Implement support for DNS over QUIC
DNS-over-QUIC, specified in RFC 9250, has considerable advantages over the already-implemented options.
- With the debatable exception of DoH and HTTP/3, it is the only standardized encrypted DNS protocol to operate over UDP.
- It avoids issues such as head-of-line blocking and potential for amplification attacks.
- It avoids the overhead of DNS-over-HTTPS.
DNS-over-QUIC should be offered wherever DNS-over-HTTPS or DNS-over-TLS is, at minimum. Its use should be encouraged over the others where applicable.
RFC 9250 emphasizes the following scopes of usage:
- the "stub to recursive resolver" scenario (also called the "stub to recursive" scenario in this document)
- the "recursive resolver to authoritative nameserver" scenario (also called the "recursive to authoritative" scenario in this document), and
- the "nameserver to nameserver" scenario (mainly used for zone transfers (XFR) RFC1995 RFC5936).
I believe that covers every function of BIND.
While not specific to DNS-over-QUIC, the implementation should be designed with future support for non-standard ports and SVBC records in mind. 53/udp is explicitly banned for use with this protocol, but it should eventually be possible to use any other non-standard port rather than 853/udp.