Merge in DNS/adguard-home from 3157-excessive-ptrs to master Updates #3157. Squashed commit of the following: commit 6803988240dca2f147bb80a5b3f78d7749d2fa14 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Apr 19 14:50:01 2022 +0300 aghnet: and again commit 1a7f4d1dbc8fd4d3ae620349917526a75fa71b47 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Apr 19 14:49:20 2022 +0300 aghnet: docs again commit d88da1fc7135f3cd03aff10b02d9957c8ffdfd30 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Apr 19 14:47:36 2022 +0300 aghnet: imp docs commit c45dbc7800e882c6c4110aab640c32b03046f89a Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Apr 19 14:41:19 2022 +0300 aghnet: keep alphabetical order commit b61781785d096ef43f60fb4f1905a4ed3cdf7c68 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Apr 19 13:50:56 2022 +0300 aghnet: imp code quality commit 578dbd71ed2f2089c69343d7d4bf8bbc29150ace Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Apr 12 17:02:38 2022 +0300 aghnet: imp arp container
39 KiB
AdGuard Home Changelog
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
Unreleased
Security
- Enforced password strength policy (#3503).
- Weaker cipher suites that use the CBC (cipher block chaining) mode of operation have been disabled (#2993).
Added
- The ability to customize the set of networks that are considered private
through the new
dns.private_networks
property in the configuration file (#3142). - EDNS Client-Subnet information in the request details section of a query log record (#3978).
- Support for hostnames for plain UDP upstream servers using the
udp://
scheme (#4166). - Logs are now collected by default on FreeBSD and OpenBSD when AdGuard Home is installed as a service (#4213).
windows/arm64
support (#3057).
Changed
- The default DNS-over-QUIC port number is now
853
instead of754
in accordance with the latest RFC draft (#4276). - Reverse DNS now has a greater priority as the source of runtime clients' information than ARP neighborhood.
- Improved detection of runtime clients through more resilient ARP processing (#3597).
- The TTL of responses served from the optimistic cache is now lowered to 10 seconds.
- Domain-specific private reverse DNS upstream servers are now validated to
allow only
*.in-addr.arpa
and*.ip6.arpa
domains pointing to locally-served networks (#3381). Note: If you already have invalid entries in your configuration, consider removing them manually, since they essentially had no effect. - Response filtering is now performed using the record types of the answer section of messages as opposed to the type of the question (#4238).
- Instead of adding the build time information, the build scripts now use the
standardized environment variable
SOURCE_DATE_EPOCH
to add the date of the commit from which the binary was built (#4221). This should simplify reproducible builds for package maintainers and those who compile their own AdGuard Home. - The property
local_domain_name
is now in thedhcp
object in the configuration file to avoid confusion (#3367). - The
dns.bogus_nxdomain
property in the configuration file now supports CIDR notation alongside IP addresses (#1730).
Configuration Changes
In this release, the schema version has changed from 12 to 13.
-
Property
local_domain_name
, which in schema versions 12 and earlier used to be a part of thedns
object, is now a part of thedhcp
object:# BEFORE: 'dns': # … 'local_domain_name': 'lan' # AFTER: 'dhcp': # … 'local_domain_name': 'lan'
To rollback this change, move the property back into the
dns
object and change theschema_version
back to12
.
Deprecated
- Go 1.17 support. v0.109.0 will require at least Go 1.18 to build.
Fixed
- ARP tables refreshing process causing excessive PTR requests (#3157).
v0.107.6 - 2022-04-13
See also the v0.107.6 GitHub milestone.
Security
User-Agent
HTTP header removed from outgoing DNS-over-HTTPS requests.- Go version was updated to prevent the possibility of exploiting the CVE-2022-24675, CVE-2022-27536, and CVE-2022-28327 vulnerabilities.
Added
- Support for SVCB/HTTPS parameter
dohpath
in filtering rules with thednsrewrite
modifier according to the RFC draft (#4463).
Changed
- Filtering rules with the
dnsrewrite
modifier that create SVCB or HTTPS responses should useech
instead ofechconfig
to conform with the latest drafts.
Deprecated
- SVCB/HTTPS parameter name
echconfig
in filtering rules with thednsrewrite
modifier. Useech
instead. v0.109.0 will remove support for the outdated nameechconfig
. - Obsolete
--no-mem-optimization
option (#4437). v0.109.0 will remove the flag completely.
