How to enforce DoH/3 over DoH/2? How to use DoQ?

[ghost]

The latest version of DNSCrypt-Proxy says that DNS-over-HTTPS/2 are automatically upgraded to DNS-over-HTTPS/3 if the selected DNS server supports, but such isn't the case.

In AdGuard Home, DoH/3 is enforced by using h3 links and the following servers fully support DoH/3 over UDP port 443:
h3://94.140.14.14/dns-query
h3://94.140.14.15/dns-query
h3://94.140.15.15/dns-query
h3://94.140.15.16/dns-query
h3://94.140.14.140/dns-query
h3://94.140.14.141/dns-query
h3://1.1.1.1/dns-query
h3://1.0.0.1/dns-query
h3://1.1.1.2/dns-query
h3://1.0.0.2/dns-query
h3://1.1.1.3/dns-query
h3://1.0.0.3/dns-query

DNSCrypt does not list DoH/3 for generation of SDNS stamps. When I use SDNS stamps for DoH/2 in DNSCrypt-Proxy for the list of IP addresses I mention above, DoH/2 connections are are not upgraded to DoH/3. How do I enforce DoH/3 instead of DoH/2 with DNSCrypt-Proxy?

Does DNSCrypt-Proxy support DoQ? How do I generate SDNS stamps for DoQ?

[ghost]

DoQ isn't supported.

DoH3 is automatically used if http3 = true is set in the config file and the server supports it and it notifies DNSCrypt-Proxy about that in a supported way.

(@jedisct1 The config file should probably not mention QUIC, people always mistake it for DoQ.)

[ghost]

I do have "http3=true" and the SDNS stamp I use for AdGuard server that does support DoH/3 over UDP port 443 is "sdns://BAcAAAAAAAAADDk0LjE0MC4xNC4xNAATZG5zLmFkZ3VhcmQtZG5zLmNvbQ" , but DNSCrypt-Proxy limits it to regular DoH/2 over TCP port 443. How does a server notify DNSCrypt-Proxy about its DoH/3 capabilities? Normally, in browsers, the client is the one that sets a flag for HTTP/3 and ALPN, but I guess that is what "http3=true" does.

Can you give me an example of a server that you tested that switches to HTTP/3, please?

DoH/2, DoT, and DoQ stamps for IP of the same DNS servers differ. Why can't DoH/3 have its own unique SDNS stamps?

Also, does DNSCrypto-Proxy enforce 0-RTT for DoH/3? I ask because 0-RTT (also known as TLS resumption) creates a problem for Perfect Forward Secrecy.

[iJorgen]

Why can't DoH/3 have its own unique SDNS stamps?

This was exactly what I was searching for too... Is there any way to encode a DNS-stamp to become a h3:// link when decoded?

[jedisct1]

The server should return an Alt-Svc: h3=443 header in order to indicate that it supports HTTP/3.

Here's how to do it with Nginx: https://www.nginx.com/blog/binary-packages-for-preview-nginx-quic-http3-implementation/#configuration

Can you give me an example of a server that you tested that switches to HTTP/3, please?

google.

[jedisct1]

0RTT is disabled.