We took our sweet time with this update, but you'll most certainly find it to be worth the wait. The changelog contains three absolute 💥bangers and a laundry list of lesser changes.
🕵️♂️ Client ID support for DNS-over-HTTPS, DNS-over-QUIC, and DNS-over-TLS (#1387)
This feature would be really useful to those of you who run an encrypted DNS resolver on a public server. In short, you can now identify your devices not just by their IP address (which is, frankly, not too useful in a public server scenario 🤷♀️), but by using a special "Client ID".
Here's how it works:
- First, you add a client and specify an arbitrary string as its "Identifier", for instance, `my-iphone`.
- On the client device you can now configure:
  - DNS-over-HTTPS: `https://example.org/dns-query/my-iphone`
  - DNS-over-TLS: `tls://my-iphone.example.org` (requires a Wildcard certificate)
  - DNS-over-QUIC: `quic://my-iphone.example.org` (requires a Wildcard certificate)
- Queries and stats are now properly attributed to your device.
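How a resolver can recover the Client ID from the two address forms above, as an added Go example that is not AdGuard Home's own code. The function names and the validation rule are assumptions of this example; multi-label prefixes are rejected because a wildcard certificate covers only a single label.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// labelRe accepts a single DNS label. Applying it to the DoH path form too is
// an assumption of this example, not a rule taken from AdGuard Home.
var labelRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// clientIDFromPath handles DoH URLs of the form /dns-query/<id>.
// An empty result with a nil error means "no Client ID given".
func clientIDFromPath(path string) (string, error) {
	const base = "/dns-query"
	if path != base && !strings.HasPrefix(path, base+"/") {
		return "", fmt.Errorf("%q is not a dns-query path", path)
	}
	id := strings.ToLower(strings.Trim(path[len(base):], "/"))
	if id != "" && !labelRe.MatchString(id) { // also rejects extra segments
		return "", fmt.Errorf("invalid client id %q", id)
	}
	return id, nil
}

// clientIDFromSNI handles DoT/DoQ, where the TLS server name is <id>.<serverName>.
// A prefix such as a.b is rejected: *.example.org matches one label only.
func clientIDFromSNI(sni, serverName string) (string, error) {
	sni = strings.ToLower(strings.TrimSuffix(sni, "."))
	serverName = strings.ToLower(serverName)
	if sni == serverName {
		return "", nil // plain server name, no Client ID
	}
	id := strings.TrimSuffix(sni, "."+serverName)
	if id == sni {
		return "", fmt.Errorf("SNI %q is outside %q", sni, serverName)
	}
	if !labelRe.MatchString(id) {
		return "", fmt.Errorf("invalid client id %q", id)
	}
	return id, nil
}

func main() {
	// Constructed inputs built from the page's my-iphone / example.org names.
	fmt.Println(clientIDFromPath("/dns-query/my-iphone"))
	fmt.Println(clientIDFromSNI("my-iphone.example.org", "example.org"))
	fmt.Println(clientIDFromSNI("a.b.example.org", "example.org"))
}
```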
🔐 AdGuard as a DNSCrypt-resolver (#1361)
DNSCrypt was the very first DNS encryption protocol that got some traction. It may not be as popular as DoH/DoT/DoQ now, but it is still viable. Moreover, performance-wise DNSCrypt is better than any of them. And now that v0.105.0 is out, AdGuard Home can be configured to work as a DNSCrypt resolver!
However, here goes the tricky part. We haven't yet exposed these settings to the Web admin panel, so if you want to have DNSCrypt, you'll need to follow this instruction and do it by editing the configuration file (`AdGuardHome.yaml`). Not that it would scare you off, would it? 🤓
Regarding DNSCrypt clients: AdGuard for Android, Windows and iOS support it, and Mac will get its support pretty soon. Besides that, here is a long list of client software that supports it as well.
🆎 `$dnsrewrite` and `$dnstype` modifiers (#2102 #2337)
AdGuard Home now supports two more powerful rule modifiers that will help blocklists' maintainers.
- `$dnstype` lets you narrow down the rule scope and apply it only to queries of a specific type or types. For instance, Apple devices now support the `HTTPS` DNS query type. While being generally a good thing, this new type may sometimes be harmful 😲. By using `$dnstype` you can block it completely using a simple rule like this: `$dnstype=HTTPS`
- `$dnsrewrite` is another powerful modifier that allows you to modify DNS responses. Note that this modifier is much more powerful compared to something like a hosts file. Here are some examples:
  - `||example.org^$dnsrewrite=SERVFAIL;;` - return `SERVFAIL` for `example.org` and all its subdomains
  - `|test.example.org^$dnsrewrite=NOERROR;TXT;hello_world` - add a `TXT` record for `test.example.org`
  - `|example.org^$dnsrewrite=example.com` - redirect `example.org` to `example.com`
  - `|example.org^$dnsrewrite=1.1.1.1` - redirect `example.org` to `1.1.1.1`
- You can find more examples in the documentation.
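A parser for the `$dnsrewrite` forms listed above, as an added Go example that is not AdGuard Home's own code. `Rewrite` and `parseRule` are hypothetical names, and reading a bare IP as an A/AAAA answer and a bare name as a CNAME is this example's interpretation of the "redirect" shorthand; rules that combine several modifiers are not handled.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Rewrite is this example's own (hypothetical) result type.
type Rewrite struct{ RCode, RRType, Value string }

var rcodes = map[string]bool{"NOERROR": true, "NXDOMAIN": true, "SERVFAIL": true, "REFUSED": true}

// parseRule splits a rule into its pattern and its $dnsrewrite value.
// The full form is RCODE;RRTYPE;VALUE; shorthand forms are expanded.
func parseRule(line string) (pattern string, rw Rewrite, err error) {
	const mod = "$dnsrewrite="
	i := strings.Index(line, mod)
	if i < 0 {
		return "", rw, fmt.Errorf("no $dnsrewrite modifier in %q", line)
	}
	pattern, v := line[:i], line[i+len(mod):]
	switch ip := net.ParseIP(v); {
	case strings.Contains(v, ";"):
		p := strings.SplitN(v, ";", 3)
		if len(p) != 3 || !rcodes[p[0]] {
			return "", rw, fmt.Errorf("want RCODE;RRTYPE;VALUE, got %q", v)
		}
		rw = Rewrite{p[0], p[1], p[2]}
	case rcodes[v]: // bare response code
		rw = Rewrite{RCode: v}
	case ip != nil && ip.To4() != nil:
		rw = Rewrite{"NOERROR", "A", v}
	case ip != nil:
		rw = Rewrite{"NOERROR", "AAAA", v}
	case v != "": // bare host name
		rw = Rewrite{"NOERROR", "CNAME", v}
	default:
		return "", rw, fmt.Errorf("empty $dnsrewrite value")
	}
	return pattern, rw, nil
}

func main() {
	// Two of the rules shown on the page.
	fmt.Println(parseRule("|test.example.org^$dnsrewrite=NOERROR;TXT;hello_world"))
	fmt.Println(parseRule("|example.org^$dnsrewrite=1.1.1.1"))
}
```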
Added
- Added more services to the "Blocked services" list (#2224, #2401).
- `ipset` subdomain matching, just like `dnsmasq` does (#2179).
- The host checking API and the query logs API can now return multiple matched rules (#2102).
- Detecting of network interface configured to have static IP address via `/etc/network/interfaces` (#2302).
- A 5 second wait period until a DHCP server's network interface gets an IP address (#2304).
- HTTP API request body size limit (#2305).
Changed
- `Access-Control-Allow-Origin` is now only set to the same origin as the domain, but with an HTTP scheme as opposed to `*` (#2484).
- `workDir` now supports symlinks.
- Stopped mounting together the directories `/opt/adguardhome/conf` and `/opt/adguardhome/work` in our Docker images (#2589).
- When `dns.bogus_nxdomain` option is used, the server will now transform responses if there is at least one bogus address instead of all of them (#2394). The new behavior is the same as in `dnsmasq`.
- Post-updating relaunch possibility is now determined OS-dependently (#2231, #2391).
- Made the mobileconfig HTTP API more robust and predictable, add parameters and improve error response (#2358).
- Improved HTTP requests handling and timeouts (#2343).
- Our snap package now uses the `core20` image as its base (#2306).
- New build system and various internal improvements (#2271, #2276, #2297, #2509, #2552, #2639, #2646).
Deprecated
- Go 1.14 support. v0.106.0 will require at least Go 1.15 to build.
- The `darwin/386` port. It will be removed in v0.106.0.
- The `"rule"` and `"filter_id"` fields in `GET /filtering/check_host` and `GET /querylog` responses. They will be removed in v0.106.0 (#2102).
Fixed
- Autoupdate bug in the Darwin (macOS) version (#2630).
- Unnecessary conversions from `string` to `net.IP`, and vice versa (#2508).
- Inability to set DNS cache TTL limits (#2459).
- Possible freezes on slower machines (#2225).
- A mitigation against records being shown in the wrong order on the query log page (#2293).
- A JSON parsing error in query log (#2345).
- Incorrect detection of the IPv6 address of an interface as well as another infinite loop in the `/dhcp/find_active_dhcp` HTTP API (#2355).
Removed
- The undocumented ability to use hostnames as any of `bind_host` values in the configuration. Documentation requires them to be valid IP addresses, and now the implementation makes sure that that is the case (#2508).
- `Dockerfile` (#2276). Replaced with the script `scripts/make/build-docker.sh` which uses `scripts/make/Dockerfile`.
- Support for pre-v0.99.3 format of query logs (#2102).