit_with_error(&format!(
+            "Invalid DoQ port '{}': {}",
+            doq_port_str, e
+        ))
+    });
+
+    let doq_idle_timeout_str = matches
+        .get_one::<String>("doq_idle_timeout")
+        .expect("doq_idle_timeout has a default value");
+    globals.doq_idle_timeout = doq_idle_timeout_str.parse().unwrap_or_else(|e| {
+        exit_with_error(&format!(
+            "Invalid DoQ idle timeout '{}': {}",
+            doq_idle_timeout_str, e
+        ))
+    });
+
     #[cfg(feature = "tls")]
     {
         globals.tls_cert_path = matches
 
@@ -43,6 +43,9 @@ tokio-rustls = { version = "^0.24.1", features = [
     "early-data",
 ], optional = true }
 rustls-pemfile = "^1.0.4"
+quiche = { version = "0.21", features = ["boringssl-vendored"] }
+ring = "0.17"
+mio = { version = "1.0", features = ["net", "os-poll"] }
 
 [profile.release]
 codegen-units = 1