diff --git a/CHANGELOG.md b/CHANGELOG.md index bc986774..0a29640a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,6 +29,8 @@ and this project adheres to ### Changed +- The default DNS-over-QUIC port number is now `853` instead of `754` in + accoradance with the latest [RFC draft][doq-draft-10] ([#4276]). - Reverse DNS now has a greater priority as the source of runtime clients' informmation than ARP neighborhood. - Improved detection of runtime clients through more resilient ARP processing @@ -103,8 +105,10 @@ In this release, the schema version has changed from 12 to 13. [#4216]: https://github.com/AdguardTeam/AdGuardHome/issues/4216 [#4221]: https://github.com/AdguardTeam/AdGuardHome/issues/4221 [#4238]: https://github.com/AdguardTeam/AdGuardHome/issues/4238 +[#4276]: https://github.com/AdguardTeam/AdGuardHome/issues/4276 -[repr]: https://reproducible-builds.org/docs/source-date-epoch/ +[repr]: https://reproducible-builds.org/docs/source-date-epoch/ +[doq-draft-10]: https://datatracker.ietf.org/doc/html/draft-ietf-dprive-dnsoquic-10#section-10.2 @@ -234,7 +238,7 @@ See also the [v0.107.0 GitHub milestone][ms-v0.107.0]. - New possible value of `6h` for `querylog_interval` setting ([#2504]). - Blocking access using ClientIDs ([#2624], [#3162]). - `source` directives support in `/etc/network/interfaces` on Linux ([#3257]). -- RFC 9000 support in DNS-over-QUIC. +- [RFC 9000][rfc-9000] support in QUIC. - Completely disabling statistics by setting the statistics interval to zero ([#2141]). - The ability to completely purge DHCP leases ([#1691]). @@ -459,6 +463,7 @@ In this release, the schema version has changed from 10 to 12. [#3933]: https://github.com/AdguardTeam/AdGuardHome/pull/3933 [ms-v0.107.0]: https://github.com/AdguardTeam/AdGuardHome/milestone/23?closed=1 +[rfc-9000]: https://datatracker.ietf.org/doc/html/rfc9000 diff --git a/internal/home/config.go b/internal/home/config.go index c018f16e..c81de19e 100644 --- a/internal/home/config.go 
+++ b/internal/home/config.go @@ -292,18 +292,20 @@ func parseConfig() (err error) { uc := aghalg.UniqChecker{} addPorts( uc, - config.BindPort, - config.BetaBindPort, - config.DNS.Port, + tcpPort(config.BindPort), + tcpPort(config.BetaBindPort), + udpPort(config.DNS.Port), ) if config.TLS.Enabled { addPorts( uc, - config.TLS.PortHTTPS, - config.TLS.PortDNSOverTLS, - config.TLS.PortDNSOverQUIC, - config.TLS.PortDNSCrypt, + // TODO(e.burkov): Consider adding a udpPort with the same value if + // we ever support the HTTP/3 for web admin interface. + tcpPort(config.TLS.PortHTTPS), + tcpPort(config.TLS.PortDNSOverTLS), + udpPort(config.TLS.PortDNSOverQUIC), + tcpPort(config.TLS.PortDNSCrypt), ) } if err = uc.Validate(aghalg.IntIsBefore); err != nil { @@ -321,11 +323,23 @@ func parseConfig() (err error) { return nil } -// addPorts is a helper for ports validation. It skips zero ports. -func addPorts(uc aghalg.UniqChecker, ports ...int) { +// udpPort is the port number for UDP protocol. +type udpPort int + +// tcpPort is the port number for TCP protocol. +type tcpPort int + +// addPorts is a helper for ports validation. It skips zero ports. Each of +// ports should be either a udpPort or a tcpPort. +func addPorts(uc aghalg.UniqChecker, ports ...interface{}) { for _, p := range ports { - if p != 0 { - uc.Add(p) + switch p := p.(type) { + case tcpPort, udpPort: + if p != 0 { + uc.Add(p) + } + default: + // Go on. } } } diff --git a/internal/home/controlinstall.go b/internal/home/controlinstall.go index 98cbf31a..0435651b 100644 --- a/internal/home/controlinstall.go +++ b/internal/home/controlinstall.go 
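Review bot: `udpPort(config.DNS.Port)` registers the plain-DNS port as UDP only, so a TCP listener configured on the same number (`BindPort`, `PortHTTPS`, `PortDNSOverTLS`) is no longer reported as a clash, although plain DNS is normally served over both UDP and TCP. If the DNS server here binds both, the list should carry both entries, `tcpPort(config.DNS.Port), udpPort(config.DNS.Port),`. The same question applies to `PortDNSCrypt` if DNSCrypt is also served over UDP. The identical lists in `setupConfig` (home.go), `validateDNS` (controlinstall.go) and `handleTLSValidate`/`handleTLSConfigure` (tls.go) need the same change; the last two validate values taken from an HTTP request. parseConfig starts and ends outside this hunk.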
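Review bot: In `case tcpPort, udpPort:` the variable `p` keeps the static type `interface{}`, because a type-switch clause listing more than one type does not narrow it, so `p != 0` compares against an `int` zero and is true for `tcpPort(0)` and `udpPort(0)` alike. Zero ports are therefore no longer skipped, and two unset ports of the same kind would be reported as duplicates; one case per type restores the check. The `default` branch also drops a bare `int` without any signal, so a call site that forgets the wrapper silently loses its collision check, and logging or panicking there would surface that. Separately, `uc.Validate(aghalg.IntIsBefore)` at the call sites may no longer fit the stored key types if that comparator asserts `int`, which is worth confirming.

```go
	for _, p := range ports {
		switch p := p.(type) {
		case tcpPort:
			// Single-type clause: p is a tcpPort here, so the zero check
			// compares values of the same type.
			if p != 0 {
				uc.Add(p)
			}
		case udpPort:
			if p != 0 {
				uc.Add(p)
			}
		// … unchanged: default branch …
		}
	}
```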
@@ -109,7 +109,7 @@ func (req *checkConfReq) validateWeb(uc aghalg.UniqChecker) (err error) { defer func() { err = errors.Annotate(err, "validating ports: %w") }() port := req.Web.Port - addPorts(uc, config.BetaBindPort, port) + addPorts(uc, tcpPort(config.BetaBindPort), tcpPort(port)) if err = uc.Validate(aghalg.IntIsBefore); err != nil { // Avoid duplicating the error into the status of DNS. uc[port] = 1 @@ -135,7 +135,7 @@ func (req *checkConfReq) validateDNS(uc aghalg.UniqChecker) (canAutofix bool, er defer func() { err = errors.Annotate(err, "validating ports: %w") }() port := req.DNS.Port - addPorts(uc, port) + addPorts(uc, udpPort(port)) if err = uc.Validate(aghalg.IntIsBefore); err != nil { return false, err } diff --git a/internal/home/dns.go b/internal/home/dns.go index d676f6af..c30e12ec 100644 --- a/internal/home/dns.go +++ b/internal/home/dns.go @@ -25,7 +25,7 @@ const ( defaultPortDNS = 53 defaultPortHTTP = 80 defaultPortHTTPS = 443 - defaultPortQUIC = 784 + defaultPortQUIC = 853 defaultPortTLS = 853 ) diff --git a/internal/home/home.go b/internal/home/home.go index 7096be78..4e4d3aee 100644 --- a/internal/home/home.go +++ b/internal/home/home.go @@ -305,17 +305,17 @@ func setupConfig(args options) (err error) { uc := aghalg.UniqChecker{} addPorts( uc, - args.bindPort, - config.BetaBindPort, - config.DNS.Port, + tcpPort(args.bindPort), + tcpPort(config.BetaBindPort), + udpPort(config.DNS.Port), ) if config.TLS.Enabled { addPorts( uc, - config.TLS.PortHTTPS, - config.TLS.PortDNSOverTLS, - config.TLS.PortDNSOverQUIC, - config.TLS.PortDNSCrypt, + tcpPort(config.TLS.PortHTTPS), + tcpPort(config.TLS.PortDNSOverTLS), + udpPort(config.TLS.PortDNSOverQUIC), + tcpPort(config.TLS.PortDNSCrypt), ) } if err = uc.Validate(aghalg.IntIsBefore); err != nil { diff --git a/internal/home/tls.go b/internal/home/tls.go index eeffe3b6..fe595e98 100644 --- a/internal/home/tls.go +++ b/internal/home/tls.go 
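Review bot: `uc[port] = 1` in the context below the changed line still indexes the checker with a plain `int`, while the entry is now stored under `tcpPort(port)`. Assuming UniqChecker keys on the interface value, the reset meant to keep the error out of the DNS status writes a different key and leaves the web port's duplicate count untouched. It should read `uc[tcpPort(port)] = 1`. validateWeb continues past the end of the hunk, so any later use of `port` as a key needs the same conversion.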
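Review bot: The removed default here is `784`, but the changelog entry added in this same commit says the old value was `754`; the changelog line should read "instead of `784`". With `defaultPortQUIC` and `defaultPortTLS` now both `853`, a short comment on the constants would keep the equal values from looking like a mistake, for example `// DoQ runs over UDP and DoT over TCP, so sharing 853 is intentional.`. Installations that already have the old port stored in their configuration presumably keep it, which may be worth stating in the changelog as well.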
@@ -253,13 +253,13 @@ func (t *TLSMod) handleTLSValidate(w http.ResponseWriter, r *http.Request) { uc := aghalg.UniqChecker{} addPorts( uc, - config.BindPort, - config.BetaBindPort, - config.DNS.Port, - setts.PortHTTPS, - setts.PortDNSOverTLS, - setts.PortDNSOverQUIC, - setts.PortDNSCrypt, + tcpPort(config.BindPort), + tcpPort(config.BetaBindPort), + udpPort(config.DNS.Port), + tcpPort(setts.PortHTTPS), + tcpPort(setts.PortDNSOverTLS), + udpPort(setts.PortDNSOverQUIC), + tcpPort(setts.PortDNSCrypt), ) err = uc.Validate(aghalg.IntIsBefore) @@ -346,13 +346,13 @@ func (t *TLSMod) handleTLSConfigure(w http.ResponseWriter, r *http.Request) { uc := aghalg.UniqChecker{} addPorts( uc, - config.BindPort, - config.BetaBindPort, - config.DNS.Port, - data.PortHTTPS, - data.PortDNSOverTLS, - data.PortDNSOverQUIC, - data.PortDNSCrypt, + tcpPort(config.BindPort), + tcpPort(config.BetaBindPort), + udpPort(config.DNS.Port), + tcpPort(data.PortHTTPS), + tcpPort(data.PortDNSOverTLS), + udpPort(data.PortDNSOverQUIC), + tcpPort(data.PortDNSCrypt), ) err = uc.Validate(aghalg.IntIsBefore)