Minor Release
This contains new features, significant performance improvements, and bug fixes.
Security
- Upgraded quic-go to v0.59.1 to address CVE-2026-40898
- Rejected oversized upstream DNS responses on the DoH, DoH3, and DoQ paths. These previously called `io.ReadAll` on attacker-controlled responses before enforcing any protocol-level limit, allowing a malicious or compromised upstream to force unbounded buffering. Bodies are now capped at `dns.MaxMsgSize` (and non-200 DoH error bodies are bounded as well)
- Validated DNS-over-QUIC response framing (RFC 9250). The resolver previously assumed at least two bytes were present and could panic on truncated or malicious replies; the length prefix is now validated, and framing failures retire the connection from the pool
- Rate-limited PIN attempts on the control socket as defense in depth against brute force if an attacker gains access to the socket
- Switched temp file creation to `os.CreateTemp` for symlink-safe writes, preventing symlink attacks on systems without `fs.protected_symlinks` (e.g. embedded routers)
- Switched `internal/router/dnsmasq` to `text/template` instead of `html/template`, since the generated config is plain text
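The two upstream-response fixes above come down to the same rule: never trust a peer-supplied length, and never read more than the protocol allows. The following is an added example (not the project's code) of how a DoQ reader can validate the RFC 9250 two-octet length prefix without panicking on short input, and how a DoH/DoH3 body read can be bounded instead of using `io.ReadAll`. It uses only the standard library; `maxMsgSize` is assumed to mirror `dns.MaxMsgSize` from miekg/dns (65535), and the function names, error values and the sample DNS header are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// maxMsgSize mirrors dns.MaxMsgSize from github.com/miekg/dns (65535, the
// largest value a 16-bit length field can carry). Assumed here so the example
// needs only the standard library.
const maxMsgSize = 65535

var (
	ErrShortFrame   = errors.New("doq: fewer than 2 length-prefix bytes on stream")
	ErrZeroLength   = errors.New("doq: zero-length DNS message")
	ErrTruncated    = errors.New("doq: stream ended before declared length")
	ErrBodyTooLarge = errors.New("upstream response exceeds maxMsgSize")
)

// ReadDoQResponse reads one RFC 9250 framed DNS message: a 2-octet big-endian
// length followed by exactly that many bytes. Every malformed case returns an
// error (so the caller can retire the connection) instead of panicking, and
// nothing is buffered beyond the declared, bounded length.
func ReadDoQResponse(r io.Reader) ([]byte, error) {
	var hdr [2]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		// io.EOF or io.ErrUnexpectedEOF: fewer than the two bytes the
		// length prefix requires.
		return nil, ErrShortFrame
	}
	n := int(binary.BigEndian.Uint16(hdr[:]))
	if n == 0 {
		return nil, ErrZeroLength
	}
	// A uint16 can never exceed 65535, but keep the explicit check so the
	// bound still holds if maxMsgSize is ever lowered.
	if n > maxMsgSize {
		return nil, ErrBodyTooLarge
	}
	msg := make([]byte, n)
	if _, err := io.ReadFull(r, msg); err != nil {
		return nil, ErrTruncated
	}
	return msg, nil
}

// ReadBoundedBody replaces io.ReadAll for DoH/DoH3 bodies. It reads at most
// limit bytes and reports an error if the upstream sent more, rather than
// buffering an arbitrarily large body chosen by the peer.
func ReadBoundedBody(r io.Reader, limit int64) ([]byte, error) {
	// Read one byte past the limit: if that byte arrives, the body is too big.
	buf, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > limit {
		return nil, ErrBodyTooLarge
	}
	return buf, nil
}

// frame prepends the RFC 9250 length prefix to a DNS message (used to build
// the constructed inputs below).
func frame(msg []byte) []byte {
	out := make([]byte, 2+len(msg))
	binary.BigEndian.PutUint16(out, uint16(len(msg)))
	copy(out[2:], msg)
	return out
}

func main() {
	// Constructed sample: a 12-byte DNS header (ID 0x1234, QR and RD set, no records).
	hdr := []byte{0x12, 0x34, 0x81, 0x00, 0, 0, 0, 0, 0, 0, 0, 0}

	cases := []struct {
		name string
		in   []byte
	}{
		{"well-formed", frame(hdr)},
		{"single byte", []byte{0x00}},   // old code assumed 2 bytes and panicked
		{"empty stream", []byte{}},
		{"truncated body", frame(hdr)[:8]}, // declares 12 bytes, delivers 6
		{"zero length", []byte{0x00, 0x00}},
	}
	for _, c := range cases {
		msg, err := ReadDoQResponse(bytes.NewReader(c.in))
		fmt.Printf("%-15s -> len=%d err=%v\n", c.name, len(msg), err)
	}

	// A DoH body one byte over the cap is rejected rather than buffered.
	big := bytes.Repeat([]byte{0}, maxMsgSize+1)
	_, err := ReadBoundedBody(bytes.NewReader(big), maxMsgSize)
	fmt.Println("oversized DoH body:", err)
}
```

The `limit+1` trick in `ReadBoundedBody` is what distinguishes "exactly at the cap" from "over the cap"; a plain `io.LimitReader(r, limit)` would silently truncate an oversized body and hand back a message that parses but is not what the upstream sent.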
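The `os.CreateTemp` change is easiest to see with the attack it prevents. The following is an added example (not the project's code) that builds a scratch directory, plants a symlink at a predictable temp name pointing at a victim file, and runs two writers against it: the pre-fix pattern, which opens the predictable name without `O_EXCL` and so follows the link, and the post-fix pattern, where `os.CreateTemp` picks a random name and opens it with `O_EXCL`, then renames it into place. `WriteUnsafe`, `WriteSafe`, `Demo`, the file names and the file contents are all constructed for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// WriteUnsafe is the pre-fix pattern: a predictable temp name opened with
// O_CREAT|O_TRUNC and no O_EXCL. If a local attacker has planted a symlink at
// that name, the open follows it and the victim file is truncated and
// overwritten with our data.
func WriteUnsafe(dir, final string, data []byte) error {
	tmp := filepath.Join(dir, "config.tmp") // predictable: attacker can pre-create it
	if err := os.WriteFile(tmp, data, 0o600); err != nil {
		return err
	}
	return os.Rename(tmp, filepath.Join(dir, final))
}

// WriteSafe is the post-fix pattern: os.CreateTemp chooses an unpredictable
// name and opens it with O_EXCL, so a symlink pre-planted at any guessed name
// is never followed. The file is created in the destination directory and
// renamed into place, which replaces the final path atomically (and replaces
// a symlink sitting there rather than following it).
func WriteSafe(dir, final string, data []byte) (err error) {
	f, err := os.CreateTemp(dir, "config-*.tmp")
	if err != nil {
		return err
	}
	tmp := f.Name()
	defer func() {
		if err != nil {
			os.Remove(tmp) // do not leave a partial file behind on failure
		}
	}()
	if _, err = f.Write(data); err != nil {
		f.Close()
		return err
	}
	if err = f.Sync(); err != nil {
		f.Close()
		return err
	}
	if err = f.Close(); err != nil {
		return err
	}
	return os.Rename(tmp, filepath.Join(dir, final))
}

// Demo stages the attack in a fresh directory, runs the given writer, and
// returns the victim file's contents afterwards so the caller can see whether
// it was clobbered.
func Demo(writer func(dir, final string, data []byte) error) (string, error) {
	dir, err := os.MkdirTemp("", "symlink-demo-")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(dir)

	victim := filepath.Join(dir, "victim")
	if err := os.WriteFile(victim, []byte("original secret\n"), 0o600); err != nil {
		return "", err
	}
	// Attacker step (constructed): plant a symlink at the predictable temp name.
	if err := os.Symlink(victim, filepath.Join(dir, "config.tmp")); err != nil {
		return "", err
	}
	if err := writer(dir, "config", []byte("server=1.1.1.1\n")); err != nil {
		return "", err
	}
	b, err := os.ReadFile(victim)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	writers := []struct {
		name string
		fn   func(string, string, []byte) error
	}{
		{"predictable name, no O_EXCL", WriteUnsafe},
		{"os.CreateTemp + rename", WriteSafe},
	}
	for _, w := range writers {
		got, err := Demo(w.fn)
		fmt.Printf("%-28s victim now contains %q (err=%v)\n", w.name, got, err)
	}
}
```

On Linux, `fs.protected_symlinks=1` would already block the unsafe writer when the symlink sits in a sticky world-writable directory (such as `/tmp`) and is owned by another user; the demo directory is owned by the running user, so the follow succeeds there regardless, which is the situation on systems without that sysctl. The temp file must be created in the destination directory rather than in `/tmp` so the final `os.Rename` stays on one filesystem and remains atomic.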
Improved
- Shared a single QUIC transport and UDP socket across DoQ dials, so parallel dial and reconnect churn no longer allocate a socket per attempt or leak sockets; the query stream's send side is now closed before reading the response, per RFC 9250 §4.2
- Updated the Docker base image to bookworm
Fixed
- Refreshed macOS VPN DNS after pf stabilization
- Allowed intercept fallback for the default listener
- Flushed pf states after a forced DNS intercept reload