AdguardTeam/AdGuardHome v0.107.0

AdGuard Home v0.107.0

on GitHub

We've had some big AdGuard Home updates in the past, but this one is to top them all. It's been brewing for almost eight months! 🙀 So no wonder there's heaps upon heaps of new features, improvements, bugfixes, and other changes. We'd better start listing them ASAP, or else we'll be risking missing the New Year's fireworks 🎆 🥂

Native Apple Silicon support

There's no shortage of killer features in this changelog, but this one takes the cake as the biggest of them all, without any doubt. You won't have to resort to Rosetta or any such solutions anymore if you want to configure AdGuard Home on a Mac with a Silicon chip.

RFC 9000 support In DNS-over-QUIC

It's not quite over nine thousand, but it'll do. The IETF has formalized QUIC this year with RFC 9000, and DNS-over-QUIC protocol finally supports it. If you haven't tried DoQ yet, consider this a sign.

$dnsrewrite rules and other DNS rewrites will now be applied even when protection is disabled (#1558)

Another popular demand. This change only makes sense, as DNS rewrites often carry a different purpose than simply blocking ads or trackers. You still can disable them by opening the admin panel, going to Settings → General settings, and removing the check mark from the Block domains using filters and hosts files box.

Note: rules contained in system hosts files (e.g. /etc/hosts) now have higher priority. This may result in more rewrites appearing in your Query log. If some of these rewrites are invalid, remove the corresponding lines from your hosts files or comment them out.

DNS-over-HTTPS queries now use the real IP address of the client instead of the address of the proxy (#2799)

Note that this change concerns only those proxies that you've added to the list of "Trusted proxies", otherwise it would be a major security risk. We wouldn't want anything of that sort to happen to you! 🙅‍♀️ Right now trusted_proxies can only be configured in AdGuardHome.yaml, but that might change in the future.

Optimistic DNS cache (#2145)

To reduce latency you may make AdGuard Home respond from the cache even when the stored entry is expired, while trying to refresh them at the same time🔄 This checkbox is located in Settings → DNS settings → DNS cache configuration and it's not ticked by default. Responses made from DNS cache are marked with a special label in the Query log.

Query log search now supports internationalized domains (#3012)

Internationalized domain names (IDNAs) are domain names that contain symbols in non-Latin script/alphabet, such as яндекс.рф or ουτοπία.δπθ.gr, for example. Previously, they were being converted to Unicode in AG Home Query log (xn--d1abqjx3f.xn--p1ai and xn--kxae4bafwg.xn--pxaix.gr in our examples), which is a detriment in most cases. Now IDNAs are displayed as is, and you can search for them without resorting to Unicode.

Acknowledgements

A special thanks to our open-source contributors: @Aikatsui, @anbraten, @bruvv, @DandelionSprout, @fvdm, @hnefatl, @markhicken, @p27877, and @systemcrash, as well as to everyone who filed and inspected issues, added translations, and helped us test this release! 🙏

Full Changelog

Added

• Upstream server information for responses from cache (#3772). Note that old log entries concerning cached responses won't include that information.
• Finnish and Ukrainian translations.
• Setting the timeout for IP address pinging in the "Fastest IP address" mode through the new fastest_timeout field in the configuration file (#1992).
• Static IP address detection on FreeBSD (#3289).
• Optimistic cache (#2145).
• New possible value of 6h for querylog_interval setting (#2504).
• Blocking access using client IDs (#2624, #3162).
• source directives support in /etc/network/interfaces on Linux (#3257).
• RFC 9000 support in DNS-over-QUIC.
• Completely disabling statistics by setting the statistics interval to zero (#2141).
• The ability to completely purge DHCP leases (#1691).
• Settable timeouts for querying the upstream servers (#2280).
• Configuration file parameters to change group and user ID on startup on Unix (#2763).
• Experimental OpenBSD support for AMD64 and 64-bit ARM CPUs (#2439, #3225, #3226).
• Support for custom port in DNS-over-HTTPS profiles for Apple's devices (#3172).
• darwin/arm64 support (#2443).
• freebsd/arm64 support (#2441).
• Output of the default addresses of the upstreams used for resolving PTRs for private addresses (#3136).
• Detection and handling of recurrent PTR requests for locally-served addresses (#3185).
• The ability to completely disable reverse DNS resolving of IPs from locally-served networks (#3184).
• New flag --local-frontend to serve dynamically changeable frontend files
  from disk as opposed to the ones that were compiled into the binary.