Fixed
- I/O timeout errors when checking for the presence of another DHCP server.
- Network interfaces being incorrectly labeled as down during installation.
- Rules for blocking the QQ service (#3717).
Removed
- Go 1.16 support, since that branch of the Go compiler has reached end of life and doesn't receive security updates anymore.
v0.107.5 - 2022-03-04
This is a security update. There is no GitHub milestone, since no GitHub issues were resolved.
Security
- Go version was updated to prevent the possibility of exploiting the CVE-2022-24921 vulnerability.
v0.107.4 - 2022-03-01
See also the v0.107.4 GitHub milestone.
Security
- Go version was updated to prevent the possibility of exploiting the CVE-2022-23806, CVE-2022-23772, and CVE-2022-23773 vulnerabilities.
Fixed
- Optimistic cache now responds with expired items even if those can't be resolved again (#4254).
- Unnecessarily complex hosts-related logic leading to infinite recursion in some cases (#4216).
v0.107.3 - 2022-01-25
See also the v0.107.3 GitHub milestone.
Added
- Support for a
dnsrewrite
modifier with an emptyNOERROR
response (#4133).
Fixed
- Wrong set of ports checked for duplicates during the initial setup (#4095).
- Incorrectly invalidated service domains (#4120).
- Poor testing of domain-specific upstream servers (#4074).
- Omitted aliases of hosts specified by another line within the OS's hosts file (#4079).
v0.107.2 - 2021-12-29
See also the v0.107.2 GitHub milestone.
Fixed
- Infinite loops when TCP connections time out (#4042).
v0.107.1 - 2021-12-29
See also the v0.107.1 GitHub milestone.
Changed
- The validation error message for duplicated allow- and blocklists in DNS settings now shows the duplicated elements (#3975).
Fixed
ipset
initialization bugs (#4027).- Legacy DNS rewrites from a wildcard pattern to a subdomain (#4016).
- Service not being stopped before running the
uninstall
service action (#3868). - Broken
reload
service action on FreeBSD. - Legacy DNS rewrites responding from upstream when a request other than
A
orAAAA
is received (#4008). - Panic on port availability check during installation (#3987).
- Incorrect application of rules from the OS's hosts files (#3998).
v0.107.0 - 2021-12-21
See also the v0.107.0 GitHub milestone.
Added
- Upstream server information for responses from cache (#3772). Note that old log entries concerning cached responses won't include that information.
- Finnish and Ukrainian translations.
- Setting the timeout for IP address pinging in the "Fastest IP address" mode
through the new
fastest_timeout
field in the configuration file (#1992). - Static IP address detection on FreeBSD (#3289).
- Optimistic cache (#2145).
- New possible value of
6h
forquerylog_interval
property (#2504). - Blocking access using ClientIDs (#2624, #3162).
source
directives support in/etc/network/interfaces
on Linux (#3257).- RFC 9000 support in QUIC.
- Completely disabling statistics by setting the statistics interval to zero (#2141).
- The ability to completely purge DHCP leases (#1691).
- Settable timeouts for querying the upstream servers (#2280).
- Configuration file properties to change group and user ID on startup on Unix (#2763).
- Experimental OpenBSD support for AMD64 and 64-bit ARM CPUs (#2439, #3225, #3226).
- Support for custom port in DNS-over-HTTPS profiles for Apple's devices (#3172).
darwin/arm64
support (#2443).freebsd/arm64
support (#2441).- Output of the default addresses of the upstreams used for resolving PTRs for private addresses (#3136).
- Detection and handling of recurrent PTR requests for locally-served addresses (#3185).
- The ability to completely disable reverse DNS resolving of IPs from locally-served networks (#3184).
- New flag
--local-frontend
to serve dynamically changeable frontend files from disk as opposed to the ones that were compiled into the binary.
Changed
- Port bindings are now checked for uniqueness (#3835).
- The DNSSEC check now simply checks against the AD flag in the response (#3904).
- Client objects in the configuration file are now sorted (#3933).
- Responses from cache are now labeled (#3772).
- Better error message for ED25519 private keys, which are not widely supported (#3737).
- Cache now follows RFC more closely for negative answers (#3707).
dnsrewrite
rules and other DNS rewrites will now be applied even when the protection is disabled (#1558).- DHCP gateway address, subnet mask, IP address range, and leases validations (#3529).
