Existing DNS privacy protocols struggle to simultaneously achieve strong privacy and low latency: Oblivious DNS schemes prioritize anonymity but incur high latency, while DNS-over-QUIC improves performance at the cost of exposing the client’s IP address. This paper proposes ODoQ—the first privacy-preserving DNS protocol that integrates Oblivious DNS with QUIC. ODoQ establishes an end-to-end private channel via encrypted proxy relaying, QUIC session resumption, and forward-secure key negotiation. The proxy conceals user identity and thwarts traffic analysis, while QUIC’s underlying transport ensures low-latency communication. Experimental evaluation under typical network conditions shows that ODoQ reduces end-to-end latency by over 30% compared to Oblivious DoH, while guaranteeing that recursive resolvers cannot learn the client’s real IP address. ODoQ thus achieves, for the first time, a synergistic optimization of DNS privacy and performance.

The Domain Name System (DNS), which converts domain names to their respective IP addresses, has advanced enhancements aimed at safeguarding DNS data and users' identity from attackers. The recent privacy-focused advancements have enabled the IETF to standardize several protocols. Nevertheless, these protocols tend to focus on either strengthening user privacy (like Oblivious DNS and Oblivious DNS-over-HTTPS) or reducing resolution latency (as demonstrated by DNS-over-QUIC). Achieving both within a single protocol remains a key challenge, which we address in this paper. Our proposed protocol -- 'Oblivious DNS-over-QUIC' (ODoQ) -- leverages the benefits of the QUIC protocol and incorporates an intermediary proxy server to protect the client's identity from exposure to the recursive resolver.