AdGuard DNS changelog

All notable environment, configuration file, and other changes to this project will be documented in this file.

The format is not based on Keep a Changelog, since the project doesn't currently adhere to Semantic Versioning.

AGDNS-2507 / Build 926

  • Profile's file cache version was incremented. The file cache structure has been optimized, so messages like the following are to be expected:

    profiledb: warning: error loading fs cache err="decoding protobuf: proto: cannot parse invalid wire-format data"
    

AGDNS-2327 / Build 916

  • Profile's file cache version was incremented. The new field BlockChromePrefetch has been added to profile's object.

  • The objects within the filtering_groups have a new property, block_chrome_prefetch. So replace this:

    filtering_groups:
    -
        id: default
        #
        block_firefox_canary: true
        block_private_relay: true

    with this:

    filtering_groups:
    -
        id: default
        #
        block_chrome_prefetch: true
        block_firefox_canary: true
        block_private_relay: true

AGDNS-2514 / Build 908

  • The environment variable DNSCHECK_CACHE_KV_SIZE has been added.

  • The property kv.type within the check object now supports the cache value.

AGDNS-2484 / Build 886

  • Property type of the ratelimit object has been moved to the underlying allowlist object. So replace this:

    ratelimit:
        type: 'consul'
        #
        allowlist:
            #

    with this:

    ratelimit:
        #
        allowlist:
            type: 'consul'
            #

AGDNS-2443 / Build 877

  • The object filters has new properties: ede_enabled, and sde_enabled. So replace this:

    filters:
        #

    with this:

    filters:
        #
        ede_enabled: true
        sde_enabled: true

AGDNS-2456 / Build 873

  • The environment variables BACKEND_RATELIMIT_URL and BACKEND_RATELIMIT_API_KEY have been added.

  • Added the type property within the ratelimit object. So add it:

    ratelimit:
        type: 'consul'
        #

AGDNS-2431 / Build 872

  • The objects ratelimit.ipv4 and ratelimit.ipv6 have been modified. Their rps properties have been replaced with the new properties count and interval. So replace this:

    ratelimit:
        #
        ipv4:
            rps: 30
        ipv6:
            rps: 300

    with this:

    ratelimit:
        #
        ipv4:
            #
            count: 300
            interval: 10s
        ipv6:
            #
            count: 3000
            interval: 10s

    Adjust the value and add new ones, if necessary.

AGDNS-2457 / Build 871

  • The environment variables DNSCHECK_REMOTEKV_URL and DNSCHECK_REMOTEKV_API_KEY have been added.

  • The property kv.type within the check object now supports the backend value.

AGDNS-2468 / Build 869

  • The environment variable PROFILES_MAX_RESP_SIZE has been added. It sets the maximum size of the response from the profiles endpoint of the backend API. The default value is 8MB.

AGDNS-2427 / Build 854

  • The environment variables REDIS_ADDR, REDIS_KEY_PREFIX, REDIS_MAX_ACTIVE, REDIS_MAX_IDLE, REDIS_IDLE_TIMEOUT, and REDIS_PORT have been added.

  • The property ttl within the check is replaced by the object kv containing the previous ttl and the new property type. So replace this:

    check:
        #
        ttl: 30s

    with this:

    check:
        kv:
            type: 'consul'
            ttl: 30s
        #

AGDNS-2331 / Build 818

  • Profile's file cache version was incremented. The new field RateLimit has been added to profile's object.

AGDNS-2008 / Build 809

  • The environment variables WEB_STATIC_DIR and WEB_STATIC_DIR_ENABLED have been added. If WEB_STATIC_DIR_ENABLED is set to 1, WEB_STATIC_DIR must point to a directory, from which static files are served. The web.static_content property in the configuration file is also ignored when WEB_STATIC_DIR_ENABLED is set to 1.

AGDNS-2316 / Build 808

  • The environment variables BLOCKED_SERVICE_ENABLED, GENERAL_SAFE_SEARCH_ENABLED, and YOUTUBE_SAFE_SEARCH_ENABLED have been added. If they are set to 0, their corresponding *_URL environment variables can be empty.

AGDNS-2312 / Build 807

  • The environment variables BILLSTAT_URL and PROFILES_URL are no longer required if there are no server groups with profiles enabled.