- The
systemd
service script will now create the/var/log
directory when it doesn't exist (#3579). - Items in allowed clients, disallowed clients, and blocked hosts lists are now required to be unique (#3419).
- The TLS private key previously saved as a string isn't shown in API responses anymore (#1898).
- Better OpenWrt detection (#3435).
- DNS-over-HTTPS queries that come from HTTP proxies in the
trusted_proxies
list now use the real IP address of the client instead of the address of the proxy (#2799). - Clients who are blocked by access settings now receive a
REFUSED
response when a protocol other than DNS-over-UDP and DNSCrypt is used. dns.querylog_interval
property is now formatted in hours.- Query log search now supports internationalized domains (#3012).
- Internationalized domains are now shown decoded in the query log with the original encoded version shown in request details (#3013).
- When /etc/hosts-type rules have several IPs for one host, all IPs are now returned instead of only the first one (#1381).
- Property
rlimit_nofile
is now in theos
object of the configuration file, together with the newgroup
anduser
properties (#2763). - Permissions on filter files are now
0o644
instead of0o600
(#3198).
Configuration Changes
In this release, the schema version has changed from 10 to 12.
-
Property
dns.querylog_interval
, which in schema versions 11 and earlier used to be an integer number of days, is now a string with a human-readable duration:# BEFORE: 'dns': # … 'querylog_interval': 90 # AFTER: 'dns': # … 'querylog_interval': '2160h'
To rollback this change, convert the property back into days and change the
schema_version
back to11
. -
Property
rlimit_nofile
, which in schema versions 10 and earlier used to be on the top level, is now moved to the newos
object:# BEFORE: 'rlimit_nofile': 42 # AFTER: 'os': 'group': '' 'rlimit_nofile': 42 'user': ''
To rollback this change, move the property on the top level and change the
schema_version
back to10
.
Deprecated
- Go 1.16 support. v0.108.0 will require at least Go 1.17 to build.
Fixed
- EDNS0 TCP keepalive option handling (#3778).
- Rules with the
denyallow
modifier applying to IP addresses when they shouldn't (#3175). - The length of the EDNS0 client subnet option appearing too long for some upstream servers (#3887).
- Invalid redirection to the HTTPS web interface after saving enabled encryption settings (#3558).
- Incomplete propagation of the client's IP anonymization setting to the statistics (#3890).
- Incorrect results with the
dnsrewrite
modifier for entries from the operating system's hosts file (#3815). - Matching against rules with
|
at the end of the domain name (#3371). - Incorrect assignment of explicitly configured DHCP options (#3744).
- Occasional panic during shutdown (#3655).
- Addition of IPs into only one as opposed to all matching ipsets on Linux (#3638).
- Removal of temporary filter files (#3567).
- Panic when an upstream server responds with an empty question section (#3551).
- 9GAG blocking (#3564).
- DHCP now follows RFCs more closely when it comes to response sending and option selection (#3443, #3538).
- Occasional panics when reading old statistics databases (#3506).
reload
service action on macOS and FreeBSD (#3457).- Inaccurate using of service actions in the installation script (#3450).
- ClientID checking (#3437).
- Discovering other DHCP servers on
darwin
andfreebsd
(#3417). - Switching listening address to unspecified one when bound to a single specified IPv4 address on Darwin (macOS) (#2807).
- Incomplete HTTP response for static IP address.
- DNSCrypt queries weren't appearing in query log (#3372).
- Wrong IP address for proxied DNS-over-HTTPS queries (#2799).
- Domain name letter case mismatches in DNS rewrites (#3351).
- Conflicts between IPv4 and IPv6 DNS rewrites (#3343).
- Letter case mismatches in
CNAME
filtering (#3335). - Occasional breakages on network errors with DNS-over-HTTP upstreams (#3217).
- Errors when setting static IP on Linux (#3257).
- Treatment of domain names and FQDNs in custom rules with the
dnsrewrite
modifier that use thePTR
type (#3256). - Redundant hostname generating while loading static leases with empty hostname (#3166).
- Domain name case in responses (#3194).
- Custom upstreams selection for clients with ClientIDs in DNS-over-TLS and DNS-over-HTTP (#3186).
- Incorrect client-based filtering applying logic (#2875).
Removed
- Go 1.15 support.
v0.106.3 - 2021-05-19
See also the v0.106.3 GitHub milestone.
