badguardhome/CHANGELOG.md

39 KiB

AdGuard Home Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Unreleased

Security

  • Enforced password strength policy (#3503).
  • Weaker cipher suites that use the CBC (cipher block chaining) mode of operation have been disabled (#2993).

Added

  • The ability to customize the set of networks that are considered private through the new dns.private_networks property in the configuration file (#3142).
  • EDNS Client-Subnet information in the request details section of a query log record (#3978).
  • Support for hostnames for plain UDP upstream servers using the udp:// scheme (#4166).
  • Logs are now collected by default on FreeBSD and OpenBSD when AdGuard Home is installed as a service (#4213).
  • windows/arm64 support (#3057).

Changed

  • The default DNS-over-QUIC port number is now 853 instead of 754 in accordance with the latest RFC draft (#4276).
  • Reverse DNS now has a greater priority as the source of runtime clients' information than ARP neighborhood.
  • Improved detection of runtime clients through more resilient ARP processing (#3597).
  • The TTL of responses served from the optimistic cache is now lowered to 10 seconds.
  • Domain-specific private reverse DNS upstream servers are now validated to allow only *.in-addr.arpa and *.ip6.arpa domains pointing to locally-served networks (#3381). Note: If you already have invalid entries in your configuration, consider removing them manually, since they essentially had no effect.
  • Response filtering is now performed using the record types of the answer section of messages as opposed to the type of the question (#4238).
  • Instead of adding the build time information, the build scripts now use the standardized environment variable SOURCE_DATE_EPOCH to add the date of the commit from which the binary was built (#4221). This should simplify reproducible builds for package maintainers and those who compile their own AdGuard Home.
  • The property local_domain_name is now in the dhcp object in the configuration file to avoid confusion (#3367).
  • The dns.bogus_nxdomain property in the configuration file now supports CIDR notation alongside IP addresses (#1730).

Configuration Changes

In this release, the schema version has changed from 12 to 13.

  • Property local_domain_name, which in schema versions 12 and earlier used to be a part of the dns object, is now a part of the dhcp object:

    # BEFORE:
    'dns':
      # …
      'local_domain_name': 'lan'
    
    # AFTER:
    'dhcp':
      # …
      'local_domain_name': 'lan'
    

    To rollback this change, move the property back into the dns object and change the schema_version back to 12.

Deprecated

  • Go 1.17 support. v0.109.0 will require at least Go 1.18 to build.

v0.107.6 - 2022-04-13

See also the v0.107.6 GitHub milestone.

Security

Added

  • Support for SVCB/HTTPS parameter dohpath in filtering rules with the dnsrewrite modifier according to the RFC draft (#4463).

Changed

  • Filtering rules with the dnsrewrite modifier that create SVCB or HTTPS responses should use ech instead of echconfig to conform with the latest drafts.

Deprecated

  • SVCB/HTTPS parameter name echconfig in filtering rules with the dnsrewrite modifier. Use ech instead. v0.109.0 will remove support for the outdated name echconfig.
  • Obsolete --no-mem-optimization option (#4437). v0.109.0 will remove the flag completely.

Fixed

  • I/O timeout errors when checking for the presence of another DHCP server.
  • Network interfaces being incorrectly labeled as down during installation.
  • Rules for blocking the QQ service (#3717).

Removed

  • Go 1.16 support, since that branch of the Go compiler has reached end of life and doesn't receive security updates anymore.

v0.107.5 - 2022-03-04

This is a security update. There is no GitHub milestone, since no GitHub issues were resolved.

Security

  • Go version was updated to prevent the possibility of exploiting the CVE-2022-24921 vulnerability.

v0.107.4 - 2022-03-01

See also the v0.107.4 GitHub milestone.

Security

Fixed

  • Optimistic cache now responds with expired items even if those can't be resolved again (#4254).
  • Unnecessarily complex hosts-related logic leading to infinite recursion in some cases (#4216).

v0.107.3 - 2022-01-25

See also the v0.107.3 GitHub milestone.

Added

  • Support for a dnsrewrite modifier with an empty NOERROR response (#4133).

