Be notified of new releases
Create your free GitHub account today to subscribe to this repository for new releases and build software alongside 40 million developers.Sign up
Preliminary support for anonymized DNS is here!
- Invalid server entries are now skipped instead of preventing a source from being used. Thanks to Alison Winters for the contribution!
- Truncated responses are immediately retried over TCP instead of waiting for the client to retry. This reduces the latency for large responses.
- Responses sent to the local network are assumed to support at least 1252 bytes packets, and use optional information from EDNS up to 4096 bytes. This also reduces latency.
- Logging improvements: servers are not logged for cached, synthetic and cloaked responses. And the forwarder is logged instead of the regular server for forwarded responses.
- Version 2.0.27
- The X25519 implementation was changed from using the Go standard implementation to using Cloudflare's CIRCL library. Unfortunately, CIRCL appears to be broken on big-endian systems. That change has been reverted.
- All the dependencies have been updated.
- A new plugin was added to prevent Firefox from bypassing the system DNS settings.
- New configuration parameter to set how to respond to blocked queries:
blocked_query_response. Responses can now be empty record sets,
REFUSEDresponse codes, or predefined IPv4 and/or IPv6 addresses.
blocked_query_responseoptions have been folded into a new
- The fallback resolver is now accessed using TCP if
force_tcphas been set to
- CPU usage when enabling DNSCrypt ephemeral keys has been reduced.
- New command-line option:
-show-certsto print DoH certificate hashes.
- Solaris packages are now provided.
- DoH servers on a non-standard port, with stamps that don't include IP addresses, and without working system resolvers can now be properly bootstrapped.
- A new option,
query_meta, is now available to add optional records to client queries.
The example IP address for network probes didn't work on Windows - This is a regression introduced in version 2.0.24.
The example configuration file has been updated and the fallback resolver IP is now used when no netprobe address has been configured.
- The query log now includes the time it took to complete the
transaction, the name of the resolver that sent the response and if
the response was served from the cache. Thanks to Ferdinand Holzer for
- The list of resolvers, sorted by latency, is now printed after all
the resolvers have been probed.
- The "fastest" load-balancing strategy has been renamed to "first".
- On Windows, a nul byte is sent to the netprobe address. This is
required to check for connectivity on this platform. Thanks to Mathias
- The Malwaredomainlist URL was updated to directly parse the host
list. Thanks to Encrypted.Town.
- The Python script to generate lists of blacklisted domains is now
compatible both with Python 2 and Python 3. Thanks to Simon R.
- A warning is now displayed for DoH is requested but the server
doesn't speak HTTP/2.
- A crash with loaded-balanced sets of cloaked names was fixed.
Thanks to @InkblotAdmirer for the report.
- Resolvers are now tried in random order to avoid favoring the first
ones at startup.
The previous version had issues with the
.org TLD when used in conjunction with dnsmasq.
This has been fixed.
The change to run the Windows service as
NT AUTHORITY\NetworkService has been reverted, as it was reported to break logging (Windows only).
There are no other changes. If you are running version 2.0.20 on non-Windows platforms, or if you installed the service yourself, upgrading is not necessary.
Oh, and if you know how to switch back to
NT AUTHORITY\NetworkService and still have the ability to write log files, your help would be welcome.
- Startup is now way faster, especially when using DoH servers.
- A new action:
CLOAKis logged when queries are being cloaked.
- A cloaking rule can now map to multiple IPv4 and IPv6 addresses, with load-balancing.
- New option:
refused_code_in_responsesto return (or not) a
REFUSEDcode on blacklisted queries. This is disabled by default, in order to work around a bug in Android Pie.
- Time-based restrictions are now properly handled in the
- Other improvements have been made to the
- The Windows service is now installed as