AGDNS-2312 / Build 802

  • The environment variables ADULT_BLOCKING_ENABLED, NEW_REG_DOMAINS_ENABLED, and SAFE_BROWSING_ENABLED have been added. If they are set to 0, their corresponding *_URL environment variables can be empty.

AGDNS-2302 / Build 801

  • The environment variable METRICS_NAMESPACE has been added.

AGDNS-2292 / Build 794

  • The environment variable PROFILES_ENABLED has been removed.

  • The objects within the server_groups array have a new property profiles_enabled. So replace this:

    server_groups:
      - name: 'default'
        #
      - name: 'client'
        #

    with this:

    server_groups:
      - name: 'default'
        #
        profiles_enabled: false
      - name: 'client'
        #
        profiles_enabled: true

AGDNS-2289 / Build 793

  • The environment variable FILTER_INDEX_URL now accepts file:// URIs to use local files as filtering-rule list indexes.

  • All other *_URL environment variables are now validated to be HTTP(s) or gRPC(S) more strictly.

AGDNS-2254 / Build 779

  • The environment variables BILLSTAT_API_KEY and PROFILES_API_KEY have been added.

AGDNS-2172 / Build 776

  • The version of the profile cache file has been incremented.

AGDNS-2048 / Build 750

  • The environment variables RESEARCH_LOGS and RESEARCH_METRICS have been removed.

AGDNS-2022 / Build 746

  • The property block_page_redirect of objects within the server_groups array has been removed.

AGDNS-1981 / Build 744

  • The objects within the server_groups array had a change in their block_page_redirect configuration: it now supports arrays of IP addresses in the ipv4 and ipv6 fields.

  • Profile's file cache version was incremented. In case of BlockingModeCustomIP the profile.blocking_mode IPv4/IPv6 fields are now arrays of IP addresses.

AGDNS-2012 / Build 732

  • The querylog now has a new field, "rn", which is a 16-bit unsigned random number. Field "u", the unique request ID, is deprecated and may be removed in the future.

AGDNS-1879 / Build 729

  • Profile's file cache version was incremented. The new field authentication has been added to profile's device object.

AGDNS-1934 / Build 728

  • The object filters has new properties: index_refresh_timeout, and rule_list_refresh_timeout. So replace this:

    filters:
        #

    with this:

    filters:
        #
        index_refresh_timeout: 1m
        rule_list_refresh_timeout: 1m

  • The objects safe_browsing and adult_blocking have a new property: refresh_timeout. So replace this:

    safe_browsing:
        #
    #
    adult_blocking:
        #

    with this:

    safe_browsing:
        #
        refresh_timeout: 1m
    #
    adult_blocking:
        #
        refresh_timeout: 1m

AGDNS-1954 / Build 726

  • The object web has a new optional property, general_blocking. Its format is the same as in adult_blocking and safe_browsing.

AGDNS-1954 / Build 719

  • The objects within the server_groups array have a new property block_page_redirect:

    block_page_redirect:
        enabled: true
        ipv4:
          - address: '127.0.0.1'
          - address: '127.0.0.2'
        ipv6:
          - address: '::1'
          - address: '::2'
        apply:
            client:
              - address: '192.168.0.0/16'
              - address: '1.2.3.4'
        skip:
            client:
              - address: '1.2.0.0/16'
            question:
              - domain: 'do-not-show-block.site.example'
        probability: 0.01

    Note: For ipv4 and ipv6 only one address is currently supported.

    For server groups that do not require a block-page redirect, set:

    block_page_redirect:
        enabled: false

AGDNS-1888 / Build 717

  • The new environment variable PROFILES_ENABLED has been added. When set to 0, it disables user profile and device recognition as well as billing. Its default value is 1. Adjust the value, if necessary.

AGDNS-1761 / Build 702

  • The property upstream has been modified. Its property timeout has been replaced with the new property servers.timeout for each server in the servers list. Concomitantly the fallback.timeout has been replaced with fallback.servers.timeout for each fallback server. The fallback.servers now supports not only the addresses of the servers, but URLs in the [scheme://]ip:port format like it's done with the main servers. So replace this:

    upstream:
        #
        servers:
          - 'tcp://1.1.1.1:53'
          - '127.0.0.1:5358'
        timeout: 2s
        fallback:
            servers:
              - 8.8.4.4:53
            timeout: 1s

    with this:

    upstream:
        #
        servers:
          - address: 'tcp://1.1.1.1:53'
            timeout: 2s
          - address: '127.0.0.1:5358'
            timeout: 2s
        fallback:
            servers:
              - address: '8.8.4.4:53'
                timeout: 1s

    Adjust the value and add new ones, if necessary.