Fixed

  • Wrong set of ports checked for duplicates during the initial setup (#4095).
  • Incorrectly invalidated service domains (#4120).
  • Poor testing of domain-specific upstream servers (#4074).
  • Omitted aliases of hosts specified by another line within the OS's hosts file (#4079).

v0.107.2 - 2021-12-29

See also the v0.107.2 GitHub milestone.

Fixed

  • Infinite loops when TCP connections time out (#4042).

v0.107.1 - 2021-12-29

See also the v0.107.1 GitHub milestone.

Changed

  • The validation error message for duplicated allow- and blocklists in DNS settings now shows the duplicated elements (#3975).

Fixed

  • ipset initialization bugs (#4027).
  • Legacy DNS rewrites from a wildcard pattern to a subdomain (#4016).
  • Service not being stopped before running the uninstall service action (#3868).
  • Broken reload service action on FreeBSD.
  • Legacy DNS rewrites responding from upstream when a request other than A or AAAA is received (#4008).
  • Panic on port availability check during installation (#3987).
  • Incorrect application of rules from the OS's hosts files (#3998).

v0.107.0 - 2021-12-21

See also the v0.107.0 GitHub milestone.

Added

  • Upstream server information for responses from cache (#3772). Note that old log entries concerning cached responses won't include that information.
  • Finnish and Ukrainian translations.
  • Setting the timeout for IP address pinging in the "Fastest IP address" mode through the new fastest_timeout field in the configuration file (#1992).
  • Static IP address detection on FreeBSD (#3289).
  • Optimistic cache (#2145).
  • New possible value of 6h for querylog_interval property (#2504).
  • Blocking access using ClientIDs (#2624, #3162).
  • source directives support in /etc/network/interfaces on Linux (#3257).
  • RFC 9000 support in QUIC.
  • Completely disabling statistics by setting the statistics interval to zero (#2141).
  • The ability to completely purge DHCP leases (#1691).
  • Settable timeouts for querying the upstream servers (#2280).
  • Configuration file properties to change group and user ID on startup on Unix (#2763).
  • Experimental OpenBSD support for AMD64 and 64-bit ARM CPUs (#2439, #3225, #3226).
  • Support for custom port in DNS-over-HTTPS profiles for Apple's devices (#3172).
  • darwin/arm64 support (#2443).
  • freebsd/arm64 support (#2441).
  • Output of the default addresses of the upstreams used for resolving PTRs for private addresses (#3136).
  • Detection and handling of recurrent PTR requests for locally-served addresses (#3185).
  • The ability to completely disable reverse DNS resolving of IPs from locally-served networks (#3184).
  • New flag --local-frontend to serve dynamically changeable frontend files from disk as opposed to the ones that were compiled into the binary.

Changed

  • Port bindings are now checked for uniqueness (#3835).
  • The DNSSEC check now simply checks against the AD flag in the response (#3904).
  • Client objects in the configuration file are now sorted (#3933).
  • Responses from cache are now labeled (#3772).
  • Better error message for ED25519 private keys, which are not widely supported (#3737).
  • Cache now follows RFC more closely for negative answers (#3707).
  • dnsrewrite rules and other DNS rewrites will now be applied even when the protection is disabled (#1558).
  • DHCP gateway address, subnet mask, IP address range, and leases validations (#3529).
  • The systemd service script will now create the /var/log directory when it doesn't exist (#3579).
  • Items in allowed clients, disallowed clients, and blocked hosts lists are now required to be unique (#3419).
  • The TLS private key previously saved as a string isn't shown in API responses anymore (#1898).
  • Better OpenWrt detection (#3435).
  • DNS-over-HTTPS queries that come from HTTP proxies in the trusted_proxies list now use the real IP address of the client instead of the address of the proxy (#2799).
  • Clients who are blocked by access settings now receive a REFUSED response when a protocol other than DNS-over-UDP and DNSCrypt is used.
  • dns.querylog_interval property is now formatted in hours.
  • Query log search now supports internationalized domains (#3012).
  • Internationalized domains are now shown decoded in the query log with the original encoded version shown in request details (#3013).
  • When /etc/hosts-type rules have several IPs for one host, all IPs are now returned instead of only the first one (#1381).
  • Property rlimit_nofile is now in the os object of the configuration file, together with the new group and user properties (#2763).
  • Permissions on filter files are now 0o644 instead of 0o600 (#3198).

