2019-12-16 23:06:41 +01:00
|
|
|
* Version 2.0.36
|
|
|
|
- New option: `block_undelegated`. When enabled, `dnscrypt-proxy` will
|
|
|
|
directly respond to queries for locally-served zones (https://sk.tl/2QqB971U)
|
|
|
|
and nonexistent zones that should have been kept local, but are frequently
|
|
|
|
leaked. This reduces latency and improves privacy.
|
|
|
|
- Conformance: the `DO` bit is now set in synthetic responses if it was
|
|
|
|
set in a question, and the `AD` bit is cleared.
|
2019-12-21 21:28:07 +01:00
|
|
|
- The `miegkg/dns` module was updated to version 1.1.26, that fixes a
|
2019-12-16 23:06:41 +01:00
|
|
|
security issue affecting non-encrypted/non-authenticated DNS traffic. In
|
|
|
|
`dnscrypt-proxy`, this only affects the forwarding feature.
|
|
|
|
|
2019-12-09 20:56:59 +01:00
|
|
|
* Version 2.0.35
|
2019-12-09 23:57:00 +01:00
|
|
|
- New option: `block_unqualified` to block `A`/`AAAA` queries with
|
2019-12-09 20:56:59 +01:00
|
|
|
unqualified host names. These will very rarely get an answer from upstream
|
|
|
|
resolvers, but can leak private information to these, as well as to root
|
|
|
|
servers.
|
|
|
|
- When a `CNAME` pointer is blocked, the original query name is now logged
|
|
|
|
along with the pointer. This makes it easier to know what the original
|
|
|
|
query name, so it can be whitelisted, or what the pointer was, so it
|
|
|
|
can be removed from the blacklist.
|
|
|
|
|
2019-12-01 17:57:42 +01:00
|
|
|
* Version 2.0.34
|
2019-11-29 00:05:11 +01:00
|
|
|
- Blacklisted names are now also blocked if they appear in `CNAME`
|
|
|
|
pointers.
|
|
|
|
- `dnscrypt-proxy` can now act as a local DoH *server*. Firefox can
|
|
|
|
be configured to use it, so that ESNI can be enabled without bypassing
|
|
|
|
your DNS proxy.
|
|
|
|
|
2019-11-18 12:55:04 +01:00
|
|
|
* Version 2.0.33
|
|
|
|
- Fixes an issue that caused some valid queries to return `PARSE_ERROR`.
|
|
|
|
|
2019-11-17 21:25:54 +01:00
|
|
|
* Version 2.0.32
|
|
|
|
- On certificate errors, the server name is now logged instead of the
|
|
|
|
provider name, which is generally more useful.
|
|
|
|
- IP addresses for DoH servers that require DNS lookups are now cached
|
|
|
|
for at least 12 hours.
|
2019-11-17 23:06:34 +01:00
|
|
|
- `ignore_system_dns` is now set to `true` by default.
|
2019-11-17 21:25:54 +01:00
|
|
|
- A workaround for a bug in Cisco servers has been implemented.
|
|
|
|
- A corrupted or incomplete resolvers list is now ignored, keeping the
|
|
|
|
last good known cached list until the next update. In addition, logging was
|
|
|
|
improved and unit tests were also added. Awesome contribution from William
|
|
|
|
Elwood, thanks!
|
|
|
|
- On Windows, the network probe immediately returned instead of blocking
|
2019-11-17 23:07:02 +01:00
|
|
|
if `netprobe_timeout` was set to `-1`. This has been fixed.
|
2019-11-17 21:25:54 +01:00
|
|
|
- Expired cached IP addresses now have a grace period, to avoid breaking the
|
|
|
|
service if they temporarily can't be refreshed.
|
|
|
|
- On Windows, the service now returns immediately, solving a long-standing
|
|
|
|
issue when initialization took more than 30 seconds ("The service did not
|
|
|
|
respond to the start or control request in a timely fashion"). Fantastic
|
|
|
|
work by Alison Winters, thanks!
|
2019-11-17 23:07:49 +01:00
|
|
|
- The `SERVER_ERROR` error code has been split into two new error codes:
|
2019-11-17 22:20:47 +01:00
|
|
|
`NETWORK_ERROR` (self-explanatory) and `SERVFAIL` (a response was returned,
|
|
|
|
but it includes a `SERVFAIL` error code).