AGDNS-698 / Build 701

  • The object dns has new properties: read_timeout, tcp_idle_timeout, and write_timeout. So replace this:

    dns:
        max_udp_response_size: 1024B

    with this:

    dns:
        read_timeout: 2s
        tcp_idle_timeout: 30s
        write_timeout: 2s
        handle_timeout: 1s
        max_udp_response_size: 1024B

    The values in the example are previous defaults.

AGDNS-1751 / Build 691

  • The property upstream.server has been removed. Its former content is moved to the newly added property servers, which is now extended to contain a list of URLs of main upstream servers. So replace this:

    upstream:
        #
        server: '8.8.8.8:53'

    with this:

    upstream:
        #
        servers:
          - '8.8.8.8:53'

    Adjust the value and add new ones, if necessary.

AGDNS-1759 / Build 684

  • The object backend has a new property, full_refresh_retry_interval. So replace this:

    backend:
        #
        full_refresh_interval: 24h

    with this:

    backend:
        #
        full_refresh_interval: 24h
        full_refresh_retry_interval: 1h

    Adjust the value, if necessary.

AGDNS-1744 / Build 681

  • Metric forward_request_total has a new label, network. This label describes the network type (tcp or udp) over which an upstream has finished processing a request.

AGDNS-1738 / Build 678

  • Object dns has a new property, max_udp_response_size, describing the maximum size of a DNS response over the UDP protocol.

    dns:
        max_udp_response_size: 1024B
        handle_timeout: 1s

AGDNS-1735 / Build 677

  • The property upstream.fallback has been changed. Its former content is moved to the newly added property servers. The new property timeout, which describes query timeout to fallback servers, was added. So replace this:

    upstream:
        fallback:
        - 1.1.1.1:53
        - 8.8.8.8:53

    with this:

    upstream:
        fallback:
            servers:
            - 1.1.1.1:53
            - 8.8.8.8:53
            timeout: 1s

    Adjust the new values, if necessary. Note that the query timeout to fallback servers was previously defined with upstream.timeout property, which now describes the query timeout to the primary servers only.

AGDNS-1178 / Build 676

  • The new object dns has been added:

    dns:
        handle_timeout: 1s

AGDNS-1620 / Build 673

  • Object ratelimit has two new properties: quic and tcp. They configure QUIC and TCP connection limits. Example configuration:

    ratelimit:
        #
        quic:
            enabled: true
            max_streams_per_peer: 100
        tcp:
            enabled: true
            max_pipeline_count: 100

AGDNS-1684 / Build 661

  • Profile's file cache version was incremented. The new field access has been added.

AGDNS-1664 / Build 636

  • The environment variables BILLSTAT_URL and PROFILES_URL no longer support HTTP(s) endpoints. Use GRPC(S) instead.

AGDNS-1667 / Build 633

  • ratelimit configuration properties back_off_count, back_off_duration and back_off_period have been renamed to backoff_count, backoff_duration and backoff_period. So replace this:

    ratelimit:
        back_off_period: 10m
        back_off_count: 1000
        back_off_duration: 30m

    with this:

    ratelimit:
        backoff_period: 10m
        backoff_count: 1000
        backoff_duration: 30m

AGDNS-1607 / Build 617

  • New configuration access has been added. It has a list of AdBlock rules to block requests and a list of client subnets to block access from. Example configuration:

    access:
        blocked_question_domains:
          - 'test.org'
          - '||example.org^$dnstype=AAAA'
        blocked_client_subnets:
          - '1.1.1.1'
          - '2.2.2.0/8'

AGDNS-1619 / Build 611

  • Added a new metric bill_stat_upload_duration that counts the duration of billing statistics upload.

  • The environment variable BILLSTAT_URL, which describes the endpoint for backend billing statistics uploader API, now supports GRPC endpoints.

