Service Endpoints
DNS-over-QUIC (DoQ): dns.practicallyunhackable.com (UDP port 853)
IP Address: 128.254.206.25
Test example (using kdig): kdig @dns.practicallyunhackable.com -p 853 +quic example.com
Cryptographic Algorithms
Pure Post-Quantum: NIST FIPS 203 ML-KEM (ML-KEM512, ML-KEM768, ML-KEM1024) - covering NIST security levels 1, 3, and 5
Hybrid Post-Quantum: X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024 - maximum compatibility for 2026-2030
Classical Cryptography: secp384r1, secp521r1 - legacy fallback support
Why DNS-over-QUIC?
DoQ combines the privacy benefits of encrypted DNS with QUIC's performance advantages: reduced latency, improved connection migration, and better packet loss recovery compared to DoT.
QUIC's built-in encryption and multiplexing make it ideal for modern DNS resolution, especially on mobile networks with variable connectivity.
How We Did Better
In December 2025, AdGuard DNS became the world's first provider of post-quantum cryptography for DNS-over-QUIC. Their service uses the Hybrid X25519MLKEM768 algorithm (combining classical X25519 with post-quantum ML-KEM768) and requires installation of their compatible client.
In January 2026, I determined that no provider—including AdGuard, Cloudflare, Google, NextDNS, or ControlD—had implemented pure post-quantum cryptography algorithms. Dissatisfied with available options, I rebuilt a DoQ service from scratch.
End Result: As of January 25, 2026, this proof-of-concept at Practically Unhackable is the world's first and only DoQ service offering pure post-quantum cryptography alongside extensive hybrid and classical algorithm support. This service is prepared for the quantum threat timeline through 2030, 2035, and beyond.
Quick Setup
Linux (using kdig from knot-dnsutils)
kdig @dns.practicallyunhackable.com -p 853 +quic example.com
Stubby (DNS Privacy Daemon)
Edit /etc/stubby/stubby.yml to add DoQ upstream:
upstream_recursive_servers:
  - address_data: 128.254.206.25
    tls_port: 853
    tls_auth_name: "dns.practicallyunhackable.com"
    tls_transport: QUIC
Note: In case you have a problem with Stubby, please send me a message and I will try to fix it.
AdGuard Home
Add as upstream DNS server: quic://dns.practicallyunhackable.com:853
dnsproxy
dnsproxy -u quic://dns.practicallyunhackable.com:853
Note: In case you have a problem with any of these clients, please send me a message (with the version number) and I will try to fix it. I have not tested all clients yet.
Technical Specifications
DoQ: RFC 9250 (DNS over Dedicated QUIC Connections)
QUIC: RFC 9000, UDP port 853
Post-Quantum: NIST FIPS 203 ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism)
Features: DNSSEC validation, IPv4 and IPv6 support, no logging, 0-RTT resumption, no monthly quota!
Security Levels: ML-KEM512 (Level 1), ML-KEM768 (Level 3), ML-KEM1024 (Level 5)
Verification
Test connectivity: kdig @dns.practicallyunhackable.com -p 853 +quic google.com
Verify encryption: Check for successful QUIC handshake in packet captures or client debug output
DNS leak test: Run a DNS leak test (the result should show Practically Unhackable or hosting in the Netherlands)
Client Compatibility
Full Support: kdig (Knot DNS), dnsproxy, Stubby (with DoQ support), AdGuard Home
Developing Support: Major browsers and OS vendors are evaluating DoQ implementation
Note: DoQ is newer than DoH/DoT. For maximum compatibility across all devices, continue using our DoH/DoT services.
Privacy Commitment
Zero logging. Zero tracking. No profiling. Based on Amnesic Computing Principles.
Disclaimer
This is a research project and a proof-of-concept, not a commercial service. Services are provided as-is for privacy-conscious users and quantum-resistant DNS research.
The Post-Quantum Timeline
2026-2028: Hybrid algorithms provide transition security while pure PQ algorithms mature
2030-2035: Pure post-quantum becomes standard as quantum computers advance
2035+: Quantum-safe cryptography essential for long-term data protection
This service is prepared for all phases of the post-quantum transition.