Changed

• Port bindings are now checked for uniqueness (#3835).
• The DNSSEC check now simply checks against the AD flag in the response (#3904).
• Client objects in the configuration file are now sorted (#3933).
• Responses from cache are now labeled (#3772).
• Better error message for ED25519 private keys, which are not widely supported (#3737).
• Cache now follows RFC more closely for negative answers (#3707).
• $dnsrewrite rules and other DNS rewrites will now be applied even when the protection is disabled (#1558).
• DHCP gateway address, subnet mask, IP address range, and leases validations (#3529).
• The systemd service script will now create the /var/log directory when it doesn't exist (#3579).
• Items in allowed clients, disallowed clients, and blocked hosts lists are now required to be unique (#3419).
• The TLS private key previously saved as a string isn't shown in API responses anymore (#1898).
• Better OpenWrt detection (#3435).
• DNS-over-HTTPS queries that come from HTTP proxies in the trusted_proxies list now use the real IP address of the client instead of the address of the proxy (#2799).
• Clients who are blocked by access settings now receive a REFUSED response when a protocol other than DNS-over-UDP and DNSCrypt is used.
• querylog_interval setting is now formatted in hours.
• Query log search now supports internationalized domains (#3012).
• Internationalized domains are now shown decoded in the query log with the original encoded version shown in request details (#3013).
• When /etc/hosts-type rules have several IPs for one host, all IPs are now returned instead of only the first one (#1381).
• The setting rlimit_nofile is now in the os block of the configuration file, together with the new group and user settings (#2763).
• Permissions on filter files are now 0o644 instead of 0o600 (#3198).

Configuration Changes

In this release, the schema version has changed from 10 to 12.

• Parameter dns.querylog_interval, which in schema versions 11 and earlier used to be an integer number of days, is now a string with a human-readable duration:

# BEFORE:
'dns':
    # …
    'querylog_interval': 90

# AFTER:
'dns':
    # …
    'querylog_interval': '2160h'

To rollback this change, convert the parameter back into days and change the schema_version back to 11.

• Parameter rlimit_nofile, which in schema versions 10 and earlier used to be on the top level, is now moved to the new os object:

# BEFORE:
'rlimit_nofile': 42

# AFTER:
'os':
    'group': ''
    'rlimit_nofile': 42
    'user': ''

To rollback this change, move the parameter on the top level and change the schema_version back to 10.

Deprecated

• Go 1.16 support. v0.108.0 will require at least Go 1.17 to build.

Fixed

• EDNS0 TCP keepalive option handling (#3778).
• Rules with the $denyallow modifier applying to IP addresses when they shouldn't (#3175).
• The length of the EDNS0 client subnet option appearing too long for some upstream servers (#3887).
• Invalid redirection to the HTTPS web interface after saving enabled encryption settings (#3558).
• Incomplete propagation of the client's IP anonymization setting to the statistics (#3890).
• Incorrect $dnsrewrite results for entries from the operating system's hosts file (#3815).
• Matching against rules with | at the end of the domain name (#3371).
• Incorrect assignment of explicitly configured DHCP options (#3744).
• Occasional panic during shutdown (#3655).
• Addition of IPs into only one as opposed to all matching ipsets on Linux (#3638).
• Removal of temporary filter files (#3567).
• Panic when an upstream server responds with an empty question section (#3551).
• 9GAG blocking (#3564).
• DHCP now follows RFCs more closely when it comes to response sending and option selection (#3443, #3538).
• Occasional panics when reading old statistics databases (#3506).
• reload service action on macOS and FreeBSD (#3457).
• Inaccurate using of service actions in the installation script (#3450).
• Client ID checking (#3437).
• Discovering other DHCP servers on darwin and freebsd (#3417).
• Switching listening address to unspecified one when bound to a single specified IPv4 address on Darwin (macOS) (#2807).
• Incomplete HTTP response for static IP address.
• DNSCrypt queries weren't appearing in query log (#3372).
• Wrong IP address for proxied DNS-over-HTTPS queries (#2799).
• Domain name letter case mismatches in DNS rewrites (#3351).
• Conflicts between IPv4 and IPv6 DNS rewrites (#3343).
• Letter case mismatches in CNAME filtering (#3335).
• Occasional breakages on network errors with DNS-over-HTTP upstreams (#3217).
• Errors when setting static IP on Linux (#3257).
• Treatment of domain names and FQDNs in custom rules with $dnsrewrite that use the PTR type (#3256).
• Redundant hostname generating while loading static leases with empty hostname (#3166).
• Domain name case in responses (#3194).
• Custom upstreams selection for clients with client IDs in DNS-over-TLS and DNS-over-HTTP (#3186).
• Incorrect client-based filtering applying logic (#2875).

Removed

• Go 1.15 support.