diff --git a/group_vars/mirrors/misc.yml b/group_vars/mirrors/misc.yml
index e64ea812b9f6e4a5830e61ae2e1377856c4f58bf..de398e896a650071dc640d0fbdb9d166be97402b 100644
--- a/group_vars/mirrors/misc.yml
+++ b/group_vars/mirrors/misc.yml
@@ -3,3 +3,5 @@ archweb_db_host: "{{ hostvars['archlinux.org']['wireguard_address'] }}"
 # raise tcp window limits to 32MiB
 tcp_rmem: "10240 87380 33554432"
 tcp_wmem: "10240 87380 33554432"
+
+nginx_enable_http3: true
diff --git a/roles/geo_dns/templates/geo.yml.j2 b/roles/geo_dns/templates/geo.yml.j2
index 35274725078371c81638dce2bedb57a1863eb874..eb95d4de266e1164ba0c2df3da7bdb3feb82312c 100644
--- a/roles/geo_dns/templates/geo.yml.j2
+++ b/roles/geo_dns/templates/geo.yml.j2
@@ -24,6 +24,17 @@ domains:
               AAAA "ifurlup('https://{{ domain }}{{ geo_options[domain]['health_check_path'] | default('/') }}',
               {'{{ hosts | map('extract', hostvars, ['ipv6_address']) | join("', '") }}'},
               {selector='pickclosest', useragent='pdns on {{ inventory_hostname }}'})"
+        - lua:
+            ttl: 300
+            content: >
+              HTTPS "'1 . alpn=h2,h3 ipv4hint=' ..
+              ifurlup('https://{{ domain }}{{ geo_options[domain]['health_check_path'] | default('/') }}',
+              {'{{ hosts | map('extract', hostvars, ['ipv4_address']) | join("', '") }}'},
+              {selector='pickclosest', useragent='pdns on {{ inventory_hostname }}'})[1] ..
+              ' ipv6hint=' ..
+              ifurlup('https://{{ domain }}{{ geo_options[domain]['health_check_path'] | default('/') }}',
+              {'{{ hosts | map('extract', hostvars, ['ipv6_address']) | join("', '") }}'},
+              {selector='pickclosest', useragent='pdns on {{ inventory_hostname }}'})[1]"
       _acme-challenge.{{ domain }}:
         - ns: {{ geo_acme_dns_challenge_ns }}
   {% endfor %}
diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf
index 7b0cd029f6d5ea9891461b8521dfa724ef95acab..fe578ebf05ac8fd0d701ccd35b7cade5efc41457 100644
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -119,6 +119,7 @@ locals {
       server_type = "cx22"
       domain      = "mirror"
       zone        = hetznerdns_zone.pkgbuild.id
+      http3       = true
     }
     "monitoring.archlinux.org" = {
       server_type = "cx32"
@@ -281,6 +282,7 @@ locals {
     rsync = {
       ipv4_address = "168.119.141.106"
       ipv6_address = "2a01:4f8:251:598::"
+      http3        = true
     }
     runner1 = {
       ipv4_address = "138.199.19.15"
@@ -355,38 +357,47 @@ locals {
     "america.mirror" = {
       ipv4_address = "143.244.34.62"
       ipv6_address = "2a02:6ea0:cc0e::2"
+      http3        = true
     }
     "america.archive" = {
       ipv4_address = "143.244.34.62"
       ipv6_address = "2a02:6ea0:cc0e::2"
+      http3        = true
     }
     "asia.mirror" = {
       ipv4_address = "84.17.57.98"
       ipv6_address = "2a02:6ea0:d605::2"
+      http3        = true
     }
     "asia.archive" = {
       ipv4_address = "84.17.57.98"
       ipv6_address = "2a02:6ea0:d605::2"
+      http3        = true
     }
     "europe.mirror" = {
       ipv4_address = "89.187.191.12"
       ipv6_address = "2a02:6ea0:c237::2"
+      http3        = true
     }
     "europe.archive" = {
       ipv4_address = "89.187.191.12"
       ipv6_address = "2a02:6ea0:c237::2"
+      http3        = true
     }
     "london.mirror" = {
       ipv4_address = "185.73.44.89"
       ipv6_address = "2001:ba8:0:4030::2"
+      http3        = true
     }
     "seoul.mirror" = {
       ipv4_address = "145.40.87.75"
       ipv6_address = "2604:1380:11:2600::1"
+      http3        = true
     }
     "sydney.mirror" = {
       ipv4_address = "147.75.48.159"
       ipv6_address = "2604:1380:40f1:6a00::1"
+      http3        = true
     }
     repro2 = {
       ipv4_address = "212.102.38.209"