AGDNS-1600 / Build 582

  • The environment variable PROFILES_CACHE_PATH no longer supports JSON files. Use protobuf with .pb extension instead. The default value has been changed to ./profilecache.pb.

AGDNS-1539 / Build 581

  • The environment variable PROFILES_URL, which describes the endpoint for profiles sync API, now supports GRPC endpoints.

AGDNS-1579 / Build 580

  • The optional property bind_interfaces of server_groups.*.servers objects has been changed, property subnet is now an array and has been renamed to subnets. So replace this:

    bind_interfaces:
      - id: 'dns'
        subnet: '10.0.0.1/32'
      - id: 'dns'
        subnet: '10.0.0.2/32'
      - id: 'dns'
        subnet: '10.0.0.3/32'
      - id: 'dns_secondary'
        subnet: '10.0.0.1/32'

    with this:

    bind_interfaces:
      - id: 'dns'
        subnets:
          - '10.0.0.1/32'
          - '10.0.0.2/32'
          - '10.0.0.3/32'
      - id: 'dns_secondary'
        subnets:
          - '10.0.0.1/32'

AGDNS-1537 / Build 566

  • The configuration property filtering_groups.safe_browsing has been changed, new properties have been added: block_dangerous_domains and block_newly_registered_domains.

AGDNS-1580 / Build 562

  • The environment variable DNSDB_PATH has been removed.

  • New configuration dnsdb has been added, it has an enabled/disabled flag and the property max_size which describes the maximum amount of records in the in-memory buffer. Example configuration:

    dnsdb:
        enabled: true
        max_size: 500000

AGDNS-1537 / Build 559

  • Configuration properties safe_browsing.url and adult_blocking.url are now removed. Use newly added environment variables ADULT_BLOCKING_URL and SAFE_BROWSING_URL.

  • New environment variable NEW_REG_DOMAINS_URL has been added, this is the link to the source list of the newly registered domains.

AGDNS-1567 / Build 557

  • The environment variable BACKEND_ENDPOINT was replaced with three environment variables:

    • LINKED_IP_TARGET_URL: the target URL to which linked IP API requests are proxied.
    • PROFILES_URL: the endpoint for profiles sync API.
    • BILLSTAT_URL: the endpoint for backend billing statistics uploader.

AGDNS-1561 / Build 554

  • The filters object has a new property, max_size, which describes the maximum size of the downloadable content for a rule-list in a human-readable format. Example configuration:

    filters:
        #
        max_size: 256MB

AGDNS-1561 / Build 550

  • Properties so_sndbuf and so_rcvbuf of object network have been changed. Now they are in a human-readable format. Example configuration:

    network:
        so_sndbuf: 2MB
        so_rcvbuf: 0

  • The object filters has been changed. Two properties, rule_list_cache_size and use_rule_list_cache, have been extracted to the new object rule_list_cache and renamed to size and enabled. So replace this:

    filters:
        response_ttl: 5m
        custom_filter_cache_size: 1024
        safe_search_cache_size: 1024
        rule_list_cache_size: 10000
        refresh_interval: 1h
        refresh_timeout: 5m
        use_rule_list_cache: true

    with this:

    filters:
        response_ttl: 5m
        custom_filter_cache_size: 1024
        safe_search_cache_size: 1024
        refresh_interval: 1h
        refresh_timeout: 5m
        rule_list_cache:
            enabled: true
            size: 10000

    Adjust the values, if necessary.

AGDNS-1566 / Build 549

  • There is now a new env variable RESEARCH_LOGS that controls whether logging of additional info for research purposes is enabled. These log records can be filtered out by the research: prefix. The default value is 0, i.e. additional logging is disabled. The first thing that is logged in this version is domains whose responses have an ECH config. The log will only be recorded when both RESEARCH_LOGS and RESEARCH_METRICS are set to 1.

  • Added a new research metric dns_research_response_ech that counts the number of responses with an ECH configuration.

AGDNS-1556 / Build 547

  • The object cache has a new property ttl_override. It describes the TTL override settings, such as the minimum TTL for cache items and the enabled switch. It overwrites the TTL from DNS response in case it's less than this minimum value. So replace this:

    cache:
        type: "simple"
        size: 10000
        ecs_size: 10000

    with this:

    cache:
        type: "simple"
        size: 10000
        ecs_size: 10000
        ttl_override:
            enabled: true
            # The minimum duration of TTL for a cache item.
            min: 60s

    Adjust the values, if necessary.