Configuration Changes

In this release, the schema version has changed from 10 to 12.

  • Property dns.querylog_interval, which in schema versions 11 and earlier used to be an integer number of days, is now a string with a human-readable duration:

    # BEFORE:
    'dns':
      # …
      'querylog_interval': 90
    
    # AFTER:
    'dns':
      # …
      'querylog_interval': '2160h'
    

    To rollback this change, convert the property back into days and change the schema_version back to 11.

  • Property rlimit_nofile, which in schema versions 10 and earlier used to be on the top level, is now moved to the new os object:

    # BEFORE:
    'rlimit_nofile': 42
    
    # AFTER:
    'os':
      'group': ''
      'rlimit_nofile': 42
      'user': ''
    

    To rollback this change, move the property on the top level and change the schema_version back to 10.

Deprecated

  • Go 1.16 support. v0.108.0 will require at least Go 1.17 to build.

Fixed

  • EDNS0 TCP keepalive option handling (#3778).
  • Rules with the denyallow modifier applying to IP addresses when they shouldn't (#3175).
  • The length of the EDNS0 client subnet option appearing too long for some upstream servers (#3887).
  • Invalid redirection to the HTTPS web interface after saving enabled encryption settings (#3558).
  • Incomplete propagation of the client's IP anonymization setting to the statistics (#3890).
  • Incorrect results with the dnsrewrite modifier for entries from the operating system's hosts file (#3815).
  • Matching against rules with | at the end of the domain name (#3371).
  • Incorrect assignment of explicitly configured DHCP options (#3744).
  • Occasional panic during shutdown (#3655).
  • Addition of IPs into only one as opposed to all matching ipsets on Linux (#3638).
  • Removal of temporary filter files (#3567).
  • Panic when an upstream server responds with an empty question section (#3551).
  • 9GAG blocking (#3564).
  • DHCP now follows RFCs more closely when it comes to response sending and option selection (#3443, #3538).
  • Occasional panics when reading old statistics databases (#3506).
  • reload service action on macOS and FreeBSD (#3457).
  • Inaccurate using of service actions in the installation script (#3450).
  • ClientID checking (#3437).
  • Discovering other DHCP servers on darwin and freebsd (#3417).
  • Switching listening address to unspecified one when bound to a single specified IPv4 address on Darwin (macOS) (#2807).
  • Incomplete HTTP response for static IP address.
  • DNSCrypt queries weren't appearing in query log (#3372).
  • Wrong IP address for proxied DNS-over-HTTPS queries (#2799).
  • Domain name letter case mismatches in DNS rewrites (#3351).
  • Conflicts between IPv4 and IPv6 DNS rewrites (#3343).
  • Letter case mismatches in CNAME filtering (#3335).
  • Occasional breakages on network errors with DNS-over-HTTP upstreams (#3217).
  • Errors when setting static IP on Linux (#3257).
  • Treatment of domain names and FQDNs in custom rules with the dnsrewrite modifier that use the PTR type (#3256).
  • Redundant hostname generating while loading static leases with empty hostname (#3166).
  • Domain name case in responses (#3194).
  • Custom upstreams selection for clients with ClientIDs in DNS-over-TLS and DNS-over-HTTP (#3186).
  • Incorrect client-based filtering applying logic (#2875).

Removed

  • Go 1.15 support.

v0.106.3 - 2021-05-19

See also the v0.106.3 GitHub milestone.

Added

  • Support for reinstall (-r) and uninstall (-u) flags in the installation script (#2462).
  • Support for DHCP DECLINE and RELEASE message types (#3053).

Changed

  • Add microseconds to log output.

Fixed

  • Intermittent "Warning: ID mismatch" errors ([#3087]).
  • Error when using installation script on some ARMv7 devices (#2542).
  • DHCP leases validation (#3107, #3127).
  • Local PTR request recursion in Docker containers (#3064).
  • Ignoring client-specific filtering settings when filtering is disabled in general settings (#2875).
  • Disallowed domains are now case-insensitive (#3115).

v0.106.2 - 2021-05-06

See also the v0.106.2 GitHub milestone.

