Skip to content

Releases: DNSCrypt/dnscrypt-proxy

Release 2.1.2

01 Aug 16:11
2.1.2
Compare
Choose a tag to compare
  • Support for DoH over HTTP/3 (DoH3, HTTP over QUIC) has been added. Compatible servers will automatically use it. Note that QUIC uses UDP (usually over port 443, like DNSCrypt) instead of TCP.
  • In previous versions, memory usage kept growing due to channels not being properly closed, causing goroutines to pile up. This was fixed,
    resulting in an important reduction of memory usage. Thanks to @lifenjoiner for investigating and fixing this!
  • DNS64: CNAME records are now translated like other responses. Thanks to @ignoramous for this!
  • A relay whose name has been configured, but doesn't exist in the list of available relays is now a hard error. Thanks to @lifenjoiner!
  • Mutexes/locking: bug fixes and improvements, by @ignoramous - Official packages now include linux/riscv64 builds.
  • dnscrypt-proxy -resolve now reports if ECS (EDNS-clientsubnet) is supported by the server.
  • dnscrypt-proxy -list now includes ODoH (Oblivious DoH) servers.
  • Local DoH: queries made using the GET method are now handled.
  • The service can now be installed on OpenRC-based systems.
  • PTR queries are now supported for cloaked domains. Contributed by Ian Bashford, thanks!

Release 2.1.1

27 Sep 16:32
2.1.1
Compare
Choose a tag to compare

This is a bugfix only release, addressing regressions introduced in version 2.1.0:

  • When using DoH, cached responses were not served any more when experiencing connectivity issues. This has been fixed.
  • Time attributes in allow/block lists were ignored. This has been fixed.
  • The TTL as served to clients is now rounded and starts decreasing before the first query is received.
  • Time-based rules are properly handled again in generate-domains-blocklist.
  • DoH/ODoH: entries with an IP address and using a non-standard port used to require help from a bootstrap resolver. This is not the case any more.

Release 2.1.0

14 Aug 13:46
2.1.0
Compare
Choose a tag to compare

Version 2.1.0

  • dnscrypt-proxy now includes support for Oblivious DoH.
  • If the proxy is overloaded, cached and synthetic queries now keep being served, while non-cached queries are delayed.
  • A deprecation warning was added for fallback_resolvers.
  • Source URLs are now randomized.
  • On some platforms, redirecting the application log to a file was not compatible with user switching; this has been fixed.
  • fallback_resolvers was renamed to bootstrap_resolvers for clarity. Please update your configuration file accordingly.

2.0.46-beta3

12 Jun 12:51
2.0.46-beta3
Compare
Choose a tag to compare

Version 2.0.46 (not released yet, may become 2.1.0)

beta 3:

  • Add support for the final version of the Oblivious DoH specification.

beta 2:

  • Relays are now mandatory for ODoH servers.
  • Routes with server_name = '*' now correctly handle both relay types.
  • A deprecation warning was added for fallback_resolvers.

beta 1:

  • Source URLs are now randomized.
  • On some platforms, redirecting the application log to a file was not
    compatible with user switching; this has been fixed.
  • fallback_resolvers was renamed to bootstrap_resolvers for
    clarity. Please update your configuration file accordingly.
  • Preliminary support for ODoH (Oblivious DoH) was added. Thanks to
    Chris Wood for his help on this!

2.0.46-beta2

08 Jun 09:17
2.0.46-beta2
Compare
Choose a tag to compare

Version 2.0.46 (not released yet, may become 2.1.0)

beta 2:

  • Relays are now mandatory for ODoH servers.
  • Routes with server_name = '*' now correctly handle both relay types.
  • A deprecation warning was added for fallback_resolvers.

beta 1:

  • Source URLs are now randomized.
  • On some platforms, redirecting the application log to a file was not compatible with user switching; this has been fixed.
  • fallback_resolvers was renamed to bootstrap_resolvers for clarity. Please update your configuration file accordingly.
  • Preliminary support for ODoH (Oblivious DoH) was added. Thanks to Chris Wood for his help on this!

2.0.46-beta1

07 Jun 16:58
2.0.46-beta1
Compare
Choose a tag to compare
2.0.46-beta1 Pre-release
Pre-release

Version 2.0.46-beta1

  • Source URLs are now randomized.
  • On some platforms, redirecting the application log to a file was not compatible with user switching; this has been fixed.
  • fallback_resolvers was renamed to bootstrap_resolvers for clarity. Please update your configuration file accordingly.
  • Preliminary support for ODoH (Oblivious DoH) was added. Thanks to Chris Wood for his help on this!

