Releases: DNSCrypt/dnscrypt-proxy
Releases · DNSCrypt/dnscrypt-proxy
Release 2.1.5
- dnscrypt-proxy can be compiled with Go 1.21.0+
- Responses to blocked queries now include extended error codes
- Reliability of connections using HTTP/3 has been improved
- New configuration directive:
tls_key_log_file
. When defined, this is the path to a file where TLS secret keys will be written to, so that DoH traffic can be locally inspected.
Release 2.1.4
Version 2.1.4
- Fixes a regression from version 2.1.3: when cloaking was enabled, blocked responses were returned for records that were not
A/AAAA/PTR
even for names not in the cloaked list.
Release 2.1.3
Version 2.1.3
- DNS-over-HTTP/3 (QUIC) should be more reliable. In particular, version 2.1.2 required another (non-QUIC) resolver to be present for bootstrapping, or the resolver's IP address to be present in the stamp. This is not the case any more.
- dnscrypt-proxy is now compatible with Go 1.20+
- Commands (-check, -show-certs, -list, -list-all) now ignore log files and directly output the result to the standard output.
- The
cert_ignore_timestamp
configuration switch is now documented. It allows ignoring timestamps for DNSCrypt certificate verification, until a first server is available. This should only be used on devices that don't have any ways to set the clock before DNS service is up. However, a safer alternative remains to use an NTP server with a fixed IP address (such as time.google.com), configured in the captive portals file. - Cloaking: when a name is cloaked, unsupported record types now return a blocked response rather than the actual records.
- systemd: report Ready earlier as dnscrypt-proxy can itself manage retries for updates/refreshes.
Release 2.1.2
- Support for DoH over HTTP/3 (DoH3, HTTP over QUIC) has been added. Compatible servers will automatically use it. Note that QUIC uses UDP (usually over port 443, like DNSCrypt) instead of TCP.
- In previous versions, memory usage kept growing due to channels not being properly closed, causing goroutines to pile up. This was fixed,
resulting in an important reduction of memory usage. Thanks to @lifenjoiner for investigating and fixing this! - DNS64:
CNAME
records are now translated like other responses. Thanks to @ignoramous for this! - A relay whose name has been configured, but doesn't exist in the list of available relays is now a hard error. Thanks to @lifenjoiner!
- Mutexes/locking: bug fixes and improvements, by @ignoramous - Official packages now include linux/riscv64 builds.
dnscrypt-proxy -resolve
now reports if ECS (EDNS-clientsubnet) is supported by the server.dnscrypt-proxy -list
now includes ODoH (Oblivious DoH) servers.- Local DoH: queries made using the
GET
method are now handled. - The service can now be installed on OpenRC-based systems.
PTR
queries are now supported for cloaked domains. Contributed by Ian Bashford, thanks!
Release 2.1.1
This is a bugfix only release, addressing regressions introduced in version 2.1.0:
- When using DoH, cached responses were not served any more when experiencing connectivity issues. This has been fixed.
- Time attributes in allow/block lists were ignored. This has been fixed.
- The TTL as served to clients is now rounded and starts decreasing before the first query is received.
- Time-based rules are properly handled again in generate-domains-blocklist.
- DoH/ODoH: entries with an IP address and using a non-standard port used to require help from a bootstrap resolver. This is not the case any more.
Release 2.1.0
Version 2.1.0
dnscrypt-proxy
now includes support for Oblivious DoH.- If the proxy is overloaded, cached and synthetic queries now keep being served, while non-cached queries are delayed.
- A deprecation warning was added for
fallback_resolvers
. - Source URLs are now randomized.
- On some platforms, redirecting the application log to a file was not compatible with user switching; this has been fixed.
fallback_resolvers
was renamed tobootstrap_resolvers
for clarity. Please update your configuration file accordingly.
2.0.46-beta3
Version 2.0.46 (not released yet, may become 2.1.0)
beta 3:
- Add support for the final version of the Oblivious DoH specification.
beta 2:
- Relays are now mandatory for ODoH servers.
- Routes with
server_name = '*'
now correctly handle both relay types. - A deprecation warning was added for
fallback_resolvers
.
beta 1:
- Source URLs are now randomized.
