The summer is finally here 😎. And with it comes a new version of AdGuard Home!
DNS-over-QUIC: RFC 9250
The long-awaited DNS-over-QUIC protocol has finally graduated from a draft to a real standard, RFC 9250. This release adds support for the final version of the standard in a backwards-compatible way; note that the default DoQ port is now 853, as the RFC specifies (see the changelog below).
More Control Over Upstreams
You can now specify an upstream for all subdomains of a domain while excluding the domain itself. For example, if you want queries for `server-1.example.com` to be resolved by the DNS server `1.1.1.1`, but leave `example.com` to be resolved by your default upstream (in this example, `94.140.14.14`), use:

```
94.140.14.14
[/*.example.com/]1.1.1.1
```
Speaking of upstreams: you no longer have to remember the exact IP addresses of plain DNS upstreams. As long as your bootstrap servers can resolve them, you can use the new `udp://` upstream address scheme and have the upstreams' addresses resolved automatically:

```
udp://one.one.one.one # Same as 1.1.1.1.
```

Bear in mind that the upstream's name is then looked up through the bootstrap servers, so those must be as trustworthy as the upstream itself.
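As an added illustration of the two upstream features above (this is example code written for this post, not code from AdGuard Home or dnsproxy), the Go program below parses an upstream list in the `[/domain/]address` syntax and picks the upstream for a query name. A domain written `*.example.com` is treated as subdomains-only, the most specific matching domain wins, and a `udp://hostname` address is kept as an opaque string to be resolved later through the bootstrap servers. The `corp.example` rule and the `ns.corp.example` host are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// upstreamRule models one line of an AdGuard Home upstream list: a bare
// address is a default upstream, "[/dom1/dom2/]address" applies only to the
// listed domains, and "*.example.com" covers subdomains of example.com but
// not example.com itself. Simplified model written for this post; it is not
// AdGuard Home's (or dnsproxy's) own parser.
type upstreamRule struct {
	domains []string // empty for a default upstream
	address string   // "1.1.1.1", "udp://one.one.one.one", "tls://...", ...
}

// parseUpstreams parses upstream lines, skipping blank lines and comments
// (a "#" at the start of the line or preceded by whitespace).
func parseUpstreams(lines []string) ([]upstreamRule, error) {
	var rules []upstreamRule
	for _, raw := range lines {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, " #"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, "[/") {
			rules = append(rules, upstreamRule{address: line})
			continue
		}
		end := strings.Index(line, "/]")
		if end < 0 {
			return nil, fmt.Errorf("malformed upstream rule %q", raw)
		}
		var domains []string
		for _, d := range strings.Split(line[2:end], "/") {
			if d = strings.ToLower(strings.TrimSuffix(d, ".")); d != "" {
				domains = append(domains, d)
			}
		}
		addr := strings.TrimSpace(line[end+2:])
		if len(domains) == 0 || addr == "" {
			return nil, fmt.Errorf("malformed upstream rule %q", raw)
		}
		rules = append(rules, upstreamRule{domains: domains, address: addr})
	}
	return rules, nil
}

// matchLen reports whether pattern applies to qname and how specific the
// match is (the pattern's label count), so the longest pattern can win.
func matchLen(pattern, qname string) (int, bool) {
	labels := strings.Count(pattern, ".") + 1
	if strings.HasPrefix(pattern, "*.") {
		// Subdomains only: "*.example.com" matches "a.example.com" and
		// "b.a.example.com" but never the bare "example.com".
		return labels, strings.HasSuffix(qname, pattern[1:])
	}
	return labels, qname == pattern || strings.HasSuffix(qname, "."+pattern)
}

// selectUpstream picks the upstream for a query name: the most specific
// matching domain rule, otherwise the first default upstream (AdGuard Home
// load-balances across several defaults; this model just takes the first).
func selectUpstream(rules []upstreamRule, qname string) (string, bool) {
	qname = strings.ToLower(strings.TrimSuffix(qname, "."))
	best, bestLen := "", -1
	def, haveDef := "", false
	for _, r := range rules {
		if len(r.domains) == 0 {
			if !haveDef {
				def, haveDef = r.address, true
			}
			continue
		}
		for _, d := range r.domains {
			if n, ok := matchLen(d, qname); ok && n > bestLen {
				best, bestLen = r.address, n
			}
		}
	}
	if bestLen >= 0 {
		return best, true
	}
	return def, haveDef
}

func main() {
	// Constructed list: the post's two lines plus a hypothetical domain-wide
	// rule whose address uses the new udp:// hostname scheme.
	rules, err := parseUpstreams([]string{
		"94.140.14.14",
		"[/*.example.com/]1.1.1.1",
		"[/corp.example/]udp://ns.corp.example # name resolved via bootstrap",
	})
	if err != nil {
		panic(err)
	}
	for _, q := range []string{"server-1.example.com", "example.com", "host.corp.example"} {
		addr, _ := selectUpstream(rules, q)
		fmt.Printf("%-22s -> %s\n", q, addr)
	}
}
```

Running it prints `1.1.1.1` for `server-1.example.com`, `94.140.14.14` for the bare `example.com`, and the `udp://` upstream for `host.corp.example`, which is exactly the split the configuration above describes.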
Other Notable Changes
- Users now have more control over how runtime client information is gathered, including the ability to completely disable this feature.
- The EDNS Client Subnet information from clients' requests is now shown on the Query log page.
- As usual, we keep our toolchain up to date so that our users don't fall prey to known vulnerabilities; this release is built with an updated Go version (see the Security section below).
- There are many more smaller changes and fixes; just look at the full changelog below!
Acknowledgements
A special thanks to our open-source contributor, @Lanius-collaris, as well as to everyone who filed and inspected issues, added translations, and helped us test this release!
Full Changelog
Security
- The Go version was updated to prevent the possibility of exploiting the CVE-2022-29526, CVE-2022-30634, CVE-2022-30629, CVE-2022-30580, and CVE-2022-29804 vulnerabilities.
- A password strength policy is now enforced (#3503).
Added
- Support for the final DNS-over-QUIC standard, RFC 9250 (#4592).
- Support for upstreams that apply to the subdomains of a domain only (#4503).
- The ability to control each source of runtime clients separately via the `clients.runtime_sources` configuration object (#3020).
- The ability to customize the set of networks that are considered private through the new `dns.private_networks` property in the configuration file (#3142).
- EDNS Client-Subnet information in the request details section of a query log record (#3978).
- Support for hostnames for plain UDP upstream servers using the `udp://` scheme (#4166).
- Logs are now collected by default on FreeBSD and OpenBSD when AdGuard Home is installed as a service (#4213).
Changed
- On OpenBSD, the daemon script now uses the recommended `/bin/ksh` shell instead of `/bin/sh` (#4533). To apply this change, back up your data and run `AdGuardHome -s uninstall && AdGuardHome -s install`.
- The default DNS-over-QUIC port number is now `853` instead of `754`, in accordance with RFC 9250 (#4276).
- Reverse DNS now takes priority over the ARP neighborhood as a source of runtime client information.
- Improved detection of runtime clients through more resilient ARP processing (#3597).
- The TTL of responses served from the optimistic cache is now lowered to 10 seconds.
- Domain-specific private reverse DNS upstream servers are now validated to allow only `*.in-addr.arpa` and `*.ip6.arpa` domains pointing to locally-served networks (#3381). Note: if you already have invalid entries in your configuration, consider removing them manually, since they essentially had no effect.
- Response filtering is now performed using the record types of the answer section of messages, as opposed to the type of the question (#4238).
- Instead of adding the build time information, the build scripts now use the standardized environment variable `SOURCE_DATE_EPOCH` to add the date of the commit from which the binary was built (#4221). This should simplify reproducible builds for package maintainers and those who compile their own AdGuard Home.
- The property `local_domain_name` is now in the `dhcp` object in the configuration file to avoid confusion (#3367).
- The `dns.bogus_nxdomain` property in the configuration file now supports CIDR notation alongside IP addresses (#1730).
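To make the private reverse DNS validation above concrete, here is an added Go example (written for this post, not AdGuard Home's own validation code) that turns an `in-addr.arpa` or `ip6.arpa` name into the address range it covers and accepts it only if that whole range lies inside a private network. The `privateNetworks` list is the example's own approximation of the locally-served networks that the `dns.private_networks` property lets you override.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// reverseDomainToPrefix converts a reverse-DNS name into the address range
// it covers: "1.168.192.in-addr.arpa" is 192.168.1.0/24 and
// "8.b.d.0.1.0.0.2.ip6.arpa" is 2001:db8::/32; fewer labels mean a shorter
// prefix. Illustration written for this post, not AdGuard Home's own code.
func reverseDomainToPrefix(domain string) (netip.Prefix, error) {
	d := strings.ToLower(strings.TrimSuffix(domain, "."))
	switch {
	case strings.HasSuffix(d, ".in-addr.arpa"):
		labels := strings.Split(strings.TrimSuffix(d, ".in-addr.arpa"), ".")
		if len(labels) > 4 {
			return netip.Prefix{}, fmt.Errorf("%q: too many labels", domain)
		}
		var b [4]byte
		for i, l := range labels { // least significant octet comes first
			n, err := strconv.Atoi(l)
			if err != nil || n < 0 || n > 255 || strconv.Itoa(n) != l {
				return netip.Prefix{}, fmt.Errorf("%q: bad octet %q", domain, l)
			}
			b[len(labels)-1-i] = byte(n)
		}
		return netip.PrefixFrom(netip.AddrFrom4(b), 8*len(labels)), nil
	case strings.HasSuffix(d, ".ip6.arpa"):
		labels := strings.Split(strings.TrimSuffix(d, ".ip6.arpa"), ".")
		if len(labels) > 32 {
			return netip.Prefix{}, fmt.Errorf("%q: too many labels", domain)
		}
		var b [16]byte
		for i, l := range labels { // one hex nibble per label, reversed
			v, err := strconv.ParseUint(l, 16, 8)
			if err != nil || len(l) != 1 {
				return netip.Prefix{}, fmt.Errorf("%q: bad nibble %q", domain, l)
			}
			pos := len(labels) - 1 - i // nibble position from the left
			b[pos/2] |= byte(v) << (4 * uint(1-pos%2))
		}
		return netip.PrefixFrom(netip.AddrFrom16(b), 4*len(labels)), nil
	}
	return netip.Prefix{}, fmt.Errorf("%q: not an in-addr.arpa or ip6.arpa name", domain)
}

// privateNetworks approximates the locally-served networks of RFC 6303 that
// AdGuard Home treats as private by default; dns.private_networks lets you
// replace that set. This list is the example's own, not the project's.
var privateNetworks = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("169.254.0.0/16"),
	netip.MustParsePrefix("fc00::/7"),
	netip.MustParsePrefix("fe80::/10"),
	netip.MustParsePrefix("::1/128"),
}

// validatePrivateReverseDomain accepts a domain for the private reverse DNS
// upstream list only if it is an in-addr.arpa or ip6.arpa name whose entire
// range lies inside one of the private networks.
func validatePrivateReverseDomain(domain string, nets []netip.Prefix) error {
	p, err := reverseDomainToPrefix(domain)
	if err != nil {
		return err
	}
	for _, n := range nets {
		// p is inside n when n is no longer than p and contains p's base.
		if n.Bits() <= p.Bits() && n.Contains(p.Addr()) {
			return nil
		}
	}
	return fmt.Errorf("%q (%s) is not within a locally-served network", domain, p)
}

func main() {
	for _, d := range []string{
		"1.168.192.in-addr.arpa", "d.f.ip6.arpa", "8.8.in-addr.arpa", "example.com",
	} {
		if err := validatePrivateReverseDomain(d, privateNetworks); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Println("accept:", d)
		}
	}
}
```

The containment check is deliberately strict: `f.ip6.arpa` (`f000::/4`) is rejected even though it overlaps `fc00::/7`, because an entry for a range that is only partly private would send queries for public addresses to a local resolver.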
Configuration Changes
In this release, the schema version has changed from 12 to 14.
- Object `clients`, which in schema versions 13 and earlier was an array of persistent clients, now consists of `persistent` and `runtime_sources` properties:

  ```
  # BEFORE:
  'clients':
  - name: client-name
    # …

  # AFTER:
  'clients':
    'persistent':
    - name: client-name
      # …
    'runtime_sources':
      whois: true
      arp: true
      rdns: true
      dhcp: true
      hosts: true
  ```

  The value of the `clients.runtime_sources.rdns` field is taken from the `dns.resolve_clients` property. To roll back this change, remove the `runtime_sources` property, move the contents of `persistent` into `clients` itself, move the value of `clients.runtime_sources.rdns` into `dns.resolve_clients`, and change `schema_version` back to `13`.

- Property `local_domain_name`, which in schema versions 12 and earlier used to be a part of the `dns` object, is now a part of the `dhcp` object:

  ```
  # BEFORE:
  'dns':
    # …
    'local_domain_name': 'lan'

  # AFTER:
  'dhcp':
    # …
    'local_domain_name': 'lan'
  ```

  To roll back this change, move the property back into the `dns` object and change `schema_version` back to `12`.
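The two schema migrations above, carried out on a config decoded into `map[string]any` (as yaml.v3 would decode AdGuardHome.yaml), as an added Go example written for this post rather than AdGuard Home's own migration code. Assumptions made here: a missing `dns.resolve_clients` leaves `rdns` enabled, the other runtime sources default to `true` as in the AFTER snippet, and `dns.resolve_clients` itself is dropped in schema 14, as the rollback instructions imply.

```go
package main

import "fmt"

// These functions model the 12 -> 13 -> 14 schema migrations on a config
// decoded into map[string]any. They are this post's own illustration and not
// AdGuard Home's migration code.

func schemaVersion(cfg map[string]any) int {
	v, _ := cfg["schema_version"].(int)
	return v
}

// subMap returns cfg[key] as an object, creating it when absent.
func subMap(cfg map[string]any, key string) map[string]any {
	m, ok := cfg[key].(map[string]any)
	if !ok {
		m = map[string]any{}
		cfg[key] = m
	}
	return m
}

// upgrade12to13 moves local_domain_name from the dns object to the dhcp object.
func upgrade12to13(cfg map[string]any) error {
	if v := schemaVersion(cfg); v != 12 {
		return fmt.Errorf("upgrade12to13: schema_version is %d, want 12", v)
	}
	dns, dhcp := subMap(cfg, "dns"), subMap(cfg, "dhcp")
	if name, ok := dns["local_domain_name"]; ok {
		dhcp["local_domain_name"] = name
		delete(dns, "local_domain_name")
	}
	cfg["schema_version"] = 13
	return nil
}

// upgrade13to14 wraps the clients array in an object with persistent and
// runtime_sources, taking runtime_sources.rdns from dns.resolve_clients.
// Assumption: a missing dns.resolve_clients keeps rdns on, and the other
// sources default to true as in the post's AFTER snippet.
func upgrade13to14(cfg map[string]any) error {
	if v := schemaVersion(cfg); v != 13 {
		return fmt.Errorf("upgrade13to14: schema_version is %d, want 13", v)
	}
	persistent, _ := cfg["clients"].([]any)
	if persistent == nil {
		persistent = []any{}
	}
	dns := subMap(cfg, "dns")
	rdns := true
	if v, ok := dns["resolve_clients"].(bool); ok {
		rdns = v
	}
	delete(dns, "resolve_clients") // assumed gone in schema 14 (see rollback)
	cfg["clients"] = map[string]any{
		"persistent": persistent,
		"runtime_sources": map[string]any{
			"whois": true, "arp": true, "rdns": rdns, "dhcp": true, "hosts": true,
		},
	}
	cfg["schema_version"] = 14
	return nil
}

// rollback14to13 is the manual rollback the post describes: drop
// runtime_sources, put persistent back as the clients array, and restore
// dns.resolve_clients from runtime_sources.rdns.
func rollback14to13(cfg map[string]any) error {
	if v := schemaVersion(cfg); v != 14 {
		return fmt.Errorf("rollback14to13: schema_version is %d, want 14", v)
	}
	clients, _ := cfg["clients"].(map[string]any)
	sources, _ := clients["runtime_sources"].(map[string]any)
	if rdns, ok := sources["rdns"].(bool); ok {
		subMap(cfg, "dns")["resolve_clients"] = rdns
	}
	persistent, _ := clients["persistent"].([]any)
	if persistent == nil {
		persistent = []any{}
	}
	cfg["clients"] = persistent
	cfg["schema_version"] = 13
	return nil
}

func main() {
	// Constructed schema-12 config with just the fields the migrations touch.
	cfg := map[string]any{
		"schema_version": 12,
		"dns":            map[string]any{"local_domain_name": "lan", "resolve_clients": false},
		"clients":        []any{map[string]any{"name": "client-name"}},
	}
	for _, step := range []func(map[string]any) error{upgrade12to13, upgrade13to14} {
		if err := step(cfg); err != nil {
			panic(err)
		}
	}
	fmt.Printf("schema %d: %v\n", schemaVersion(cfg), cfg)
}
```

Each step checks the version it starts from, so running an upgrade twice or rolling back a config that was never upgraded fails loudly instead of silently rewriting the wrong keys.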
Deprecated
- The `--no-etc-hosts` option. Its functionality is now controlled by the `clients.runtime_sources.hosts` configuration property. v0.109.0 will remove the flag completely.
Fixed
- Query log occasionally going into an infinite loop (#4591).
- Service startup on boot on systems using SysV-init (#4480).
- Detection of the stopped service status on macOS and Linux (#4273).
- Case-sensitive ClientID (#4542).
- Slow version update queries making other HTTP APIs unresponsive (#4499).
- ARP tables refreshing process causing excessive PTR requests (#3157).