2.0.45

03 Jan 17:38
2.0.45
Compare
Choose a tag to compare
  • Configuration changes (to be required in versions 2.1.x):
    • [blacklist] has been renamed to [blocked_names]
    • [ip_blacklist] has been renamed to [blocked_ips]
    • [whitelist] has been renamed to [allowed_names]
    • generate-domains-blacklist.py has been renamed to generate-domains-blocklist.py, and the configuration files have been renamed as well.
  • dnscrypt-proxy -resolve has been completely revamped, and now requires the configuration file to be accessible. It will send a query to an IP address of the dnscrypt-proxy server by default. Sending queries to arbitrary servers is also supported with the new -resolve name,address syntax.
  • Relay lists can be set to * for automatic relay selection. When a wildcard is used, either for the list of servers or relays, the proxy ensures that relays and servers are on distinct networks.
  • Lying resolvers are detected and reported.
  • New return code: NOT_READY for queries received before the proxy has been initialized.
  • Server lists can't be older than a week any more, even if directory permissions are incorrect and cache files cannot be written.
  • macOS/arm64 is now officially supported.
  • New feature: allowed_ips, to configure a set of IP addresses to never block no matter what DNS name resolves to them.
  • Hard-coded IP addresses can be immediately returned for test queries sent by operating systems in order to check for connectivity and captive portals. Such responses can be sent even before an interface is considered as enabled by the operating system. This can be configured in a new section called [captive_portals].
  • On Linux, OpenBSD and FreeBSD, listen_addresses can now include IP addresses that haven't been assigned to an interface yet.
  • The logo has been tweaked to look fine on a dark background.
  • generate-domains-blocklist.py: regular expressions are now ignored in time-based entries.
  • Minor bug fixes and logging improvements.
  • Cloaking plugin: if an entry has multiple IP addresses for a type, all the IP addresses are now returned instead of a random one.
  • Static entries can now include DNSCrypt relays.
  • Name blocking: aliases relying on SVCB and HTTPS records can now be blocked in addition to aliases via regular CNAME records.
  • EDNS-Client-Subnet information can be added to outgoing queries. Instead of sending the actual client IP, ECS information is user
    configurable, and IP addresses will be randomly chosen for every query.
  • Initial DoH queries are now checked using random names in order to properly measure CDNs such as Tencent that ignore the padding.
  • DoH: the max-stale cache control directive is now present in queries.
  • Logs can now be sent to /dev/stdout instead of actual files.
  • User switching is now supported on macOS.
  • New download mirror (https://download.dnscrypt.net) for resolvers, relays and parental-control.

Thanks to the nice people who contributed to this release:

2.0.44

11 Jun 19:00
2.0.44
Compare
Choose a tag to compare
  • More updates to the set of block lists, thanks again to IceCodeNew.
  • Netprobes and listening sockets are now ignored when the -list, -list-all, -show-certs or -check command-line switches are used.
  • tls_client_auth was renamed to doh_client_x509_auth. A section with the previous name is temporarily ignored if empty, but will error out if not.
  • Unit tests are now working on 32-bit systems. Thanks to Will Elwood and @lifenjoiner.

2.0.43

09 Jun 10:24
2.0.43
Compare
Choose a tag to compare
  • Built-in support for DNS64 translation has been implemented. (Contributed by Sergey Smirnov, thanks!)
  • Connections to DoH servers can be authenticated using TLS client certificates (Contributed by Kevin O'Sullivan, thanks!)
  • Multiple stamps are now allowed for a single server in resolvers and relays lists.
  • Android: the time zone for log files is now set to the system time zone.
  • Quite a lot of updates and additions have been made to the example domain block lists. Thanks to IceCodeNew!
  • Cached configuration files can now be temporarily used if they are out of date, but bootstraping is impossible. Contributed by lifenjoiner, thanks!
  • Precompiled macOS binaries are now notarized.
  • generate-domains-blacklists now tries to deduplicate entries clobbered by wildcard rules. Thanks to Huhni!
  • generate-domains-blacklists can now directly write lists to a file with the -o command-line option.
  • cache files are now downloaded as the user the daemon will be running as. This fixes permission issues at startup time.
  • Forwarded queries are now subject to global timeouts, and can be forced to use TCP.
  • The ct parameter has been removed from DoH queries, as Google doesn't require it any more.
  • Service installation is now supported on FreeBSD.
  • When stored into a file, service logs now only contain data from the most recent launch. This can be changed with the new log_file_latest option.
  • Breaking change: the tls_client_auth section was renamed to doh_client_x509_auth. If you had a tls_client_auth section in the configuration file, it needs to be updated.

2.0.42

26 Mar 17:48
2.0.42
Compare
Choose a tag to compare
  • The current versions of the dnsdist load balancer (presumably used by quad9, cleanbrowsing, qualityology, freetsa.org, ffmuc.net, opennic-bongobow, sth-dnscrypt-se, ams-dnscrypt-nl and more) is preventing queries over 1500 bytes from being received over UDP.
    Temporary workarounds have been introduced to improve reliability with these resolvers for regular DNSCrypt. Unfortunately, anonymized DNS cannot be reliable until the issue is fixed server-side.
    dnsdist authors are aware of it and are working on a fix already have a fix.
  • New option in the [anonymized_dns] section: skip_incompatible, to ignore resolvers incompatible with Anonymized DNS instead of using them without a relay.
  • The server latency benchmark is faster while being able to perform more retries if necessary.
  • Continuous integration has been moved to GitHub Actions.