|
2019-11-18 01:16:50 +01:00
|
|
|
- Responses are now always compressed.
|
2019-11-17 21:25:54 +01:00
|
|
|
|
2019-10-31 16:42:36 +01:00
|
|
|
* Version 2.0.31
|
2019-10-31 18:12:13 +01:00
|
|
|
- This version fixes two regressions introduced in version 2.0.29:
|
|
|
|
DoH server couldn't be reached over IPv6 any more, and the proxy
|
|
|
|
couldn't be interrupted while servers were being benchmarked.
|
2019-10-31 16:42:36 +01:00
|
|
|
|
2019-10-30 23:02:07 +01:00
|
|
|
* Version 2.0.30
|
|
|
|
- This version fixes a startup issue introduced in version 2.0.29,
|
|
|
|
on systems for which the service cannot be automatically installed
|
|
|
|
(such as OpenBSD and FreeBSD). Reported by @5ch17 and Vinícius Zavam,
|
|
|
|
and fixed by Will Elwood, thanks!
|
|
|
|
|
2019-10-20 15:02:44 +02:00
|
|
|
* Version 2.0.29
|
2019-10-30 23:02:07 +01:00
|
|
|
- Support for Anonymized DNS has been added!
|
|
|
|
- Wait before stopping, fixing an issue with Unbound (thanks to
|
|
|
|
Vladimir Bauer)
|
|
|
|
- DNS stamps are now included in the -list-all -json ouptut
|
|
|
|
- The netprobe_timeout setting from the configuration file or
|
|
|
|
command-line was ignored. This has been fixed.
|
|
|
|
- The TTL or cloaked entries can now be adjusted (thanks to Markus
|
|
|
|
Linnala)
|
|
|
|
- Cached IP address from DoH servers now expire (thanks to Markus
|
|
|
|
Linnala)
|
|
|
|
- DNSCrypt certificates can be fetched over Tor and SOCKS proxies
|
|
|
|
- Retries over TCP are faster
|
|
|
|
- Improved logging (thanks to Alison Winters)
|
|
|
|
- Ignore non-TXT records in certificate responses (thanks to Vladimir
|
|
|
|
Bauer)
|
|
|
|
- A lot of internal cleanups, thanks to Markus Linnala.
|
2019-10-20 15:02:44 +02:00
|
|
|
|
2019-10-12 21:30:47 +02:00
|
|
|
* Version 2.0.28
|
|
|
|
- Invalid server entries are now skipped instead of preventing a
|
|
|
|
source from being used. Thanks to Alison Winters for the contribution!
|
|
|
|
- Truncated responses are immediately retried over TCP instead of
|
|
|
|
waiting for the client to retry. This reduces the latency for large
|
|
|
|
responses.
|
|
|
|
- Responses sent to the local network are assumed to support at least
|
|
|
|
1252 bytes packets, and use optional information from EDNS up to 4096
|
|
|
|
bytes. This also reduces latency.
|
|
|
|
- Logging improvements: servers are not logged for cached, synthetic
|
|
|
|
and cloaked responses. And the forwarder is logged instead of the
|
|
|
|
regular server for forwarded responses.
|
|
|
|
|
2019-09-09 18:12:36 +02:00
|
|
|
* Version 2.0.27
|
|
|
|
- The X25519 implementation was changed from using the Go standard
|
|
|
|
implementation to using Cloudflare's CIRCL library. Unfortunately,
|
|
|
|
CIRCL appears to be broken on big-endian systems. That change has been
|
|
|
|
reverted.
|
2019-09-09 18:46:54 +02:00
|
|
|
- All the dependencies have been updated.
|
2019-09-09 18:12:36 +02:00
|
|
|
|
2019-09-07 14:58:56 +02:00
|
|
|
* Version 2.0.26
|
|
|
|
- A new plugin was added to prevent Firefox from bypassing the system
|
|
|
|
DNS settings.
|
|
|
|
- New configuration parameter to set how to respond to blocked
|
|
|
|
queries: `blocked_query_response`. Responses can now be empty record
|
|
|
|
sets, REFUSED response codes, or predefined IPv4 and/or IPv6 addresses.
|
|
|
|
- The `refused_code_in_responses` and `blocked_query_response` options
|
|
|
|
have been folded into a new `blocked_query_response` option.
|
|
|
|
- The fallback resolver is now accessed using TCP if `force_tcp` has
|
|
|
|
been set to `true`.
|
|
|
|
- CPU usage when enabling DNSCrypt ephemeral keys has been reduced.
|
|
|
|
- New command-line option: `-show-certs` to print DoH certificate
|
|
|
|
hashes.
|
2019-09-07 15:02:09 +02:00
|
|
|
- Solaris packages are now provided.
|
2019-09-07 15:31:34 +02:00
|
|
|
- DoH servers on a non-standard port, with stamps that don't include
|
|
|
|
IP addresses, and without working system resolvers can now be properly
|
|
|
|
bootstrapped.
|
2019-09-07 16:19:47 +02:00
|
|
|
- A new option, `query_meta`, is now available to add optional records
|
|
|
|
to client queries.
|
2019-09-07 14:58:56 +02:00
|
|
|
|
2019-06-04 01:42:02 +02:00
|
|
|
* Version 2.0.25
|
|
|
|
- The example IP address for network probes didn't work on Windows.
|
|
|
|
The example configuration file has been updated and the fallback
|
|
|
|
resolver IP is now used when no netprobe address has been configured.
|
|
|
|
|
2019-06-03 18:31:58 +02:00
|
|
|
* Version 2.0.24
|
|
|
|
- The query log now includes the time it took to complete the
|
|
|
|
transaction, the name of the resolver that sent the response and if
|
|
|
|
the response was served from the cache. Thanks to Ferdinand Holzer for
|
|
|
|
his help!
|
|
|
|
- The list of resolvers, sorted by latency, is now printed after all
|
|
|
|
the resolvers have been probed.
|
|
|
|
- The "fastest" load-balancing strategy has been renamed to "first".
|
|
|
|
- On Windows, a nul byte is sent to the netprobe address. This is
|
|
|
|
required to check for connectivity on this platform. Thanks to Mathias
|
|
|
|
Berchtold.
|
|
|
|
- The Malwaredomainlist URL was updated to directly parse the host
|
|
|
|
list. Thanks to Encrypted.Town.
|
|
|
|
- The Python script to generate lists of blacklisted domains is now
|
|
|
|
compatible both with Python 2 and Python 3. Thanks to Simon R.
|
|
|
|
- A warning is now displayed for DoH is requested but the server
|
|
|
|
doesn't speak HTTP/2.
|
|
|
|
- A crash with loaded-balanced sets of cloaked names was fixed.
|
|
|
|
Thanks to @inkblotadmirer for the report.
|
2019-06-03 18:53:55 +02:00
|
|
|
- Resolvers are now tried in random order to avoid favoring the first
|
|
|
|
ones at startup.
|
2019-06-03 18:31:58 +02:00
|
|
|
|
2019-04-28 23:26:33 +02:00
|
|
|
* Version 2.0.23
|
|
|
|
- Binaries for FreeBSD/armv7 are now available.
|
|
|
|
- .onion servers are now automatically ignored if Tor routing is not
|
|
|
|
enabled.
|
|
|
|
- Caching of server addresses has been improved, especially when
|
|
|
|
using proxies.
|
|
|
|
- DNSCrypt communications are now automatically forced to using TCP
|
|
|
|
when a SOCKS proxy has been set up.
|
|
|
|
|
2019-04-01 08:24:58 +02:00
|
|
|
* Version 2.0.22
|
|
|
|
- The previous version had issues with the .org TLD when used in
|
|
|
|
conjunction with dnsmasq. This has been fixed.
|
|
|
|
|
2019-03-14 20:21:26 +01:00
|
|
|
* Version 2.0.21
|
|
|
|
- The change to run the Windows service as `NT AUTHORITY\NetworkService`
|
|
|
|
has been reverted, as it was reported to break logging (Windows only).
|
|
|
|
|
2019-03-14 02:17:58 +01:00
|
|
|
* Version 2.0.20
|
|
|
|
- Startup is now *way* faster, especially when using DoH servers.
|
2019-03-14 20:21:26 +01:00
|
|
|
- A new action: `CLOAK` is logged when queries are being cloaked.
|
2019-03-14 02:17:58 +01:00
|
|
|
- A cloaking rule can now map to multiple IPv4 and IPv6 addresses,
|
|
|
|
with load-balancing.
|
2019-03-14 20:21:26 +01:00
|
|
|
- New option: `refused_code_in_responses` to return (or not) a
|
|
|
|
`REFUSED` code on blacklisted queries. This is disabled by default, in
|
2019-03-14 02:17:58 +01:00
|
|
|
order to work around a bug in Android Pie.
|
|
|
|
- Time-based restrictions are now properly handled in the
|
|
|
|
generate-domains-blacklist.py script.
|
2019-03-14 20:21:26 +01:00
|
|
|
- Other improvements have been made to the `generate-domains-blacklist.py`
|
2019-03-14 02:17:58 +01:00
|
|
|
script.
|
2019-03-14 20:21:26 +01:00
|
|
|
- The Windows service is now installed as `NT AUTHORITY\NetworkService`.
|
2019-03-14 02:17:58 +01:00
|
|
|
|
2018-11-22 18:16:15 +01:00
|
|
|
* Version 2.0.19
|
|
|
|
- The value for `netprobe_timeout` was read from the command-line, but
|
|
|
|
not from the configuration file any more. This is a regression introduced
|
|
|
|
in the previous version, that has been fixed.
|
|
|
|
- The default value for netprobe timeouts has been raised to 60 seconds.
|
|
|
|
- A hash of the body is added to query parameters when sending DoH
|
|
|
|
queries with the POST method in order to work around badly configured
|
|
|
|
proxies.
|
2018-02-19 18:42:29 +01:00
|
|
|
|
2018-11-15 18:53:06 +01:00
|
|
|
* Version 2.0.18
|
|
|
|
- Official builds now support TLS 1.3.
|
|
|
|
- The timeout for the initial connectivity check can now be set from
|
|
|
|
the command line.
|
|
|
|
- An `Accept:` header is now always sent with `GET` queries.
|
|
|
|
- BOMs are now ignored in configuration files.
|
|
|
|
- In addition to SOCKS, HTTP and HTTPS proxies are now supported for
|
|
|
|
DoH servers.
|
|
|
|
|
2018-10-03 17:28:20 +02:00
|
|
|
* Version 2.0.17
|
|
|
|
- Go >= 1.11 is now supported
|
|
|
|
- The flipside is that Windows XP is not supported any more :(
|
|
|
|
- When dropping privileges, there is no supervisor process any more.
|
|
|
|
- DNS options used to be cleared from DNS queries, with the exception
|
|
|
|
of flags and payload sizes. This is not the case any more.
|
2018-10-03 18:33:10 +02:00
|
|
|
- DoH queries are smaller, since workarounds are not required any more
|
|
|
|
after Google updated their implementation.
|
2018-10-03 17:28:20 +02:00
|
|
|
|
2018-07-09 15:56:50 +02:00
|
|
|
* Version 2.0.16
|
|
|
|
- On Unix-like systems, the server can run as an unprivileged user,
|
|
|
|
and the main process will automatically restart if an error occurs.
|
|
|
|
- pledge() on OpenBSD.
|
|
|
|
- New "offline" mode to serve queries locally without contacting any
|
|
|
|
upstream servers. This can be especially useful along with the
|
|
|
|
cloaking module for local development.
|
|
|
|
- New logo.
|
|
|
|
- TTL of OPT records is properly ignored by the caching module.
|
|
|
|
- The proxy doesn't quit any more if new TCP connections cannot be
|
|
|
|
created.
|
|
|
|
|
2018-06-06 16:14:31 +02:00
|
|
|
* Version 2.0.15
|
|
|
|
- Support for proxies (HTTP/SOCKS) was added. All it takes to route
|
|
|
|
all TCP queries to Tor is add `proxy = "socks5://127.0.0.1:9050"` to
|
|
|
|
the configuration file.
|
|
|
|
- Querylog files have a new record indicating the outcome of each
|
|
|
|
transaction.
