Quantum computing poses a critical threat to the cryptographic foundations of DNS protocols. This paper introduces PQC-DNS—the first unified testing framework supporting classical, post-quantum (PQC), and hybrid cryptographic configurations. Built upon Open Quantum Safe, it integrates MLKEM, Falcon, and SPHINCS+, and modifies BIND9 alongside the TLS 1.3 stack to enable system-level security and performance evaluation of DNSSEC, DNS-over-TLS (DoT), and DNS-over-HTTPS (DoH) under realistic deployment conditions. We present the first empirical analysis of how these three PQC schemes differentially impact end-to-end DNS latency, bandwidth consumption, and computational overhead: Falcon and MLKEM exhibit favorable trade-offs, whereas SPHINCS+ substantially inflates message sizes and introduces denial-of-service amplification risks. Furthermore, we propose practical mitigation strategies against quantum downgrade attacks and support for fragmented, incremental PQC deployment—providing empirically grounded guidance and an engineering roadmap for the smooth transition of DNS infrastructure to the post-quantum era.

The Domain Name System (DNS) plays a foundational role in Internet infrastructure, yet its core protocols remain vulnerable to compromise by quantum adversaries. As cryptographically relevant quantum computers become a realistic threat, ensuring DNS confidentiality, authenticity, and integrity in the post-quantum era is imperative. In this paper, we present a comprehensive system-level study of post-quantum DNS security across three widely deployed mechanisms: DNSSEC, DNS-over-TLS (DoT), and DNS-over-HTTPS (DoH). We propose Post-Quantum Cryptographic (PQC)-DNS, a unified framework for benchmarking DNS security under legacy, post-quantum, and hybrid cryptographic configurations. Our implementation leverages the Open Quantum Safe (OQS) libraries and integrates lattice- and hash-based primitives into BIND9 and TLS 1.3 stacks. We formalize performance and threat models and analyze the impact of post-quantum key encapsulation and digital signatures on end-to-end DNS resolution. Experimental results on a containerized testbed reveal that lattice-based primitives such as Module-Lattice-Based Key-Encapsulation Mechanism (MLKEM) and Falcon offer practical latency and resource profiles, while hash-based schemes like SPHINCS+ significantly increase message sizes and processing overhead. We also examine security implications including downgrade risks, fragmentation vulnerabilities, and susceptibility to denial-of-service amplification. Our findings inform practical guidance for deploying quantum-resilient DNS and contribute to the broader effort of securing core Internet protocols for the post-quantum future.