dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
tls_key_log_file. When defined, this is the path to a file where TLS secret keys will be written to, so that DoH traffic can be locally inspected.
A/AAAA/PTR even for names not in the cloaked list.
cert_ignore_timestamp configuration switch is now documented. It allows ignoring timestamps for DNSCrypt certificate verification, until a first server is available. This should only be used on devices that don't have any way to set the clock before DNS service is up. However, a safer alternative remains to use an NTP server with a fixed IP address (such as time.google.com), configured in the captive portals file.
CNAME records are now translated like other responses. Thanks to @ignoramous for this!
dnscrypt-proxy -resolve now reports if ECS (EDNS-clientsubnet) is supported by the server.
dnscrypt-proxy -list now includes ODoH (Oblivious DoH) servers.
GET method are now handled.
PTR queries are now supported for cloaked domains. Contributed by Ian Bashford, thanks!
This is a bugfix only release, addressing regressions introduced in version 2.1.0:
dnscrypt-proxy now includes support for Oblivious DoH.
fallback_resolvers.
fallback_resolvers was renamed to bootstrap_resolvers for clarity. Please update your configuration file accordingly.
server_name = '*' now correctly handle both relay types.
[blacklist] has been renamed to [blocked_names]
[ip_blacklist] has been renamed to [blocked_ips]
[whitelist] has been renamed to [allowed_names]
generate-domains-blacklist.py has been renamed to generate-domains-blocklist.py, and the configuration files have been renamed as well.
dnscrypt-proxy -resolve has been completely revamped, and now requires the configuration file to be accessible. It will send a query to an IP address of the dnscrypt-proxy server by default. Sending queries to arbitrary servers is also supported with the new -resolve name,address syntax.
* for automatic relay selection. When a wildcard is used, either for the list of servers or relays, the proxy ensures that relays and servers are on distinct networks.
NOT_READY for queries received before the proxy has been initialized.
allowed_ips, to configure a set of IP addresses to never block no matter what DNS name resolves to them.
[captive_portals].
listen_addresses can now include IP addresses that haven't been assigned to an interface yet.
generate-domains-blocklist.py: regular expressions are now ignored in time-based entries.
SVCB and HTTPS records can now be blocked in addition to aliases via regular CNAME records.
max-stale cache control directive is now present in queries.
/dev/stdout instead of actual files.
Thanks to the nice people who contributed to this release: