AdGuard DNS now supports post-quantum cryptography. Here’s what that means
Version 2.19 marks another important step in strengthening security for the near future: once again, AdGuard DNS steps ahead of the curve, becoming the first DNS service to bring client-side post-quantum cryptography and joining a very short list of early adopters of the technology — just behind Google and Cloudflare.
We’ve already explained how post-quantum cryptography works in an article on our VPN blog. Here, we’ll briefly recap the key concepts and explain how this technology is implemented in AdGuard DNS.
How post-quantum cryptography keeps your data safe
To keep DNS traffic secure, encryption must protect not only the data itself but also the way encryption keys are exchanged between the client and the server. While modern algorithms are extremely strong, future quantum computers will be able to break today’s key-exchange methods, making encrypted connections vulnerable.
Post-quantum cryptography addresses this risk by using algorithms designed to withstand quantum attacks. For DNS, this means stronger protection for client-server connections such as DoT, DoH, and DoQ, as well as for critical infrastructure components like DNSSEC — ensuring DNS privacy remains reliable in the long term.
How does it work?
AdGuard DNS uses a hybrid encryption method called X25519MLKEM768, the same approach used in Chrome and other Chromium-based browsers.
X25519provides the standard encryption algorithm.ML-KEM768adds post-quantum security.
What does this mean?
- This greatly increases protection because the combined key from both algorithms is virtually impossible to crack, even by quantum computers.
- Even if vulnerabilities are found in the post-quantum
ML-KEM768algorithm, the trustedX25519algorithm will still provide security.
How to start using it
Starting with version 2.19, post-quantum cryptography is enabled by default in AdGuard DNS. However, to use this feature, you must connect to a DNS server through one of the AdGuard apps, as most OSes don’t support it natively. We’re still preparing the apps to be fully compatible with post-quantum cryptography, and currently, they are being tested. To try it now, you can download the latest Nightly builds — just keep in mind they may be unstable:
- AdGuard for Windows v8.0.0 Nightly 22
- AdGuard for Android v4.14 Nightly 23
- AdGuard for Mac v2.18.0.2090 Nightly
This feature isn’t available when you connect to a DNS server through one of AdGuard VPN apps yet, but it’s coming soon. Once it’s rolled out, it will be enabled automatically when you turn on post-quantum cryptography in the app.
To confirm that it’s active, visit our test page and scroll down to the AdGuard DNS section. The status PQC: enabled indicates that you’re fully protected.
We’d love to get your feedback and suggestions on GitHub. If you want, you can also reach us out on social media, we’re on multiple platforms.