|
|
|
|
- Pre-built binaries for Linux are statically linked on all
|
|
|
|
architectures.
|
|
|
|
|
2018-05-19 10:42:56 +02:00
|
|
|
* Version 2.0.14
|
|
|
|
- Supports DNS-over-HTTPS draft 08.
|
|
|
|
- Netprobes don't use port 0 by default, as this causes issues with
|
|
|
|
Little Snitch and FreeBSD.
|
|
|
|
|
2018-05-16 11:41:55 +02:00
|
|
|
* Version 2.0.13
|
|
|
|
- This version fixes a crash when using DoH for queries whose size
|
|
|
|
were a multiple of the block size. Reported by @char101, thanks!
|
|
|
|
|
2018-05-10 22:17:57 +02:00
|
|
|
* Version 2.0.12
|
|
|
|
- Further compatibility fixes for Alpine Linux/i386 and Android/i386
|
|
|
|
have been made. Thanks to @aead for his help!
|
|
|
|
- The proxy will now wait for network connectivity before starting.
|
|
|
|
This is useful if the proxy is automatically started at boot, possibly
|
|
|
|
before the network is fully configured.
|
|
|
|
- The IPv6 blocking module now returns synthetic SOA records to
|
|
|
|
improve compatibility with downstream resolvers and stub resolvers.
|
|
|
|
|
2018-04-27 00:12:20 +02:00
|
|
|
* Version 2.0.11
|
|
|
|
- This release fixes a long-standing bug that caused the proxy to
|
|
|
|
block or crash when Position-Independent Executables were produced.
|
|
|
|
This bug only showed up when compiled on (not for) Alpine Linux and
|
|
|
|
Android, for some CPU architectures.
|
|
|
|
- New configuration settings: cache_neg_min_ttl and
|
|
|
|
cache_neg_max_ttl, to clamp the negative caching TTL.
|
|
|
|
|
2018-04-16 02:25:54 +02:00
|
|
|
* Version 2.0.10
|
|
|
|
- This version fixes a crash when an incomplete size is sent by a
|
|
|
|
local client for a query over TCP.
|
|
|
|
- Slight performance improvement of DNSCrypt on non-Intel CPUs such
|
|
|
|
as Raspberry Pi.
|
|
|
|
|
2018-04-07 23:14:15 +02:00
|
|
|
* Version 2.0.9
|
|
|
|
- Whitelists have been implemented: one a name matches a pattern in
|
|
|
|
the whitelist, rules from the name-based and IP-based blacklists will
|
|
|
|
be bypassed. Whitelists support the same patterns as blacklists, as
|
|
|
|
well as time-based rules, so that some website can be normally
|
|
|
|
blocked, but accessible on specific days or times of the day.
|
|
|
|
- Lists are now faster to load, and large lists require significantly
|
|
|
|
less memory than before.
|
|
|
|
- New options have been added to disable TLS session tickets as well
|
|
|
|
as use a specific cipher suite. See the example configuration file for
|
|
|
|
a recommended configuration to speed up DoH servers on ARM such as
|
|
|
|
Android devices and Raspberry Pi.
|
|
|
|
- The `-service install` command now remembers what the current
|
|
|
|
directory was when the service was installed, in order to later load
|
|
|
|
configuration files with relative paths.
|
|
|
|
- DoH: The "Cache-Control: max-age" header is now ignored.
|
2018-04-09 13:27:02 +02:00
|
|
|
- Patterns can now be prefixed with `=` to do exact matching:
|
|
|
|
`=example.com` matches `example.com` but will not match `www.example.com`.
|
|
|
|
- Patterns are now fully supported by the cloaking module.
|
|
|
|
- A new option was added to use a specific cipher suite instead of
|
|
|
|
the server's provided one. Using RSA+ChaChaPoly over ECDSA+AES-GCM has
|
|
|
|
shown to decrease CPU usage and latency when connecting to Cloudflare,
|
|
|
|
especially on Mips and ARM systems.
|
|
|
|
- The ephemeral keys mode of dnscrypt-proxy v1.x was reimplemented: this
|
|
|
|
creates a new unique key for every single query.
