DNS-over-QUIC Proxy is a lightweight local DNS forwarder for Windows that encrypts all your DNS queries using the DNS-over-QUIC (DoQ) protocol (RFC 9250). It runs quietly in the system tray, auto-configures your DNS settings, and restores them when you stop — zero hassle, full privacy.
- DNS Privacy & Encryption: Prevent your ISP or network operator from snooping on your DNS queries. All lookups are encrypted via QUIC — faster and more secure than traditional DNS-over-HTTPS (DoH).
- Ad Blocking & Filtering: Pair with providers like NextDNS or AdGuard DNS to block ads, trackers, and malware at the DNS level — system-wide, no browser extensions needed.
- Set-and-Forget Operation: Double-click to start, minimize to tray, and forget about it. Your DNS is encrypted. When you're done, quit from the tray and everything is restored automatically.
- DNS-over-QUIC (DoQ) — RFC 9250 compliant encrypted DNS forwarding over QUIC (port 853), offering lower latency than DoH/DoT.
- Auto DNS Configuration — Automatically sets Windows DNS to the local proxy on start, and restores original settings (DHCP) on exit.
- Connection Resilience — Smart connection management with generation tracking to prevent reconnection stampedes under load.
- System Tray Integration — Runs quietly in the background with a tray icon. Toggle console visibility, view version, or quit from the menu.
- Auto-Elevation — Automatically requests Administrator privileges (UAC) since DNS configuration requires it.
- Graceful Shutdown — Press `Ctrl+C` or click Quit from the tray — your DNS settings are always safely restored, even on panic.
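
One way the generation tracking named under Connection Resilience can work, shown as an added example that is not this project's code: each query remembers the generation of the connection it used, and a failure report drops the connection only if that generation is still current. The `manager` type and `simulate` helper are hypothetical, and a boolean stands in for the QUIC connection.

```go
package main

import "sync"

// manager shares one upstream connection, tagged with a generation number.
type manager struct {
	mu    sync.Mutex
	alive bool   // stands in for a live QUIC connection
	gen   uint64 // bumped on every (re)dial, so it also counts dials
}

// get returns the generation of a usable connection, dialing if there is none.
func (m *manager) get() uint64 {
	m.mu.Lock()
	defer m.mu.Unlock()
	if !m.alive {
		m.alive = true // a real proxy would dial QUIC here
		m.gen++
	}
	return m.gen
}

// fail reports a broken connection seen at generation seen. A report for an
// older generation is stale (already replaced), so it is ignored.
func (m *manager) fail(seen uint64) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if seen == m.gen {
		m.alive = false
	}
}

// simulate has n in-flight queries hit one dead connection; returns total dials.
func simulate(n int) uint64 {
	m := &manager{}
	gen := m.get()
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			m.fail(gen) // each query reports the generation it used
			m.get()     // then asks for a usable connection
		}()
	}
	wg.Wait()
	return m.get() // connection is alive again, so this does not dial
}

func main() { println("dials for 100 failed queries:", simulate(100)) }
```

Without the generation check in `fail`, a late report from a slow query would tear down the freshly dialed connection and trigger another dial.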
```
┌──────────────┐        UDP         ┌─────────────────┐     QUIC (853)      ┌────────────────┐
│  Browser /   │ ─────────────────▶ │  DNS-over-QUIC  │ ──────────────────▶ │   NextDNS /    │
│  Any App     │ ◀───────────────── │  Proxy (local)  │ ◀────────────────── │   AdGuard      │
└──────────────┘                    └─────────────────┘                     └────────────────┘
                                       127.0.0.1:53                           Encrypted DNS
                                       [::1]:53                               Provider
```
- On launch, the proxy resolves your upstream DNS provider's IP addresses using your current DNS.
- Windows DNS is set to `127.0.0.1` and `::1`, routing all system DNS traffic through the local proxy.
- Every DNS query is forwarded over an encrypted QUIC connection (port 853) to your provider.
- On exit, DNS settings are automatically restored to DHCP/automatic.
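
The forwarding step above means re-encoding each UDP query for a QUIC stream. This added example (not the project's code) shows the two RFC 9250 rules that matter for a proxy: the 2-octet length prefix and the Message ID forced to 0, with the client's ID restored on the reply. `toDoQ` and `fromDoQ` are hypothetical names, and the sample query is constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// toDoQ converts a DNS query received over UDP into the form RFC 9250 sends
// on a QUIC stream: Message ID forced to 0, then a 2-octet length prefix.
// It returns the frame and the client's original ID (needed for the reply).
func toDoQ(udpQuery []byte) (frame []byte, origID uint16, err error) {
	if len(udpQuery) < 12 { // a DNS header is 12 bytes
		return nil, 0, errors.New("short DNS message")
	}
	if len(udpQuery) > 0xFFFF {
		return nil, 0, errors.New("message too large for 2-octet length")
	}
	origID = binary.BigEndian.Uint16(udpQuery[:2])
	frame = make([]byte, 2+len(udpQuery))
	binary.BigEndian.PutUint16(frame, uint16(len(udpQuery)))
	copy(frame[2:], udpQuery)
	frame[2], frame[3] = 0, 0 // RFC 9250: Message ID MUST be 0 over QUIC
	return frame, origID, nil
}

// fromDoQ validates a length-prefixed stream payload and restores the
// client's ID so the UDP reply matches the query the stub resolver sent.
func fromDoQ(stream []byte, origID uint16) ([]byte, error) {
	if len(stream) < 2 {
		return nil, errors.New("missing length prefix")
	}
	n := int(binary.BigEndian.Uint16(stream))
	if n < 12 || len(stream)-2 != n {
		return nil, errors.New("length prefix does not match payload")
	}
	msg := append([]byte(nil), stream[2:]...)
	binary.BigEndian.PutUint16(msg, origID)
	return msg, nil
}

func main() {
	// Constructed sample: header (ID 0xBEEF, RD set, QDCOUNT 1) + "a." IN A.
	q := []byte{0xBE, 0xEF, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0, 1, 'a', 0, 0, 1, 0, 1}
	frame, id, _ := toDoQ(q)
	back, _ := fromDoQ(frame, id) // echo the frame back as if it were the reply
	fmt.Printf("frame=% x\nreply=% x\n", frame, back)
}
```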
- Windows 10/11
- A DNS-over-QUIC compatible provider (e.g., NextDNS, AdGuard DNS)
- Go 1.25+ (only if building from source)
- Download the latest `dns-proxy.exe` from the Releases page.
- Create a `config.toml` in the same directory (or run once to auto-generate a template).
- Edit `config.toml` with your DNS endpoint.
- Double-click `dns-proxy.exe` — done! 🎉
```powershell
# Clone the repository
git clone https://github.com/YudaKusumaID/dns-over-quic-proxy.git
cd dns-over-quic-proxy

# Copy and edit the config
cp config.example.toml config.toml
# Edit config.toml with your DNS provider details

# Build
go build -o dns-proxy.exe .

# Run
.\dns-proxy.exe
```

Create a `config.toml` file in the same directory as the executable:
```toml
[dns]
upstream = "abc123.dns.nextdns.io" # Your DoQ endpoint
listen_v4 = "127.0.0.1:53"
listen_v6 = "[::1]:53"
```

| Field | Default | Description |
|---|---|---|
| `dns.upstream` | (required) | Your DNS-over-QUIC endpoint hostname (e.g., `abc123.dns.nextdns.io`) |
| `dns.listen_v4` | `127.0.0.1:53` | IPv4 address for the local UDP listener |
| `dns.listen_v6` | `[::1]:53` | IPv6 address for the local UDP listener |

Tip: If you don't have a config file, simply run the program once — it will generate a template for you.
Is my DNS traffic actually encrypted?
Yes. All DNS queries are forwarded over QUIC to port 853 of your upstream provider, encrypted with TLS 1.3. This is the DNS-over-QUIC (DoQ) protocol defined in RFC 9250 — more efficient than DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) due to QUIC's reduced handshake latency.
Does this work on Linux or macOS?
The core DNS forwarding logic is cross-platform, but automatic DNS configuration and system tray integration are currently Windows-only. On other platforms, you would need to manually set your DNS to 127.0.0.1 and run the binary with root/sudo.
What happens if the program crashes?
The proxy includes a panic recovery handler that attempts to restore your DNS settings even during unexpected crashes. If your DNS is stuck on 127.0.0.1 after a hard crash, you can fix it manually:
```powershell
# Run in PowerShell as Administrator
Get-NetAdapter | Where-Object {$_.Status -eq 'Up'} | Set-DnsClientServerAddress -ResetServerAddresses
```

Why does it need Administrator privileges?
Changing Windows DNS settings and binding to port 53 (the standard DNS port) both require Administrator access. The program will automatically prompt for UAC elevation on launch.
Can I use this with NextDNS / AdGuard DNS?
Absolutely! Both NextDNS and AdGuard DNS support DNS-over-QUIC. Simply set your upstream in config.toml to your provider's DoQ endpoint:
- NextDNS: `abc123.dns.nextdns.io` (replace `abc123` with your configuration ID)
- AdGuard DNS: `dns.adguard-dns.com`
How do I check if the proxy is working?
After starting the proxy, open a browser and visit your DNS provider's test page (e.g., NextDNS Test or AdGuard DNS Test). It should confirm that your DNS queries are being routed through their service.
Contributions are welcome! Whether it's bug reports, feature requests, or pull requests — every bit helps.
- Fork the repository.
- Create your feature branch: `git checkout -b feature/amazing-feature`
- Commit your changes: `git commit -m 'Add amazing feature'`
- Push to the branch: `git push origin feature/amazing-feature`
- Open a Pull Request.
Please check the Issues page for open tasks and bug reports.
This project is open-sourced software licensed under the MIT License.
This project is built with these amazing libraries:
- miekg/dns — Fast and flexible DNS library for Go.
- quic-go — Pure Go QUIC implementation.
- energye/systray — Cross-platform system tray library.
- BurntSushi/toml — TOML parser for Go.
Encrypt your DNS. Protect your privacy.