github AdguardTeam/AdGuardHome v0.107.7
AdGuard Home v0.107.7


The summer is finally here 😎. And with it comes a new version of AdGuard Home!

DNS-over-QUIC: RFC 9250

The long-awaited DNS-over-QUIC protocol has finally graduated from a draft to being a real standard, RFC 9250. In this release, we add support for the final version of the standard in a backwards-compatible way.

More Control Over Upstreams

You can now specify an upstream for all subdomains of a domain while excluding the domain itself. For example, if you want queries for server-1.example.com to be resolved by DNS server 1.1.1.1, but leave example.com to be resolved by your default upstream (in this example, 94.140.14.14), use:

94.140.14.14
[/*.example.com/]1.1.1.1
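
The matching rule described above, as an added example in Go (a simplified sketch, not AdGuard Home's own code). `parseUpstreams` and `selectUpstream` are hypothetical names, and the sketch assumes that a pattern without `*.` covers the domain and its subdomains and that the longest matching rule wins:

```go
package main

import (
	"fmt"
	"strings"
)

// rule is one domain-specific upstream line such as "[/*.example.com/]1.1.1.1".
type rule struct {
	domain   string // pattern without the "*." prefix, lower-cased
	subOnly  bool   // pattern was "*.domain": subdomains only
	upstream string
}

// parseUpstreams splits config lines into the default upstream and the rules.
func parseUpstreams(lines []string) (def string, rules []rule) {
	for _, l := range lines {
		l = strings.TrimSpace(l)
		if !strings.HasPrefix(l, "[/") {
			def = l
			continue
		}
		if pat, up, ok := strings.Cut(l[2:], "/]"); ok { // malformed lines are skipped
			pat = strings.ToLower(pat)
			rules = append(rules, rule{strings.TrimPrefix(pat, "*."), strings.HasPrefix(pat, "*."), up})
		}
	}
	return def, rules
}

// selectUpstream returns the upstream of the longest matching rule, or def.
// Matching is on label boundaries, so notexample.com never matches.
func selectUpstream(host, def string, rules []rule) string {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	best, bestLen := def, -1
	for _, r := range rules {
		sub := strings.HasSuffix(host, "."+r.domain)
		if (sub || host == r.domain && !r.subOnly) && len(r.domain) > bestLen {
			best, bestLen = r.upstream, len(r.domain)
		}
	}
	return best
}

func main() {
	def, rules := parseUpstreams([]string{"94.140.14.14", "[/*.example.com/]1.1.1.1"})
	fmt.Println(selectUpstream("server-1.example.com", def, rules), selectUpstream("example.com", def, rules))
}
```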

Speaking of upstreams. Now you don't have to remember precise IP addresses of plain DNS upstreams. As long as your bootstrap servers can resolve them, you can use the new udp:// upstream address scheme to resolve upstreams' addresses automatically:

udp://one.one.one.one # Same as 1.1.1.1.

Other Notable Changes

  • Users now have more control over how runtime client information is gathered, including the ability to completely disable this feature.

  • The EDNS Client Subnet information from clients' requests is now shown on the Query log page.

  • As usual, we strive to keep our tools up-to-date in order to make sure that our users don't fall prey to vulnerabilities.

  • There are many more smaller changes and fixes; just look at the full changelog below!

Acknowledgements

A special thanks to our open-source contributor, @Lanius-collaris, as well as to everyone who filed and inspected issues, added translations, and helped us test this release!

Full Changelog

Security

Added

  • Support for the final DNS-over-QUIC standard, RFC 9250 (#4592).

  • Support upstreams for subdomains of a domain only (#4503).

  • The ability to control each source of runtime clients separately via clients.runtime_sources configuration object (#3020).

  • The ability to customize the set of networks that are considered private through the new dns.private_networks property in the configuration file (#3142).

  • EDNS Client-Subnet information in the request details section of a query log record (#3978).

  • Support for hostnames for plain UDP upstream servers using the udp:// scheme (#4166).

  • Logs are now collected by default on FreeBSD and OpenBSD when AdGuard Home is installed as a service (#4213).

Changed

  • On OpenBSD, the daemon script now uses the recommended /bin/ksh shell instead of the /bin/sh one (#4533). To apply this change, back up your data and run AdGuardHome -s uninstall && AdGuardHome -s install.

  • The default DNS-over-QUIC port number is now 853 instead of 754 in accordance with RFC 9250 (#4276).

  • Reverse DNS now has a greater priority as the source of runtime clients' information than ARP neighborhood.

  • Improved detection of runtime clients through more resilient ARP processing (#3597).

  • The TTL of responses served from the optimistic cache is now lowered to 10 seconds.

  • Domain-specific private reverse DNS upstream servers are now validated to allow only *.in-addr.arpa and *.ip6.arpa domains pointing to locally-served networks (#3381). Note: If you already have invalid entries in your configuration, consider removing them manually, since they essentially had no effect.

  • Response filtering is now performed using the record types of the answer section of messages as opposed to the type of the question (#4238).

  • Instead of adding the build time information, the build scripts now use the standardized environment variable SOURCE_DATE_EPOCH to add the date of the commit from which the binary was built (#4221). This should simplify reproducible builds for package maintainers and those who compile their own AdGuard Home.

  • The property local_domain_name is now in the dhcp object in the configuration file to avoid confusion (#3367).

  • The dns.bogus_nxdomain property in the configuration file now supports CIDR notation alongside IP addresses (#1730).

Configuration Changes

In this release, the schema version has changed from 12 to 14.

  • Object clients, which in schema versions 13 and earlier was an array of actual persistent clients, now consists of persistent and runtime_sources properties:

    # BEFORE:
    'clients':
    - name: client-name
      #
    
    # AFTER:
    'clients':
      'persistent':
        - name: client-name
          #
      'runtime_sources':
        whois: true
        arp: true
        rdns: true
        dhcp: true
        hosts: true

    The value of the clients.runtime_sources.rdns field is taken from the dns.resolve_clients property. To roll back this change, remove the runtime_sources property, move the contents of persistent into clients itself, move the value of clients.runtime_sources.rdns into dns.resolve_clients, and change the schema_version back to 13.

  • Property local_domain_name, which in schema versions 12 and earlier used to be a part of the dns object, is now a part of the dhcp object:

    # BEFORE:
    'dns':
      #
      'local_domain_name': 'lan'
    
    # AFTER:
    'dhcp':
      #
      'local_domain_name': 'lan'

    To roll back this change, move the property back into the dns object and change the schema_version back to 12.
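
The two rollback procedures above, carried out on an already decoded configuration, as an added example in Go that is not part of AdGuard Home. `rollbackTo12`, `sampleConf` and the `obj` alias are hypothetical, and the YAML decoder is assumed to yield `map[string]any` with an integer `schema_version`; the function also reports which disabled runtime sources the rollback steps do not carry over:

```go
package main

import (
	"errors"
	"fmt"
)

type obj = map[string]any

// rollbackTo12 applies both rollback procedures in place: 14 -> 13 (clients)
// and 13 -> 12 (local_domain_name). It returns the runtime sources that were
// disabled and that the rollback steps do not carry over; only rdns does.
func rollbackTo12(conf obj) (dropped []string, err error) {
	if v, _ := conf["schema_version"].(int); v != 14 {
		return nil, errors.New("expected schema_version 14")
	}
	clients, ok1 := conf["clients"].(obj)
	dns, ok2 := conf["dns"].(obj)
	dhcp, ok3 := conf["dhcp"].(obj)
	if !ok1 || !ok2 || !ok3 {
		return nil, errors.New("clients, dns and dhcp must be objects")
	}
	src, _ := clients["runtime_sources"].(obj)
	if on, ok := src["rdns"].(bool); ok {
		dns["resolve_clients"] = on
	}
	for _, name := range []string{"whois", "arp", "dhcp", "hosts"} {
		if on, ok := src[name].(bool); ok && !on {
			dropped = append(dropped, name)
		}
	}
	conf["clients"] = clients["persistent"] // back to a plain array
	if v, ok := dhcp["local_domain_name"]; ok {
		dns["local_domain_name"] = v
		delete(dhcp, "local_domain_name")
	}
	conf["schema_version"] = 12
	return dropped, nil
}

// sampleConf is a constructed schema-14 configuration, already decoded.
func sampleConf() obj {
	return obj{"schema_version": 14, "dns": obj{}, "dhcp": obj{"local_domain_name": "lan"},
		"clients": obj{"persistent": []any{obj{"name": "client-name"}}, "runtime_sources": obj{
			"whois": false, "arp": true, "rdns": true, "dhcp": true, "hosts": false}}}
}

func main() { fmt.Println(rollbackTo12(sampleConf())) }
```

Only `rdns` has a counterpart in the rollback steps, so any source reported as dropped needs a separate look after rolling back; for `hosts`, the Deprecated section names the `--no-etc-hosts` option.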

Deprecated

  • The --no-etc-hosts option. Its functionality is now controlled by clients.runtime_sources.hosts configuration property. v0.109.0 will remove the flag completely.

Fixed

  • Query log occasionally going into an infinite loop (#4591).

  • Service startup on boot on systems using SysV-init (#4480).

  • Detection of the stopped service status on macOS and Linux (#4273).

  • Case-sensitive ClientID (#4542).

  • Slow version update queries making other HTTP APIs unresponsive (#4499).

  • ARP tables refreshing process causing excessive PTR requests (#3157).