|
2018-04-07 23:14:15 +02:00
|
|
|
|
2018-03-28 14:46:20 +02:00
|
|
|
* Version 2.0.8
|
|
|
|
- Multiple URLs can be defined for a source in order to improve
|
|
|
|
resiliency when servers are temporarily unreachable.
|
|
|
|
- Connections over IPv6 will be preferred over IPv4 for DoH servers
|
|
|
|
when using a fallback resolver if `ipv6_servers` is set.
|
|
|
|
- Improvements have been made to the example systemd configuration
|
|
|
|
files.
|
|
|
|
- The chacha20 implementation was updated to possibly fix a bug on
|
|
|
|
Android/x86.
|
|
|
|
- `generate-domains-blacklist.py` can now parse dnsmasq-style rules.
|
|
|
|
- FreeBSD/arm builds have been added.
|
|
|
|
- `dnscrypt-proxy -list -json` and `-list-all -json` now include the
|
|
|
|
remove servers names and IP addresses.
|
|
|
|
|
2018-03-18 17:21:36 +01:00
|
|
|
* Version 2.0.7
|
|
|
|
- Bug fix: optional ports were not properly parsed with IPv6
|
|
|
|
addresses -- thanks to @bleeee for the report and fix.
|
|
|
|
- Bug fix: truncate TCP queries to the prefixed length.
|
|
|
|
- Certificates are force-refreshed after a time jump (e.g. when a
|
|
|
|
system resumes from hibernation).
|
|
|
|
|
2018-03-02 10:39:02 +01:00
|
|
|
* Version 2.0.6
|
|
|
|
- Automatic log files rotation was finally implemented.
|
|
|
|
- A new -pidfile command-line option to write the PID file was added.
|
|
|
|
|
2018-02-27 09:51:26 +01:00
|
|
|
* Version 2.0.5
|
|
|
|
- Fixes a crash occasionally happening when using DoH servers, with
|
|
|
|
stamps not containing any IP addresses, a DNSSEC-signed name, a
|
|
|
|
non-working system DNS configuration, and a fallback server supporting
|
|
|
|
DNSSEC.
|
|
|
|
|
2018-02-23 17:08:13 +01:00
|
|
|
* Version 2.0.4
|
|
|
|
- Fixes a regression with truncated packets. Thanks to @mazesy and
|
|
|
|
@the-w1nd for spotting a case triggering this!
|
|
|
|
|
2018-02-22 23:55:03 +01:00
|
|
|
* Version 2.0.3
|
|
|
|
- Load balancing: resolvers that respond promptly, but with bogus
|
|
|
|
responses are now gradually removed from the preferred pool.
|
|
|
|
- Due to popular request, Android binaries are now available! Thanks
|
|
|
|
to @sporif for his help on getting these built.
|
2018-02-23 02:18:47 +01:00
|
|
|
- Binaries are built using Go 1.10-final.
|
2018-02-22 23:55:03 +01:00
|
|
|
|
2018-02-21 00:23:11 +01:00
|
|
|
* Version 2.0.2
|
|
|
|
- Properly error out on FreeBSD and other platforms where built-in
|
|
|
|
service installation is not supported yet.
|
|
|
|
- Improved load-balancing algorithm, which should result in lower
|
|
|
|
latency.
|
|
|
|
|
2018-02-19 18:42:29 +01:00
|
|
|
* Version 2.0.1
|
|
|
|
- Cached source data were not redownloaded if the proxy was used
|
|
|
|
without interruption. This has been fixed.
|
2018-02-19 19:26:53 +01:00
|
|
|
- If the network is down at startup time, fall back to cached source
|
|
|
|
data, even if is it out of date, and schedule an immediate update
|
|
|
|
after the networks is back.
|
2018-02-19 18:42:29 +01:00
|
|
|
- RTT estimation for DNS-over-HTTP/2 servers was off. This has been
|
|
|
|
fixed.
|
|
|
|
- The generate-domains-blacklist script now has a configurable
|
|
|
|
timeout value, and can produce time-based rules.
|
|
|
|
- The timeout parameter in the example configuration file didn't had
|
|
|
|
the correct name; this has been fixed.
|
|
|
|
- Cache: TTLs are now decreasing.
|