Added
- Support for reinstall (
-r
) and uninstall (-u
) flags in the installation script (#2462). - Support for DHCP
DECLINE
andRELEASE
message types (#3053).
Changed
- Add microseconds to log output.
Fixed
- Intermittent "Warning: ID mismatch" errors ([#3087]).
- Error when using installation script on some ARMv7 devices (#2542).
- DHCP leases validation (#3107, #3127).
- Local PTR request recursion in Docker containers (#3064).
- Ignoring client-specific filtering settings when filtering is disabled in general settings (#2875).
- Disallowed domains are now case-insensitive (#3115).
v0.106.2 - 2021-05-06
See also the v0.106.2 GitHub milestone.
Fixed
- Uniqueness validation for dynamic DHCP leases (#3056).
v0.106.1 - 2021-04-30
See also the v0.106.1 GitHub milestone.
Fixed
- Local domain name handling when the DHCP server is disabled (#3028).
- Normalization of previously-saved invalid static DHCP leases (#3027).
- Validation of IPv6 addresses with zones in system resolvers (#3022).
v0.106.0 - 2021-04-28
See also the v0.106.0 GitHub milestone.
Added
- The ability to block user for login after configurable number of unsuccessful attempts for configurable time (#2826).
denyallow
modifier for filters (#2923).- Hostname uniqueness validation in the DHCP server (#2952).
- Hostname generating for DHCP clients which don't provide their own (#2723).
- New flag
--no-etc-hosts
to disable client domain name lookups in the operating system's /etc/hosts files (#1947). - The ability to set up custom upstreams to resolve PTR queries for local addresses and to disable the automatic resolving of clients' addresses (#2704).
- Logging of the client's IP address after failed login attempts (#2824).
- Search by clients' names in the query log (#1273).
- Verbose version output with
-v --version
(#2416). - The ability to set a custom TLD or domain name for known hosts in the local network (#2393, #2961).
- The ability to serve DNS queries on multiple hosts and interfaces (#1401).
ips
andtext
DHCP server options (#2385).SRV
records support in filtering rules with thednsrewrite
modifier (#2533).
Changed
- Our DoQ implementation is now updated to conform to the latest standard draft (#2843).
- Quality of logging (#2954).
- Normalization of hostnames sent by DHCP clients (#2945, #2952).
- The access to the private hosts is now forbidden for users from external networks (#2889).
- The reverse lookup for local addresses is now performed via local resolvers (#2704).
- Stricter validation of the IP addresses of static leases in the DHCP server with regards to the netmask (#2838).
- Stricter validation of
dnsrewrite
filtering rule modifier parameters (#2498). - New, more correct versioning scheme (#2412).
Deprecated
- Go 1.15 support. v0.107.0 will require at least Go 1.16 to build.
Fixed
- Multiple answers for a
dnsrewrite
rule matching requests with repeating patterns in it (#2981). - Root server resolving when custom upstreams for hosts are specified (#2994).
- Inconsistent resolving of DHCP clients when the DHCP server is disabled (#2934).
- Comment handling in clients' custom upstreams (#2947).
- Overwriting of DHCPv4 options when using the HTTP API (#2927).
- Assumption that MAC addresses always have the length of 6 octets (#2828).
- Support for more than one
/24
subnet in DHCP (#2541). - Invalid filenames in the
mobileconfig
API responses (#2835).
Removed
- Go 1.14 support.
v0.105.2 - 2021-03-10
Security
- Session token doesn't contain user's information anymore (#2470).
See also the v0.105.2 GitHub milestone.
Fixed
- Incomplete hostnames with trailing zero-bytes handling (#2582).
- Wrong DNS-over-TLS ALPN configuration (#2681).
- Inconsistent responses for messages with EDNS0 and AD when DNS caching is enabled (#2600).
- Incomplete OpenWrt detection (#2757).
- DHCP lease's
expired
field incorrect time format (#2692). - Incomplete DNS upstreams validation (#2674).
- Wrong parsing of DHCP options of the
ip
type (#2688).
v0.105.1 - 2021-02-15
See also the v0.105.1 GitHub milestone.
Changed
- Increased HTTP API timeouts (#2671, #2682).
- "Permission denied" errors when checking if the machine has a static IP no longer prevent the DHCP server from starting (#2667).
- The server name sent by clients of TLS APIs is not only checked when
strict_sni_check
is enabled (#2664). - HTTP API request body size limit for the
POST /control/access/set
andPOST /control/filtering/set_rules
HTTP APIs is increased (#2666, #2675).
