[1.67.0] - 2026-06-08
- ADDED: Encrypted DNS (DoH) for a set - a set's DNS tab can now send its name lookups over an encrypted DNS-over-HTTPS connection instead of to a plain DNS server's IP. Some services only work when looked up through a specific resolver (for example
xbox-dns.rufor sites that say "not available in your country"), and some providers tamper with ordinary DNS - encrypted DNS gets around both. Switch the set between "Plain DNS" and "DNS-over-HTTPS", then pick a server from the built-in list or paste your own address. Only that set's lookups are affected, so the rest of your DNS stays as it is. - ADDED: Target a set to IPv4 or IPv6 only - a set can now be limited to only IPv4 or only IPv6 traffic, alongside the existing domain, IP, and TLS-version targeting. Some networks handle IPv4 and IPv6 differently, so the settings that work for a site over one can differ over the other. You can now make one set for a site over IPv4 and a separate set for the same site over IPv6, each with its own options. Discovery can also search for a working setup specifically over IPv4 or IPv6 and saves the result limited to that version. The default is "Any" (both), and the choice only appears when both IPv4 and IPv6 are turned on in Settings.
- FIXED: Sending a set's traffic to a proxy didn't work while bypass options were on - when a set was set to route its traffic through an upstream proxy (or the Telegram bridge), b4 still tried to apply its DPI-bypass tricks to that same traffic, which fought with the routing and the connection failed to open. b4 now hands routed traffic straight to the proxy, so routing works even with the bypass options left enabled - and routed connections still show up on the Traffic page.
- FIXED: RST protection did nothing on sets that also used SYN-based bypass - if a set combined "RST protection" with certain TCP bypass techniques, the protection was silently inactive because those connections weren't being tracked, so the site still got reset. RST protection now works in that combination. It also blocks the matching fake reset aimed at the destination server, not only the one aimed at your device.
- FIXED: Dummy network interfaces were missing from the interface lists - a dummy interface (for example
dummy0) did not appear in Settings, so it could not be picked for monitoring or NAT masquerade. Any dummy interface that is up now shows up in both lists. - FIXED: Telegram desktop kept reconnecting every 30-60 seconds over the Telegram bridge - a background keep-alive added in 1.66.0 to hold idle connections open actually sent a signal Telegram's servers rejected, so the connection dropped and rebuilt itself about twice a minute (you would see parts of the Telegram window flicker). That keep-alive has been removed, so connections stay healthy on their own again.
- FIXED: Monitoring a site could add it to a blocking set and break it - if you monitored a site (for example
youtube.com) and also ran a set that blocks or routes traffic - such as an ad-blocking set built from a category likecategory-ads-all- the watchdog could mistake that set for the one that owns your site, because the block list happened to contain a sub-domain of it (for exampleads.youtube.com). When the site dipped and the watchdog tried to repair it, it added the site to that block/routing set, so the site got blocked instead of restored. The watchdog now only repairs sets that list the site by name, and never touches a set that has Routing turned on, so monitoring can no longer poison a blocking or routing set. Note: if an earlier version already added the monitored site to such a set, remove it there by hand once.
What's Changed
- fix: exclude dummy interfaces from system interfaces list and ensure … by @DanielLavrushin in #244
- Doh set feature by @DanielLavrushin in #245
Full Changelog: v1.66.0...v1.67.0