AGDNS-1498 / Build 527

  • Object ratelimit has a new property, connection_limit, which allows setting stream-connection limits. Example configuration:

    ratelimit:
        #
        connection_limit:
            enabled: true
            stop: 1000
            resume: 800

AGDNS-1383 / Build 525

  • The environment variable PROFILES_CACHE_PATH is now sensitive to the file extension. Use .json for the previous behavior of encoding the cache into a JSON file or .pb for encoding it into protobuf. Other extensions are invalid.

AGDNS-1381 / Build 518

  • The new object network has been added:

    network:
        so_sndbuf: 0
        so_rcvbuf: 0

AGDNS-1383 / Build 515

  • The environment variable PROFILES_CACHE_PATH now has a new special value, none, which disables profile caching entirely. The default value of ./profilecache.json has not been changed.

AGDNS-1479 / Build 513

  • The profile-cache version has been changed to 6. Versions of the profile cache from 3 to 5 are invalid and should not be reused.

AGDNS-1473 / Build 506

  • The profile-cache version has been changed to 5.

AGDNS-1247 / Build 484

  • The new object interface_listeners has been added:

    interface_listeners:
        channel_buffer_size: 1000
        list:
            eth0_plain_dns:
                interface: 'eth0'
                port: 53
            eth0_plain_dns_secondary:
                interface: 'eth0'
                port: 5353

  • The objects within the server_groups.*.servers array have a new optional property, bind_interfaces:

    server_groups:
    -
        #
        servers:
          - name: 'default_dns'
            #
            bind_interfaces:
              - id: 'eth0_plain_dns'
                subnet: '127.0.0.0/8'
              - id: 'eth0_plain_dns_secondary'
                subnet: '127.0.0.0/8'

    It is mutually exclusive with the current bind_addresses field.

AGDNS-1406 / Build 480

  • The default behavior of the environment variable DNSDB_PATH has been changed. Previously, if the variable was unset then the default value, ./dnsdb.bolt, was used, but if it was an empty string, DNSDB was disabled. Now both unset and empty value disable DNSDB, which is consistent with the documentation.

    This means that DNSDB is disabled by default.

  • The default configuration file path has been changed from ./config.yml to ./config.yaml for consistency with other services.

AGDNS-916 / Build 456

  • ratelimit now defines rate of requests per second for IPv4 and IPv6 addresses separately. So replace this:

    ratelimit:
        rps: 30
        ipv4_subnet_key_len: 24
        ipv6_subnet_key_len: 48

    with this:

    ratelimit:
        ipv4:
            rps: 30
            subnet_key_len: 24
        ipv6:
            rps: 300
            subnet_key_len: 48

AGDNS-907 / Build 449

  • The objects within the filtering_groups have a new property, block_firefox_canary. So replace this:

    filtering_groups:
    -
        id: default
        #

    with this:

    filtering_groups:
    -
        id: default
        #
        block_firefox_canary: true

    The recommended default value is true.

AGDNS-1308 / Build 447

  • There is now a new env variable RESEARCH_METRICS that controls whether collecting research metrics is enabled or not. Also, the first research metric is added: dns_research_blocked_per_country_total, it counts the number of blocked requests per country. Its default value is 0, i.e. research metrics collection is disabled by default.

AGDNS-1051 / Build 443

  • There are two changes in the keys of the static_content map. Firstly, properties allow_origin and content_type are removed. Secondly, a new property, called headers, is added. So replace this:

    static_content:
        '/favicon.ico':
            #
            allow_origin: '*'
            content_type: 'image/x-icon'

    with this:

    static_content:
        '/favicon.ico':
            #
            headers:
                'Access-Control-Allow-Origin':
                  - '*'
                'Content-Type':
                  - 'image/x-icon'

    Adjust or add the values, if necessary.

