dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
* -list, -list-all, -show-certs or -check command-line switches are used.
* tls_client_auth was renamed to doh_client_x509_auth. A section with the previous name is temporarily ignored if empty, but will error out if not.
* IceCodeNew!
* lifenjoiner, thanks!
* generate-domains-blacklists now tries to deduplicate entries clobbered by wildcard rules. Thanks to Huhni!
* generate-domains-blacklists can now directly write lists to a file with the -o command-line option.
* The ct parameter has been removed from DoH queries, as Google doesn't require it any more.
* log_file_latest option.
* The tls_client_auth section was renamed to doh_client_x509_auth. If you had a tls_client_auth section in the configuration file, it needs to be updated.
* The dnsdist load balancer (presumably used by quad9, cleanbrowsing, qualityology, freetsa.org, ffmuc.net, opennic-bongobow, sth-dnscrypt-se, ams-dnscrypt-nl and more) is preventing queries over 1500 bytes from being received over UDP. Temporary workarounds have been introduced to improve reliability with these resolvers for regular DNSCrypt. Unfortunately, anonymized DNS cannot be reliable until the issue is fixed server-side. The dnsdist authors are aware of it and
* [anonymized_dns] section: skip_incompatible, to ignore resolvers incompatible with Anonymized DNS instead of using them without a relay.
* softfloat to improve compatibility.
* fallback_resolvers option. Note that fallback_resolver is still supported for backward compatibility.
* block_undelegated. When enabled, dnscrypt-proxy will directly respond to queries for locally-served zones (https://sk.tl/2QqB971U) and nonexistent zones that should have been kept local, but are frequently leaked. This reduces latency and improves privacy.
* The DO bit is now set in synthetic responses if it was set in a question, and the AD bit is cleared.
* The miekg/dns module was updated to version 1.1.26, which fixes a security issue affecting non-encrypted/non-authenticated DNS traffic. In dnscrypt-proxy, this only affects the forwarding feature.
* block_undelegated. When enabled, dnscrypt-proxy will directly respond to queries for locally-served zones (https://sk.tl/2QqB971U) and nonexistent zones that should have been kept local, but are frequently leaked. This reduces latency and improves privacy.
* The DO bit is now set in synthetic responses if it was set in a question, and the AD bit is cleared.
* The miekg/dns module was updated to version 1.1.25, which fixes a security issue affecting non-encrypted/non-authenticated DNS traffic. In dnscrypt-proxy, this only affects the forwarding feature.
* There have also been quite a few internal changes, so please report any possible regression!
* block_unqualified to block A/AAAA queries with unqualified host names. These will very rarely get an answer from upstream resolvers, but can leak private information to them, as well as to root servers.
* When a CNAME pointer is blocked, the original query name is now logged along with the pointer. This makes it easier to know what the original query name was, so it can be whitelisted, or what the pointer was, so it can be removed from the blacklist.