DNSCrypt Proxy Changelog

What's new in DNSCrypt Proxy 2.1.5

Aug 11, 2023
  • Dnscrypt-proxy can be compiled with Go 1.21.0+
  • Responses to blocked queries now include extended error codes
  • Reliability of connections using HTTP/3 has been improved
  • New configuration directive: tls_key_log_file. When defined, this is the path to a file where TLS secret keys will be written to, so that DoH traffic can be locally inspected.

New in DNSCrypt Proxy 2.1.4 (Feb 7, 2023)

  • Fixes a regression from version 2.1.3: when cloaking was enabled, blocked responses were returned for records that were not A/AAAA/PTR even for names not in the cloaked list.

New in DNSCrypt Proxy 2.1.3 (Feb 2, 2023)

  • DNS-over-HTTP/3 (QUIC) should be more reliable. In particular, version 2.1.2 required another (non-QUIC) resolver to be present for bootstrapping, or the resolver's IP address to be present in the stamp. This is not the case any more.
  • dnscrypt-proxy is now compatible with Go 1.20+
  • Commands (-check, -show-certs, -list, -list-all) now ignore log files and directly output the result to the standard output.
  • The cert_ignore_timestamp configuration switch is now documented. It allows ignoring timestamps for DNSCrypt certificate verification, until a first server is available. This should only be used on devices that don't have any ways to set the clock before DNS service is up. However, a safer alternative remains to use an NTP server with a fixed IP address (such as time.google.com), configured in the captive portals file.
  • Cloaking: when a name is cloaked, unsupported record types now return a blocked response rather than the actual records.
  • systemd: report Ready earlier as dnscrypt-proxy can itself manage retries for updates/refreshes.

New in DNSCrypt Proxy 2.1.2 (Aug 1, 2022)

  • Support for DoH over HTTP/3 (DoH3, HTTP over QUIC) has been added. Compatible servers will automatically use it. Note that QUIC uses UDP (usually over port 443, like DNSCrypt) instead of TCP.
  • In previous versions, memory usage kept growing due to channels not being properly closed, causing goroutines to pile up. This was fixed, resulting in an important reduction of memory usage. Thanks to @lifenjoiner for investigating and fixing this!
  • DNS64: CNAME records are now translated like other responses. Thanks to @ignoramous for this!
  • A relay whose name has been configured, but doesn't exist in the list of available relays is now a hard error. Thanks to @lifenjoiner!
  • Mutexes/locking: bug fixes and improvements, by @ignoramous.
  • Official packages now include linux/riscv64 builds.
  • Dnscrypt-proxy -resolve now reports if ECS (EDNS-clientsubnet) is supported by the server.
  • Dnscrypt-proxy -list now includes ODoH (Oblivious DoH) servers.
  • Local DoH: queries made using the GET method are now handled.
  • The service can now be installed on OpenRC-based systems.
  • PTR queries are now supported for cloaked domains. Contributed by Ian Bashford, thanks!

New in DNSCrypt Proxy 2.1.1 (Sep 27, 2021)

  • This is a bugfix only release, addressing regressions introduced in version 2.1.0:
  • When using DoH, cached responses were not served any more when experiencing connectivity issues. This has been fixed.
  • Time attributes in allow/block lists were ignored. This has been fixed.
  • The TTL as served to clients is now rounded and starts decreasing before the first query is received.
  • Time-based rules are properly handled again in generate-domains-blocklist.
  • DoH/ODoH: entries with an IP address and using a non-standard port used to require help from a bootstrap resolver. This is not the case any more.

New in DNSCrypt Proxy 2.1.0 (Aug 15, 2021)

  • dnscrypt-proxy now includes support for Oblivious DoH.
  • If the proxy is overloaded, cached and synthetic queries now keep being served, while non-cached queries are delayed.
  • A deprecation warning was added for fallback_resolvers.
  • Source URLs are now randomized.
  • On some platforms, redirecting the application log to a file was not compatible with user switching; this has been fixed.
  • fallback_resolvers was renamed to bootstrap_resolvers for clarity. Please update your configuration file accordingly.

New in DNSCrypt Proxy 2.0.46 Beta 3 (Jun 13, 2021)

  • Add support for the final version of the Oblivious DoH specification.

New in DNSCrypt Proxy 2.0.46 Beta 1 (Jun 8, 2021)

  • Source URLs are now randomized.
  • On some platforms, redirecting the application log to a file was not compatible with user switching; this has been fixed.
  • fallback_resolvers was renamed to bootstrap_resolvers for clarity. Please update your configuration file accordingly.
  • Preliminary support for ODoH (Oblivious DoH) was added. Thanks to Chris Wood for his help on this!

New in DNSCrypt Proxy 2.0.45 (Jan 3, 2021)

  • Configuration changes (to be required in versions 2.1.x):
  • [blacklist] has been renamed to [blocked_names]
  • [ip_blacklist] has been renamed to [blocked_ips]
  • [whitelist] has been renamed to [allowed_names]
  • generate-domains-blacklist.py has been renamed to generate-domains-blocklist.py, and the configuration files have been renamed as well.
  • dnscrypt-proxy -resolve has been completely revamped, and now requires the configuration file to be accessible. It will send a query to an IP address of the dnscrypt-proxy server by default. Sending queries to arbitrary servers is also supported with the new -resolve name,address syntax.
  • Relay lists can be set to * for automatic relay selection. When a wildcard is used, either for the list of servers or relays, the proxy ensures that relays and servers are on distinct networks.
  • Lying resolvers are detected and reported.
  • New return code: NOT_READY for queries received before the proxy has been initialized.
  • Server lists can't be older than a week any more, even if directory permissions are incorrect and cache files cannot be written.
  • macOS/arm64 is now officially supported.
  • New feature: allowed_ips, to configure a set of IP addresses to never block no matter what DNS name resolves to them.
  • Hard-coded IP addresses can be immediately returned for test queries sent by operating systems in order to check for connectivity and captive portals. Such responses can be sent even before an interface is considered as enabled by the operating system. This can be configured in a new section called [captive_portals].
  • On Linux, OpenBSD and FreeBSD, listen_addresses can now include IP addresses that haven't been assigned to an interface yet.
  • The logo has been tweaked to look fine on a dark background.
  • generate-domains-blocklist.py: regular expressions are now ignored in time-based entries.
  • Minor bug fixes and logging improvements.
  • Cloaking plugin: if an entry has multiple IP addresses for a type, all the IP addresses are now returned instead of a random one.
  • Static entries can now include DNSCrypt relays.
  • Name blocking: aliases relying on SVCB and HTTPS records can now be blocked in addition to aliases via regular CNAME records.
  • EDNS-Client-Subnet information can be added to outgoing queries. Instead of sending the actual client IP, ECS information is user-configurable, and IP addresses will be randomly chosen for every query.
  • Initial DoH queries are now checked using random names in order to properly measure CDNs such as Tencent that ignore the padding.
  • DoH: the max-stale cache control directive is now present in queries.
  • Logs can now be sent to /dev/stdout instead of actual files.
  • User switching is now supported on macOS.
  • New download mirror (https://download.dnscrypt.net) for resolvers, relays and parental-control.
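
The ECS note in 2.0.45 above describes a proxy that sends a synthetic client subnet rather than the real one. The block below is an added example written for this page, not dnscrypt-proxy's own ECS plugin (how the proxy itself picks and truncates addresses is not claimed here): it draws a random address from a configured pool, truncates it to a SOURCE PREFIX-LENGTH as RFC 7871 requires, wraps it in an OPT pseudo-RR, and includes a parser that enforces the same rules so a captured query can be checked. The pool prefixes used are documentation ranges (RFC 5737 / RFC 3849) chosen for the example.

```python
"""EDNS Client Subnet (RFC 7871) option carrying a random address from a
configured pool instead of the real client address.

Added example for this changelog, not dnscrypt-proxy's own ECS plugin."""
import ipaddress
import secrets
import struct
from typing import List, Optional

OPTION_CLIENT_SUBNET = 8           # EDNS option code assigned by RFC 7871
OPT_RR_TYPE = 41                   # OPT pseudo-RR type (RFC 6891)
FAMILY = {4: 1, 6: 2}              # IANA address family numbers
RECOMMENDED_PLEN = {4: 24, 6: 56}  # RFC 7871 section 11.1 privacy recommendation


def random_address_in(pool: str):
    """Pick a uniformly random address inside the configured pool prefix."""
    net = ipaddress.ip_network(pool, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    return net.network_address + secrets.randbelow(1 << host_bits)


def build_ecs_option(pool: str, source_prefix_len: Optional[int] = None) -> bytes:
    """OPTION-CODE, OPTION-LENGTH and OPTION-DATA for one ECS option.
    Only source_prefix_len bits of the random address are sent; RFC 7871 requires
    the remaining bits to be zero and the address field trimmed to whole octets."""
    addr = random_address_in(pool)
    plen = RECOMMENDED_PLEN[addr.version] if source_prefix_len is None else source_prefix_len
    nbytes = (plen + 7) // 8
    packed = addr.packed[:nbytes]
    if plen % 8:                                   # clear the bits past the prefix
        keep = (0xFF << (8 - plen % 8)) & 0xFF
        packed = packed[:-1] + bytes([packed[-1] & keep])
    data = struct.pack("!HBB", FAMILY[addr.version], plen, 0) + packed  # SCOPE is 0 in queries
    return struct.pack("!HH", OPTION_CLIENT_SUBNET, len(data)) + data


def opt_rr(options: List[bytes], udp_payload_size: int = 4096) -> bytes:
    """Wire-format OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0."""
    rdata = b"".join(options)
    return b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, udp_payload_size, 0, len(rdata)) + rdata


def parse_ecs_option(option: bytes) -> dict:
    """Decode one ECS option and enforce the RFC 7871 consistency rules."""
    code, length = struct.unpack("!HH", option[:4])
    if code != OPTION_CLIENT_SUBNET or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    family, plen, scope = struct.unpack("!HBB", option[4:8])
    raw = option[8:]
    if len(raw) != (plen + 7) // 8:
        raise ValueError("address length does not match SOURCE PREFIX-LENGTH")
    if family == 1:
        addr = ipaddress.IPv4Address(raw.ljust(4, b"\x00"))
    elif family == 2:
        addr = ipaddress.IPv6Address(raw.ljust(16, b"\x00"))
    else:
        raise ValueError(f"unknown address family {family}")
    net = ipaddress.ip_network((addr, plen), strict=False)
    if net.network_address != addr:              # bits past the prefix must be zero
        raise ValueError("non-zero bits beyond SOURCE PREFIX-LENGTH")
    return {"family": family, "source_prefix_len": plen,
            "scope_prefix_len": scope, "network": net}


if __name__ == "__main__":
    # Documentation-range pools (RFC 5737 / RFC 3849), chosen for this example.
    for pool in ("198.51.100.0/24", "0.0.0.0/0", "2001:db8::/32"):
        opt = build_ecs_option(pool)
        print(pool, "->", parse_ecs_option(opt)["network"],
              "in a", len(opt_rr([opt])), "byte OPT RR")
```

A pool of 0.0.0.0/0 with the default /24 gives a different, unrelated /24 on every query; a narrower pool such as 198.51.100.0/24 always advertises that one /24, which is the setting to use when the goal is geographic steering rather than unlinkability.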

New in DNSCrypt Proxy 2.0.44 (Jun 11, 2020)

  • More updates to the set of block lists, thanks again to IceCodeNew.
  • Netprobes and listening sockets are now ignored when the -list, -list-all, -show-certs or -check command-line switches are used.
  • tls_client_auth was renamed to doh_client_x509_auth. A section with the previous name is temporarily ignored if empty, but will error out if not.
  • Unit tests are now working on 32-bit systems. Thanks to Will Elwood and @lifenjoiner.

New in DNSCrypt Proxy 2.0.43 (Jun 9, 2020)

  • Built-in support for DNS64 translation has been implemented. (Contributed by Sergey Smirnov, thanks!)
  • Connections to DoH servers can be authenticated using TLS client certificates (Contributed by Kevin O'Sullivan, thanks!)
  • Multiple stamps are now allowed for a single server in resolvers and relays lists.
  • Android: the time zone for log files is now set to the system time zone.
  • Quite a lot of updates and additions have been made to the example domain block lists. Thanks to IceCodeNew!
  • Cached configuration files can now be temporarily used if they are out of date but bootstrapping is impossible. Contributed by lifenjoiner, thanks!
  • Precompiled macOS binaries are now notarized.
  • generate-domains-blacklist.py now tries to deduplicate entries clobbered by wildcard rules. Thanks to Huhni!
  • generate-domains-blacklist.py can now directly write lists to a file with the -o command-line option.
  • cache files are now downloaded as the user the daemon will be running as. This fixes permission issues at startup time.
  • Forwarded queries are now subject to global timeouts, and can be forced to use TCP.
  • The ct parameter has been removed from DoH queries, as Google doesn't require it any more.
  • Service installation is now supported on FreeBSD.
  • When stored into a file, service logs now only contain data from the most recent launch. This can be changed with the new log_file_latest option.

New in DNSCrypt Proxy 2.0.42 (Mar 26, 2020)

  • The current version of the dnsdist load balancer (presumably used by quad9, cleanbrowsing, qualityology, freetsa.org, ffmuc.net, opennic-bongobow, sth-dnscrypt-se, ams-dnscrypt-nl and more) prevents queries over 1500 bytes from being received over UDP.
  • Temporary workarounds have been introduced to improve reliability with these resolvers for regular DNSCrypt. Unfortunately, anonymized DNS cannot be reliable until the issue is fixed server-side.
  • dnsdist authors are aware of it and already have a fix.
  • New option in the [anonymized_dns] section: skip_incompatible, to ignore resolvers incompatible with Anonymized DNS instead of using them without a relay.
  • The server latency benchmark is faster while being able to perform more retries if necessary.
  • Continuous integration has been moved to GitHub Actions.

New in DNSCrypt Proxy 2.0.41 (Mar 24, 2020)

  • Precompiled binaries for armv5, armv6 and armv7 are available.
  • The default arm builds were not compatible with older CPUs when compiled with Go 1.14. mips64 binaries are explicitly compiled with softfloat to improve compatibility.
  • Quad9 seems to be only blocking fragmented queries over UDP for some networks. They have been removed from the default list of broken resolvers; runtime detection of support for fragments should now do the job.
  • Runtime detection of support for fragments was actually enabled.

New in DNSCrypt Proxy 2.0.40 (Mar 21, 2020)

  • Servers blocking fragmented queries are now automatically detected.
  • The server name is now only present in query logs when an actual upstream server was required to resolve a query.
  • TLS client authentication has been added for DoH.
  • The Firefox plugin is now skipped for connections coming from the local DoH server.
  • DoH RTT computation is now more accurate, especially when CDNs are in the middle.
  • The forwarding plugin is now more reliable, and handles retries over TCP.

New in DNSCrypt Proxy 2.0.39 (Jan 31, 2020)

  • The Firefox Local DoH service didn't properly work in version 2.0.38; this has been fixed. Thanks to Simon Brand for the report!

New in DNSCrypt Proxy 2.0.38 (Jan 30, 2020)

  • Entries from lists (forwarding, blacklists, whitelists) now support inline comments.
  • Reliability improvement: queries over UDP are retried after a timeout instead of solely relying on the client.
  • Reliability improvement: during temporary network outages, cached records are now served even if they are stale.
  • Bug fix: SOCKS proxies and DNS relays can be combined.
  • New feature: multiple fallback resolvers are now supported (see the new fallback_resolvers option. Note that fallback_resolver is still supported for backward compatibility).
  • Windows: the service can be installed with a configuration file stored separately from the application.
  • Security (affecting DoH): precompiled binaries of dnscrypt-proxy 2.0.37 are built using Go 1.13.7 that fixes a TLS certificate parsing issue present in previous versions of the compiler.

New in DNSCrypt Proxy 2.0.37 (Jan 30, 2020)

  • Reliability improvement: queries over UDP are retried after a timeout instead of solely relying on the client.
  • Reliability improvement: during temporary network outages, cached records are now served even if they are stale.
  • Bug fix: SOCKS proxies and DNS relays can be combined.
  • New feature: multiple fallback resolvers are now supported (see the new fallback_resolvers option. Note that fallback_resolver is still supported for backward compatibility).
  • Windows: the service can be installed with a configuration file stored separately from the application.
  • Security (affecting DoH): precompiled binaries of dnscrypt-proxy 2.0.37 are built using Go 1.13.7 that fixes a TLS certificate parsing issue present in previous versions of the compiler.

New in DNSCrypt Proxy 2.0.35 (Dec 10, 2019)

  • New option: block_unqualified to block A/AAAA queries with unqualified host names. These will very rarely get an answer from upstream resolvers, but can leak private information to these, as well as to root servers.
  • When a CNAME pointer is blocked, the original query name is now logged along with the pointer. This makes it easier to know what the original query name was, so it can be whitelisted, or what the pointer was, so it can be removed from the blacklist.

New in DNSCrypt Proxy 2.0.34 Beta 1 (Nov 29, 2019)

  • Blacklisted names are now also blocked if they appear in CNAME pointers.
  • dnscrypt-proxy can now act as a local DoH server. Firefox can be configured to use it, so that ESNI can be enabled without bypassing your DNS proxy.

New in DNSCrypt Proxy 2.0.33 (Nov 18, 2019)

  • Fixes an issue that caused some valid queries to return PARSE_ERROR.

New in DNSCrypt Proxy 2.0.29 Beta 3 (Oct 23, 2019)

  • Improved logging
  • Added a workaround for DNS servers using a non-standard provider name.

New in DNSCrypt Proxy 2.0.28 (Oct 13, 2019)

  • Invalid server entries are now skipped instead of preventing a source from being used. Thanks to Alison Winters for the contribution!
  • Truncated responses are immediately retried over TCP instead of waiting for the client to retry. This reduces the latency for large responses.
  • Responses sent to the local network are assumed to support at least 1252 bytes packets, and use optional information from EDNS up to 4096 bytes. This also reduces latency.
  • Logging improvements: servers are not logged for cached, synthetic and cloaked responses. And the forwarder is logged instead of the regular server for forwarded responses.

New in DNSCrypt Proxy 2.0.27 (Sep 9, 2019)

  • The X25519 implementation was changed from using the Go standard implementation to using Cloudflare's CIRCL library. Unfortunately, CIRCL appears to be broken on big-endian systems. That change has been reverted.
  • All the dependencies have been updated.

New in DNSCrypt Proxy 2.0.26 (Sep 7, 2019)

  • A new plugin was added to prevent Firefox from bypassing the system DNS settings.
  • New configuration parameter to set how to respond to blocked queries: blocked_query_response. Responses can now be empty record sets, REFUSED response codes, or predefined IPv4 and/or IPv6 addresses.
  • The refused_code_in_responses and blocked_query_response options have been folded into a new blocked_query_response option.
  • The fallback resolver is now accessed using TCP if force_tcp has been set to true.
  • CPU usage when enabling DNSCrypt ephemeral keys has been reduced.
  • New command-line option: -show-certs to print DoH certificate hashes.
  • Solaris packages are now provided.
  • DoH servers on a non-standard port, with stamps that don't include IP addresses, and without working system resolvers can now be properly bootstrapped.
  • A new option, query_meta, is now available to add optional records to client queries.
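
The 2.0.26 note above (DoH servers on a non-standard port with stamps that lack an IP address), and the 2.1.1 and 2.1.3 notes earlier on this page, all turn on one property of a server's sdns:// stamp: whether it embeds an IP address, or only a host name that must first be resolved through a bootstrap resolver. The block below is an added example written for this page, not code from the dnscrypt-proxy project: a stamp encoder and decoder following the published DNS stamp byte layout (plain, DNSCrypt, DoH and DoT types only), plus a check for that property. The Cloudflare 1.0.0.1 stamp string is hand-built here and verified against the encoder; the doh.example.net and 2.dnscrypt-cert.example.net entries are constructed for the example.

```python
"""sdns:// stamp encoder/decoder with a check for an embedded IP address.

Added example for this changelog, not code from the dnscrypt-proxy project.
The byte layout follows the published DNS stamp specification; only the plain,
DNSCrypt, DoH and DoT stamp types are handled here."""
import base64
import struct
from dataclasses import dataclass, field
from typing import List

PROTO_PLAIN, PROTO_DNSCRYPT, PROTO_DOH, PROTO_DOT = 0x00, 0x01, 0x02, 0x03
PROP_DNSSEC, PROP_NO_LOG, PROP_NO_FILTER = 1, 2, 4   # bits of the props field


@dataclass
class Stamp:
    proto: int
    props: int = 0
    addr: str = ""                 # "ip", "ip:port", "[ip6]:port", ":port" or ""
    pk: bytes = b""                # DNSCrypt: provider public key
    hashes: List[bytes] = field(default_factory=list)  # DoH/DoT: cert hashes
    hostname: str = ""             # DNSCrypt: provider name; DoH/DoT: host name
    path: str = ""                 # DoH only

    def has_ip(self) -> bool:
        """True when addr carries an IP, so the server is reachable without
        first resolving its host name through a bootstrap resolver."""
        if self.addr.startswith("["):              # bracketed IPv6, with or without port
            return True
        return self.addr.rsplit(":", 1)[0] != ""   # ":port" alone means no IP


def _lp(data: bytes) -> bytes:
    """Length-prefixed field: one length byte, then the bytes."""
    if len(data) > 255:
        raise ValueError("stamp field longer than 255 bytes")
    return bytes([len(data)]) + data


def _vlp(items: List[bytes]) -> bytes:
    """Vector of length-prefixed fields; bit 7 of a length byte means 'more
    follow'. An empty vector is encoded as a single zero byte."""
    if not items:
        return b"\x00"
    out = b""
    for i, item in enumerate(items):
        if len(item) > 127:
            raise ValueError("vector element longer than 127 bytes")
        out += bytes([len(item) | (0x80 if i < len(items) - 1 else 0)]) + item
    return out


def encode(s: Stamp) -> str:
    body = bytes([s.proto]) + struct.pack("<Q", s.props) + _lp(s.addr.encode())
    if s.proto == PROTO_DNSCRYPT:
        body += _lp(s.pk) + _lp(s.hostname.encode())
    elif s.proto in (PROTO_DOH, PROTO_DOT):
        body += _vlp(s.hashes) + _lp(s.hostname.encode())
        if s.proto == PROTO_DOH:
            body += _lp(s.path.encode())
    elif s.proto != PROTO_PLAIN:
        raise ValueError(f"unsupported stamp protocol 0x{s.proto:02x}")
    return "sdns://" + base64.urlsafe_b64encode(body).rstrip(b"=").decode()


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated stamp")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def lp(self) -> bytes:
        return self.take(self.take(1)[0])

    def vlp(self) -> List[bytes]:
        items = []
        while True:
            n = self.take(1)[0]
            item = self.take(n & 0x7F)
            if item:
                items.append(item)
            if not n & 0x80:
                return items


def decode(stamp: str) -> Stamp:
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    r = _Reader(raw)
    s = Stamp(proto=r.take(1)[0], props=struct.unpack("<Q", r.take(8))[0])
    s.addr = r.lp().decode()
    if s.proto == PROTO_DNSCRYPT:
        s.pk, s.hostname = r.lp(), r.lp().decode()
    elif s.proto in (PROTO_DOH, PROTO_DOT):
        s.hashes, s.hostname = r.vlp(), r.lp().decode()
        if s.proto == PROTO_DOH:
            s.path = r.lp().decode()
    elif s.proto != PROTO_PLAIN:
        raise ValueError(f"unsupported stamp protocol 0x{s.proto:02x}")
    if r.pos != len(raw):
        raise ValueError("trailing bytes after stamp")
    return s


# Stamp for Cloudflare's 1.0.0.1 DoH endpoint, hand-built for this example and
# checked against encode(); it embeds the IP, so no bootstrap resolver is needed.
CLOUDFLARE_DOH = "sdns://AgcAAAAAAAAABzEuMC4wLjEAEmRucy5jbG91ZGZsYXJlLmNvbQovZG5zLXF1ZXJ5"


def needs_bootstrap(stamp: str) -> bool:
    """True for a DoH/DoT stamp whose host name must be resolved before use."""
    s = decode(stamp)
    return s.proto in (PROTO_DOH, PROTO_DOT) and not s.has_ip()


if __name__ == "__main__":
    s = decode(CLOUDFLARE_DOH)
    print(s.addr, s.hostname, s.path, bool(s.props & PROP_NO_LOG), needs_bootstrap(CLOUDFLARE_DOH))
    # Hypothetical DoH server on a non-standard port with no IP in its stamp:
    no_ip = Stamp(PROTO_DOH, PROP_DNSSEC, addr=":8443", hostname="doh.example.net", path="/dns-query")
    print(encode(no_ip), needs_bootstrap(encode(no_ip)))
```

When auditing a resolver list, run needs_bootstrap over every stamp: any entry that returns True will depend on bootstrap_resolvers (or on another working server) at startup, which is exactly the situation the 2.1.3 note says DoH3 no longer requires and the 2.0.26 note addressed for non-standard ports.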

New in DNSCrypt Proxy 2.0.25 (Jun 4, 2019)

  • The example IP address for network probes didn't work on Windows; this is a regression introduced in version 2.0.24.
  • The example configuration file has been updated and the fallback resolver IP is now used when no netprobe address has been configured.

New in DNSCrypt Proxy 2.0.22 (Apr 1, 2019)

  • The previous version had issues with the .org TLD when used in conjunction with dnsmasq. This has been fixed.

New in DNSCrypt Proxy 2.0.21 (Mar 15, 2019)

  • The change to run the Windows service as NT AUTHORITY\NetworkService has been reverted, as it was reported to break logging (Windows only).
  • There are no other changes. If you are running version 2.0.20 on non-Windows platforms, or if you installed the service yourself, upgrading is not necessary.
  • Oh, and if you know how to switch back to NT AUTHORITY\NetworkService and still have the ability to write log files, your help would be welcome.

New in DNSCrypt Proxy 2.0.20 (Mar 14, 2019)

  • Startup is now way faster, especially when using DoH servers.
  • A new action: CLOAK is logged when queries are being cloaked.
  • A cloaking rule can now map to multiple IPv4 and IPv6 addresses, with load-balancing.
  • New option: refused_code_in_responses to return (or not) a REFUSED code on blacklisted queries. This is disabled by default, in order to work around a bug in Android Pie.
  • Time-based restrictions are now properly handled in the generate-domains-blacklist.py script.
  • Other improvements have been made to the generate-domains-blacklist.py script.
  • The Windows service is now installed as NT AUTHORITY\NetworkService.

New in DNSCrypt Proxy 2.0.19 (Nov 23, 2018)

  • The value for netprobe_timeout was read from the command-line, but not from the configuration file any more. This regression, introduced in the previous version, has been fixed.
  • The default value for netprobe timeouts has been raised to 60 seconds.
  • A hash of the body is added to query parameters when sending DoH queries with the POST method in order to work around badly configured proxies.

New in DNSCrypt Proxy 2.0.17 (Oct 4, 2018)

  • Go >= 1.11 is now supported
  • The flipside is that Windows XP is not supported any more :(
  • When dropping privileges, there is no supervisor process any more.
  • DNS options used to be cleared from DNS queries, with the exception of flags and payload sizes. This is not the case any more.
  • Android builds use a newer NDK, and add compatibility with API 19.
  • DoH queries are smaller, since workarounds are not required any more after Google updated their implementation.

New in DNSCrypt Proxy 2.0.15 (Jun 6, 2018)

  • Support for proxies (HTTP/SOCKS) was added. All it takes to route all TCP queries to Tor is to add proxy = "socks5://127.0.0.1:9050" to the configuration file.
  • Querylog files have a new record indicating the outcome of each transaction.
  • Pre-built binaries for Linux are statically linked on all architectures.

New in DNSCrypt Proxy 2.0.14 (May 21, 2018)

  • Supports DNS-over-HTTPS draft 08.
  • Netprobes don't use port 0 by default, as this causes issues with Little Snitch and FreeBSD.

New in DNSCrypt Proxy 2.0.12 (May 11, 2018)

  • Further compatibility fixes for Alpine Linux/i386 and Android/i386 have been made. Thanks to @aead for his help!
  • The proxy will now wait for network connectivity before starting. This is useful if the proxy is automatically started at boot, possibly before the network is fully configured.
  • The IPv6 blocking module now returns synthetic SOA records to improve compatibility with downstream resolvers and stub resolvers.