AGDNS-1278 / Build 423

  • The object filters has two new properties, rule_list_cache_size and use_rule_list_cache. So replace this:

    filters:
        response_ttl: 5m
        custom_filter_cache_size: 1024
        safe_search_cache_size: 1024
        refresh_interval: 1h
        refresh_timeout: 5m

    with this:

    filters:
        response_ttl: 5m
        custom_filter_cache_size: 1024
        safe_search_cache_size: 1024
        rule_list_cache_size: 10000
        refresh_interval: 1h
        refresh_timeout: 5m
        use_rule_list_cache: true

    Adjust the values, if necessary.

AGDNS-1278 / Build 422

  • The object filters has a new property, safe_search_cache_size. So replace this:

    filters:
        response_ttl: 5m
        custom_filter_cache_size: 1024
        refresh_interval: 1h
        refresh_timeout: 5m

    with this:

    filters:
        response_ttl: 5m
        custom_filter_cache_size: 1024
        safe_search_cache_size: 1024
        refresh_interval: 1h
        refresh_timeout: 5m

    Adjust the values, if necessary.

AGDNS-1174 / Build 397

  • DNS Server Check now responds with a NODATA message to all requests that are neither A nor AAAA.

AGDNS-911 / Build 375

  • Added support for running a DoH3 server. No configuration changes are required to run it. If there was a DoH server configured, it will start listening for HTTP/3 connections on the same port where it listens for HTTP/2. Make sure that udp/443 is allowed in the iptables configuration on the server.

AGDNS-842 / Build 372

  • The new environment variable PROFILES_CACHE_PATH has been added. Its default value is ./profilecache.json. Adjust the value, if necessary.

AGDNS-891 / Build 371

  • The property server of upstream object has been changed. Now it is a URL optionally starting with tcp:// or udp://, and then an address in ip:port format.

    upstream:
       server: 'tcp://8.8.8.8:53'

    Adjust the value, if necessary.

AGDNS-1032 / Build 363

  • The new optional field static_content.*.allow_origin has been added:

    static_content:
        '/favicon.ico':
            allow_origin: '*'

AGDNS-898 / Build 359

  • The new optional object additional_metrics_info has been added:

    additional_metrics_info:
        test_key: 'test_value'

AGDNS-986 / Build 346

  • The new object upstream.healthcheck now contains all healthcheck-related fields, including the new field domain_template. Property upstream.healthcheck_backoff_time has been moved to upstream.healthcheck.backoff_duration. So replace this:

    upstream:
        server: 127.0.0.1:53
        timeout: 2s
        healthcheck_enabled: true
        healthcheck_interval: 2s
        healthcheck_timeout: 1s
        healthcheck_backoff_time: 30s
        fallback:
          - 1.1.1.1:53
          - 8.8.8.8:53

    with this:

    upstream:
        server: 127.0.0.1:53
        timeout: 2s
        fallback:
          - 1.1.1.1:53
          - 8.8.8.8:53
        healthcheck:
            enabled: true
            interval: 2s
            timeout: 1s
            backoff_duration: 30s
            domain_template: '${RANDOM}.neverssl.com'

    Adjust the new value, if necessary.

AGDNS-960 / Build 342

  • The property domain of check object has been changed to domains. So replace this:

    check:
       domain: "example.com"

    with this:

    check:
       domains:
       - 'example.com'
       - 'example.org'

    Adjust the new values, if necessary.

AGDNS-838 / Build 338

  • The object upstream has new properties, healthcheck_enabled, healthcheck_interval, healthcheck_timeout, and healthcheck_backoff_time. So replace this:

    upstream:
        server: 127.0.0.9:53
        timeout: 2s
        fallback:
        - 1.1.1.1:53
        - 8.8.8.8:53

    with this:

    upstream:
        server: 127.0.0.9:53
        timeout: 2s
        healthcheck_enabled: true
        healthcheck_interval: 2s
        healthcheck_timeout: 1s
        healthcheck_backoff_time: 30s
        fallback:
        - 1.1.1.1:53
        - 8.8.8.8:53

    Adjust the new values, if necessary.

Build 336

  • The environment variable SSLKEYLOGFILE has been renamed to SSL_KEY_LOG_FILE.