- On some platforms, redirecting the application log to a file was not
compatible with user switching; this has been fixed. fallback_resolvers
was renamed tobootstrap_resolvers
for
clarity. Please update your configuration file accordingly.- Preliminary support for ODoH (Oblivious DoH) was added. Thanks to
Chris Wood for his help on this!
2.0.46-beta2
Version 2.0.46 (not released yet, may become 2.1.0)
beta 2:
- Relays are now mandatory for ODoH servers.
- Routes with
server_name = '*'
now correctly handle both relay types. - A deprecation warning was added for
fallback_resolvers
.
beta 1:
- Source URLs are now randomized.
- On some platforms, redirecting the application log to a file was not compatible with user switching; this has been fixed.
fallback_resolvers
was renamed tobootstrap_resolvers
for clarity. Please update your configuration file accordingly.- Preliminary support for ODoH (Oblivious DoH) was added. Thanks to Chris Wood for his help on this!
2.0.46-beta1
Version 2.0.46-beta1
- Source URLs are now randomized.
- On some platforms, redirecting the application log to a file was not compatible with user switching; this has been fixed.
fallback_resolvers
was renamed tobootstrap_resolvers
for clarity. Please update your configuration file accordingly.- Preliminary support for ODoH (Oblivious DoH) was added. Thanks to Chris Wood for his help on this!
2.0.45
- Configuration changes (to be required in versions 2.1.x):
[blacklist]
has been renamed to[blocked_names]
[ip_blacklist]
has been renamed to[blocked_ips]
[whitelist]
has been renamed to[allowed_names]
generate-domains-blacklist.py
has been renamed togenerate-domains-blocklist.py
, and the configuration files have been renamed as well.
dnscrypt-proxy -resolve
has been completely revamped, and now requires the configuration file to be accessible. It will send a query to an IP address of thednscrypt-proxy
server by default. Sending queries to arbitrary servers is also supported with the new-resolve name,address
syntax.- Relay lists can be set to
*
for automatic relay selection. When a wildcard is used, either for the list of servers or relays, the proxy ensures that relays and servers are on distinct networks. - Lying resolvers are detected and reported.
- New return code:
NOT_READY
for queries received before the proxy has been initialized. - Server lists can't be older than a week any more, even if directory permissions are incorrect and cache files cannot be written.
- macOS/arm64 is now officially supported.
- New feature:
allowed_ips
, to configure a set of IP addresses to never block no matter what DNS name resolves to them. - Hard-coded IP addresses can be immediately returned for test queries sent by operating systems in order to check for connectivity and captive portals. Such responses can be sent even before an interface is considered as enabled by the operating system. This can be configured in a new section called
[captive_portals]
. - On Linux, OpenBSD and FreeBSD,
listen_addresses
can now include IP addresses that haven't been assigned to an interface yet. - The logo has been tweaked to look fine on a dark background.
generate-domains-blocklist.py
: regular expressions are now ignored in time-based entries.- Minor bug fixes and logging improvements.
- Cloaking plugin: if an entry has multiple IP addresses for a type, all the IP addresses are now returned instead of a random one.
- Static entries can now include DNSCrypt relays.
- Name blocking: aliases relying on
SVCB
andHTTPS
records can now be blocked in addition to aliases via regularCNAME
records. - EDNS-Client-Subnet information can be added to outgoing queries. Instead of sending the actual client IP, ECS information is user
configurable, and IP addresses will be randomly chosen for every query. - Initial DoH queries are now checked using random names in order to properly measure CDNs such as Tencent that ignore the padding.
- DoH: the
max-stale
cache control directive is now present in queries. - Logs can now be sent to
/dev/stdout
instead of actual files. - User switching is now supported on macOS.
- New download mirror (https://download.dnscrypt.net) for resolvers, relays and parental-control.
Thanks to the nice people who contributed to this release:
- Ian Bashford
- Will Elwood
- Alison Winters
- Krish De Souza
- @hugepants
- @IceCodeNew
- @lifenjoiner
- @mibere
- @jacob755
- @petercooperjr
- @yofiji