Fixed

  • Uniqueness validation for dynamic DHCP leases (#3056).

v0.106.1 - 2021-04-30

See also the v0.106.1 GitHub milestone.

Fixed

  • Local domain name handling when the DHCP server is disabled (#3028).
  • Normalization of previously-saved invalid static DHCP leases (#3027).
  • Validation of IPv6 addresses with zones in system resolvers (#3022).

v0.106.0 - 2021-04-28

See also the v0.106.0 GitHub milestone.

Added

  • The ability to block user for login after configurable number of unsuccessful attempts for configurable time (#2826).
  • denyallow modifier for filters (#2923).
  • Hostname uniqueness validation in the DHCP server (#2952).
  • Hostname generating for DHCP clients which don't provide their own (#2723).
  • New flag --no-etc-hosts to disable client domain name lookups in the operating system's /etc/hosts files (#1947).
  • The ability to set up custom upstreams to resolve PTR queries for local addresses and to disable the automatic resolving of clients' addresses (#2704).
  • Logging of the client's IP address after failed login attempts (#2824).
  • Search by clients' names in the query log (#1273).
  • Verbose version output with -v --version (#2416).
  • The ability to set a custom TLD or domain name for known hosts in the local network (#2393, #2961).
  • The ability to serve DNS queries on multiple hosts and interfaces (#1401).
  • ips and text DHCP server options (#2385).
  • SRV records support in filtering rules with the dnsrewrite modifier (#2533).

Changed

  • Our DoQ implementation is now updated to conform to the latest standard draft (#2843).
  • Quality of logging (#2954).
  • Normalization of hostnames sent by DHCP clients (#2945, #2952).
  • The access to the private hosts is now forbidden for users from external networks (#2889).
  • The reverse lookup for local addresses is now performed via local resolvers (#2704).
  • Stricter validation of the IP addresses of static leases in the DHCP server with regards to the netmask (#2838).
  • Stricter validation of dnsrewrite filtering rule modifier parameters (#2498).
  • New, more correct versioning scheme (#2412).

Deprecated

  • Go 1.15 support. v0.107.0 will require at least Go 1.16 to build.

Fixed

  • Multiple answers for a dnsrewrite rule matching requests with repeating patterns in it (#2981).
  • Root server resolving when custom upstreams for hosts are specified (#2994).
  • Inconsistent resolving of DHCP clients when the DHCP server is disabled (#2934).
  • Comment handling in clients' custom upstreams (#2947).
  • Overwriting of DHCPv4 options when using the HTTP API (#2927).
  • Assumption that MAC addresses always have the length of 6 octets (#2828).
  • Support for more than one /24 subnet in DHCP (#2541).
  • Invalid filenames in the mobileconfig API responses (#2835).

Removed

  • Go 1.14 support.

v0.105.2 - 2021-03-10

Security

  • Session token doesn't contain user's information anymore (#2470).

See also the v0.105.2 GitHub milestone.

Fixed

  • Incomplete hostnames with trailing zero-bytes handling (#2582).
  • Wrong DNS-over-TLS ALPN configuration (#2681).
  • Inconsistent responses for messages with EDNS0 and AD when DNS caching is enabled (#2600).
  • Incomplete OpenWrt detection (#2757).
  • DHCP lease's expired field incorrect time format (#2692).
  • Incomplete DNS upstreams validation (#2674).
  • Wrong parsing of DHCP options of the ip type (#2688).

v0.105.1 - 2021-02-15

See also the v0.105.1 GitHub milestone.

Changed

  • Increased HTTP API timeouts (#2671, #2682).
  • "Permission denied" errors when checking if the machine has a static IP no longer prevent the DHCP server from starting (#2667).
  • The server name sent by clients of TLS APIs is not only checked when strict_sni_check is enabled (#2664).
  • HTTP API request body size limit for the POST /control/access/set and POST /control/filtering/set_rules HTTP APIs is increased (#2666, #2675).