AGDNS-915 / Build 334

  • The properties subnet_key_ip_4_mask_len and subnet_key_ip_6_mask_len of object ratelimit have been renamed to ipv4_subnet_key_len and ipv6_subnet_key_len correspondingly. So replace this:

    ratelimit:
        #
        subnet_key_ip_4_mask_len: 24
        subnet_key_ip_6_mask_len: 48

    with this:

    ratelimit:
        #
        ipv4_subnet_key_len: 24
        ipv6_subnet_key_len: 48

AGDNS-915 / Build 333

  • The ratelimit object has two new properties, subnet_key_ip_4_mask_len and subnet_key_ip_6_mask_len. So replace this:

    ratelimit:
        #

    with this:

    ratelimit:
        #
        subnet_key_ip_4_mask_len: 24
        subnet_key_ip_6_mask_len: 48

AGDNS-897 / Build 329

  • The objects within the filtering_groups have a new property, block_private_relay. So replace this:

    filtering_groups:
    -
        id: default
        #

    with this:

    filtering_groups:
    -
        id: default
        #
        block_private_relay: false

    The recommended default value is false.

AGDNS-624 / Build 320

  • The objects within server_groups array had a change in their DDR configuration. There was an opinion that the previous configuration was too limiting and that denormalized configuration is more self-describing. So replace this:

    server_groups:
    -
        #
        ddr_names:
        - 'dns.example.com'
        #

    with this:

    server_groups:
    -
        #
        ddr:
            enabled: true
            device_records:
                '*.d.dns.example.com':
                    doh_path: '/dns-query{?dns}'
                    https_port: 443
                    quic_port: 853
                    tls_port: 853
                    ipv4_hints:
                    - 127.0.0.1
                    ipv6_hints:
                    - '::1'
            public_records:
                'dns.example.com':
                    doh_path: '/dns-query{?dns}'
                    https_port: 443
                    quic_port: 853
                    tls_port: 853
                    ipv4_hints:
                    - 127.0.0.1
                    ipv6_hints:
                    - '::1'
        #

    Adjust the values, if necessary. Make sure to synchronize and keep in sync the addresses and ports with the values of the server groups' servers.

AGDNS-624 / Build 317

  • The objects within server_groups array have a new property ddr_names:

    server_groups:
    -
        #
        ddr_names:
        - 'dns.example.com'
        #

    It is empty by default. These values will be used for constructing a response for Discovery of Designated Resolvers. Empty value leads to a NODATA response. Adjust the new value, if necessary.

AGDNS-624 / Build 314

  • The property tls of objects within the server_groups.*.servers.* array has been moved to the server_group object, becoming common for the whole group. Any group that has at least one DoH/DoT/DoQ server requires the tls property to be specified. Any group that has no encrypted resolvers must not have the tls property. So replace this:

    server_groups:
    -
        #
        servers:
        -
            name: default_dot
            protocol: tls
            tls:
                #
            #

    with this:

    server_groups:
    -
        tls:
            #
        #
        servers:
        -
            name: default_dot
            protocol: tls
            #

    Adjust the new value, if necessary.

AGDNS-829 / Build 308

  • The object upstream has a new property, timeout. So replace this:

    upstream:
        server: 127.0.0.9:53
        fallback:
        - 1.1.1.1:53
        - 8.8.8.8:53

    with this:

    upstream:
        server: 127.0.0.9:53
        timeout: 2s
        fallback:
        - 1.1.1.1:53
        - 8.8.8.8:53

    Adjust the new value, if necessary.

AGDNS-286 / Build 307

  • The new object connectivity_check has been added:

    connectivity_check:
        probe_ipv4: '8.8.8.8:53'
        probe_ipv6: '[2001:4860:4860::8888]:53'

AGDNS-745 / Build 298

  • The object filters has a new property, refresh_timeout. So replace this:

    filters:
        response_ttl: 5m
        custom_filter_cache_size: 1024
        refresh_interval: 1h

    with this:

    filters:
        response_ttl: 5m
        custom_filter_cache_size: 1024
        refresh_interval: 1h
        refresh_timeout: 5m

    Adjust the values, if necessary.

AGDNS-608 / Build 273

  • The object cache has two new properties, type and ecs_size. So replace this:

    cache:
        size: 10000

    with this:

    cache:
        type: "simple"
        size: 10000
        ecs_size: 10000

    Adjust the values, if necessary.