Fixed
- Error when enabling the DHCP server when AdGuard Home couldn't determine if the machine has a static IP.
- Optical issue on custom rules (#2641).
- Occasional crashes during startup.
- The field
"range_start"
in theGET /control/dhcp/status
HTTP API response is now correctly named again (#2678). - DHCPv6 server's
ra_slaac_only
andra_allow_slaac
properties aren't reset tofalse
on update anymore (#2653). - The
Vary
header is now added along withAccess-Control-Allow-Origin
to prevent cache-related and other issues in browsers (#2658). - The request body size limit is now set for HTTPS requests as well.
- Incorrect version tag in the Docker release (#2663).
- DNSCrypt queries weren't marked as such in logs (#2662).
v0.105.0 - 2021-02-10
See also the v0.105.0 GitHub milestone.
Added
- Added more services to the "Blocked services" list (#2224, #2401).
ipset
subdomain matching, just likednsmasq
does (#2179).- ClientID support for DNS-over-HTTPS, DNS-over-QUIC, and DNS-over-TLS (#1383).
- The new
dnsrewrite
modifier for filters (#2102). - The host checking API and the query logs API can now return multiple matched rules (#2102).
- Detecting of network interface configured to have static IP address via
/etc/network/interfaces
(#2302). - DNSCrypt protocol support (#1361).
- A 5 second wait period until a DHCP server's network interface gets an IP address (#2304).
dnstype
modifier for filters (#2337).- HTTP API request body size limit (#2305).
Changed
Access-Control-Allow-Origin
is now only set to the same origin as the domain, but with an HTTP scheme as opposed to*
(#2484).workDir
now supports symlinks.- Stopped mounting together the directories
/opt/adguardhome/conf
and/opt/adguardhome/work
in our Docker images (#2589). - When
dns.bogus_nxdomain
option is used, the server will now transform responses if there is at least one bogus address instead of all of them (#2394). The new behavior is the same as indnsmasq
. - Post-updating relaunch possibility is now determined OS-dependently (#2231, #2391).
- Made the mobileconfig HTTP API more robust and predictable, add parameters and improve error response (#2358).
- Improved HTTP requests handling and timeouts (#2343).
- Our snap package now uses the
core20
image as its base (#2306). - New build system and various internal improvements (#2271, #2276, #2297, #2509, #2552, #2639, #2646).
Deprecated
- Go 1.14 support. v0.106.0 will require at least Go 1.15 to build.
- The
darwin/386
port. It will be removed in v0.106.0. - The
"rule"
and"filter_id"
fields inGET /filtering/check_host
andGET /querylog
responses. They will be removed in v0.106.0 (#2102).
Fixed
- Autoupdate bug in the Darwin (macOS) version (#2630).
- Unnecessary conversions from
string
tonet.IP
, and vice versa (#2508). - Inability to set DNS cache TTL limits (#2459).
- Possible freezes on slower machines (#2225).
- A mitigation against records being shown in the wrong order on the query log page (#2293).
- A JSON parsing error in query log (#2345).
- Incorrect detection of the IPv6 address of an interface as well as another
infinite loop in the
/dhcp/find_active_dhcp
HTTP API (#2355).
Removed
- The undocumented ability to use hostnames as any of
bind_host
values in configuration. Documentation requires them to be valid IP addresses, and now the implementation makes sure that that is the case (#2508). Dockerfile
(#2276). Replaced with the scriptscripts/make/build-docker.sh
which usesscripts/make/Dockerfile
.- Support for pre-v0.99.3 format of query logs (#2102).
v0.104.3 - 2020-11-19
See also the v0.104.3 GitHub milestone.
Fixed
- The accidentally exposed profiler HTTP API (#2336).
v0.104.2 - 2020-11-19
See also the v0.104.2 GitHub milestone.
Added
- This changelog :-) (#2294).
HACKING.md
, a guide for developers.
Changed
- Improved tests output (#2273).
Fixed
- Query logs from file not loading after the ones buffered in memory (#2325).
- Unnecessary errors in query logs when switching between log files (#2324).
404 Not Found
errors on the DHCP settings page on Windows. The page now correctly shows that DHCP is not currently available on that OS (#2295).- Infinite loop in
/dhcp/find_active_dhcp
(#2301).