2.0.28

• Invalid server entries are now skipped instead of preventing a source from being used. Thanks to Alison Winters for the contribution!
• Truncated responses are immediately retried over TCP instead of waiting for the client to retry. This reduces the latency for large responses.
• Responses sent to the local network are assumed to support at least 1252 bytes packets, and use optional information from EDNS up to 4096 bytes. This also reduces latency.
• Logging improvements: servers are not logged for cached, synthetic and cloaked responses. And the forwarder is logged instead of the regular server for forwarded responses.

2.0.27

• Version 2.0.27

• The X25519 implementation was changed from using the Go standard implementation to using Cloudflare's CIRCL library. Unfortunately, CIRCL appears to be broken on big-endian systems. That change has been reverted.
• All the dependencies have been updated.

2.0.26

• A new plugin was added to prevent Firefox from bypassing the system DNS settings.
• New configuration parameter to set how to respond to blocked queries: blocked_query_response. Responses can now be empty record sets, REFUSED response codes, or predefined IPv4 and/or IPv6 addresses.
• The refused_code_in_responses and blocked_query_response options have been folded into a new blocked_query_response option.
• The fallback resolver is now accessed using TCP if force_tcp has been set to true.
• CPU usage when enabling DNSCrypt ephemeral keys has been reduced.
• New command-line option: -show-certs to print DoH certificate hashes.
• Solaris packages are now provided.
• DoH servers on a non-standard port, with stamps that don't include IP addresses, and without working system resolvers can now be properly bootstrapped.
• A new option, query_meta, is now available to add optional records to client queries.

2.0.25

The example IP address for network probes didn't work on Windows - This is a regression introduced in version 2.0.24.

The example configuration file has been updated and the fallback resolver IP is now used when no netprobe address has been configured.

2.0.24

• The query log now includes the time it took to complete the
  transaction, the name of the resolver that sent the response and if
  the response was served from the cache. Thanks to Ferdinand Holzer for
  his help!
• The list of resolvers, sorted by latency, is now printed after all
  the resolvers have been probed.
• The "fastest" load-balancing strategy has been renamed to "first".
• On Windows, a nul byte is sent to the netprobe address. This is
  required to check for connectivity on this platform. Thanks to Mathias
  Berchtold.
• The Malwaredomainlist URL was updated to directly parse the host
  list. Thanks to Encrypted.Town.
• The Python script to generate lists of blacklisted domains is now
  compatible both with Python 2 and Python 3. Thanks to Simon R.
• A warning is now displayed for DoH is requested but the server
  doesn't speak HTTP/2.
• A crash with loaded-balanced sets of cloaked names was fixed.
  Thanks to @InkblotAdmirer for the report.
• Resolvers are now tried in random order to avoid favoring the first
  ones at startup.

2.0.23

2.0.23

2.0.22

The previous version had issues with the .org TLD when used in conjunction with dnsmasq.

This has been fixed.

2.0.21

The change to run the Windows service as NT AUTHORITY\NetworkService has been reverted, as it was reported to break logging (Windows only).

There are no other changes. If you are running version 2.0.20 on non-Windows platforms, or if you installed the service yourself, upgrading is not necessary.

Oh, and if you know how to switch back to NT AUTHORITY\NetworkService and still have the ability to write log files, your help would be welcome.

2.0.20

• Startup is now way faster, especially when using DoH servers.
• A new action: CLOAK is logged when queries are being cloaked.
• A cloaking rule can now map to multiple IPv4 and IPv6 addresses, with load-balancing.
• New option: refused_code_in_responses to return (or not) a REFUSED code on blacklisted queries. This is disabled by default, in order to work around a bug in Android Pie.
• Time-based restrictions are now properly handled in the generate-domains-blacklist.py script.
• Other improvements have been made to the generate-domains-blacklist.py script.
• The Windows service is now installed as NT AUTHORITY\NetworkService.

2.0.19

• The value for netprobe_timeout was read from the command-line, but not from the configuration file any more. This is a regression introduced in the previous version, that has been fixed.
• The default value for netprobe timeouts has been raised to 60 seconds.
• A hash of the body is added to query parameters when sending DoH queries with the POST method in order to work around badly configured proxies.