Fixed

  • Error when enabling the DHCP server when AdGuard Home couldn't determine if the machine has a static IP.
  • Optical issue on custom rules (#2641).
  • Occasional crashes during startup.
  • The field "range_start" in the GET /control/dhcp/status HTTP API response is now correctly named again (#2678).
  • DHCPv6 server's ra_slaac_only and ra_allow_slaac properties aren't reset to false on update anymore (#2653).
  • The Vary header is now added along with Access-Control-Allow-Origin to prevent cache-related and other issues in browsers (#2658).
  • The request body size limit is now set for HTTPS requests as well.
  • Incorrect version tag in the Docker release (#2663).
  • DNSCrypt queries weren't marked as such in logs (#2662).

v0.105.0 - 2021-02-10

See also the v0.105.0 GitHub milestone.

Added

  • Added more services to the "Blocked services" list (#2224, #2401).
  • ipset subdomain matching, just like dnsmasq does (#2179).
  • ClientID support for DNS-over-HTTPS, DNS-over-QUIC, and DNS-over-TLS (#1383).
  • The new dnsrewrite modifier for filters (#2102).
  • The host checking API and the query logs API can now return multiple matched rules (#2102).
  • Detecting of network interface configured to have static IP address via /etc/network/interfaces (#2302).
  • DNSCrypt protocol support (#1361).
  • A 5 second wait period until a DHCP server's network interface gets an IP address (#2304).
  • dnstype modifier for filters (#2337).
  • HTTP API request body size limit (#2305).

Changed

  • Access-Control-Allow-Origin is now only set to the same origin as the domain, but with an HTTP scheme as opposed to * (#2484).
  • workDir now supports symlinks.
  • Stopped mounting together the directories /opt/adguardhome/conf and /opt/adguardhome/work in our Docker images (#2589).
  • When dns.bogus_nxdomain option is used, the server will now transform responses if there is at least one bogus address instead of all of them (#2394). The new behavior is the same as in dnsmasq.
  • Post-updating relaunch possibility is now determined OS-dependently (#2231, #2391).
  • Made the mobileconfig HTTP API more robust and predictable, add parameters and improve error response (#2358).
  • Improved HTTP requests handling and timeouts (#2343).
  • Our snap package now uses the core20 image as its base (#2306).
  • New build system and various internal improvements (#2271, #2276, #2297, #2509, #2552, #2639, #2646).

Deprecated

  • Go 1.14 support. v0.106.0 will require at least Go 1.15 to build.
  • The darwin/386 port. It will be removed in v0.106.0.
  • The "rule" and "filter_id" fields in GET /filtering/check_host and GET /querylog responses. They will be removed in v0.106.0 (#2102).

Fixed

  • Autoupdate bug in the Darwin (macOS) version (#2630).
  • Unnecessary conversions from string to net.IP, and vice versa (#2508).
  • Inability to set DNS cache TTL limits (#2459).
  • Possible freezes on slower machines (#2225).
  • A mitigation against records being shown in the wrong order on the query log page (#2293).
  • A JSON parsing error in query log (#2345).
  • Incorrect detection of the IPv6 address of an interface as well as another infinite loop in the /dhcp/find_active_dhcp HTTP API (#2355).

Removed

  • The undocumented ability to use hostnames as any of bind_host values in configuration. Documentation requires them to be valid IP addresses, and now the implementation makes sure that that is the case (#2508).
  • Dockerfile (#2276). Replaced with the script scripts/make/build-docker.sh which uses scripts/make/Dockerfile.
  • Support for pre-v0.99.3 format of query logs (#2102).

v0.104.3 - 2020-11-19

See also the v0.104.3 GitHub milestone.

Fixed

  • The accidentally exposed profiler HTTP API (#2336).

v0.104.2 - 2020-11-19

See also the v0.104.2 GitHub milestone.

Added

  • This changelog :-) (#2294).
  • HACKING.md, a guide for developers.

Changed

  • Improved tests output (#2273).

Fixed

  • Query logs from file not loading after the ones buffered in memory (#2325).
  • Unnecessary errors in query logs when switching between log files (#2324).
  • 404 Not Found errors on the DHCP settings page on Windows. The page now correctly shows that DHCP is not currently available on that OS (#2295).
  • Infinite loop in /dhcp/find_active_dhcp (#2301).