AGDNS-327 / Build 259

  • Prometheus metric dns_tls_handshake_total has been updated with the server_name label. This label represents "Server Name Indication" identifiers, grouped by endpoint identifier and known server names. All unknown server names are grouped under the other label:

    # TYPE dns_tls_handshake_total counter
    dns_tls_handshake_total{cipher_suite="TLS_AES_128_GCM_SHA256",did_resume="0",negotiated_proto="",proto="tls",server_name="default_dot: other",tls_version="tls1.3"} 4
    

AGDNS-607 / Build 258

  • The special "disallow-all" response is now served in response to /robots.txt requests to the web module.

AGDNS-506 / Build 242

  • The property cache_size of object geoip has been renamed to ip_cache_size. Also, a new property named host_cache_size has been added. So replace this:

    geoip:
        cache_size: 100000
        refresh_interval: 1h

    with this:

    geoip:
        host_cache_size: 100000
        ip_cache_size: 100000
        refresh_interval: 1h

    Adjust the new value, if necessary.

AGDNS-505 / Build 238

  • The object backend has a new property, bill_stat_interval. So replace this:

    backend:
        timeout: 10s
        refresh_interval: 15s
        full_refresh_interval: 24h

    with this:

    backend:
        timeout: 10s
        refresh_interval: 15s
        full_refresh_interval: 24h
        bill_stat_interval: 15s

    Adjust the value, if necessary.

AGDNS-187 / Build 228

  • The new required environment variables GENERAL_SAFE_SEARCH_URL and YOUTUBE_SAFE_SEARCH_URL have been added. Those are expected to lead to plain text filters, for example:

    GENERAL_SAFE_SEARCH_URL='https://adguardteam.github.io/HostlistsRegistry/assets/engines_safe_search.txt'
    YOUTUBE_SAFE_SEARCH_URL='https://adguardteam.github.io/HostlistsRegistry/assets/youtube_safe_search.txt'

AGDNS-344 / Build 226

  • The environment variables CONSUL_DNSCHECK_KV_URL and CONSUL_DNSCHECK_SESSION_URL are now unset by default, which means that by default the HTTP key-value database isn't used.

AGDNS-431 / Build 211

  • The object web has a new optional property, linked_ip:

    web:
        linked_ip:
            bind:
            -
                address: 127.0.0.1:80
            -
                address: 127.0.0.1:443
                certificates:
                -
                    certificate: ./test/cert.crt
                    key: ./test/cert.key

AGDNS-425 / Build 209

  • The objects within the server_groups.*.servers array have a new optional property, linked_ip_enabled. It is false by default. Set to true to enable linked IP address detection on that server:

    server_groups:
    -
        #
        servers:
        -
            name: default_dns
            protocol: dns
            linked_ip_enabled: true
            #

AGDNS-405 / Build 195

  • Used our fork of miekg/dns library to fix the EDNS0 TCP keep-alive issue.

AGDNS-341 / Build 183

  • Removed the static DNS check /info.txt. Now that the web module is available, it is no longer needed, since it can be configured via the web module.

AGDNS-341 / Build 179

  • The object doh has been removed.

  • The new optional object web has been added:

    web:
        safe_browsing:
            bind:
            -
                address: 127.0.0.1:80
            -
                address: 127.0.0.1:443
                certificates:
                -
                    certificate: ./test/cert.crt
                    key: ./test/cert.key
            block_page: /path/to/block_page.html
        adult_blocking:
            bind:
            -
                address: 127.0.0.1:80
            -
                address: 127.0.0.1:443
                certificates:
                -
                    certificate: ./test/cert.crt
                    key: ./test/cert.key
            block_page: /path/to/block_page.html
        non_doh_bind:
        -
            address: 127.0.0.1:80
        -
            address: 127.0.0.1:443
            certificates:
            -
                certificate: ./test/cert.crt
                key: ./test/cert.key
        static_content:
            '/favicon.ico':
                content_type: image/x-icon
                content: base64content
        root_redirect_url: "https://adguard-dns.com"
        error_404: /path/to/error_404.html
        error_500: /path/to/error_500.html
        timeout: 1m

AGDNS-367 / Build 164

  • The object geoip has a new property, cache_size.

AGDNS-310 / Build 153

  • The environment variable LOG_OUTPUT has been removed. Logs are now always written to stdout.

AGDNS-339 / Build 136

  • The environment variable DNSDB_PATH is now unset by default, which means that by default DNSDB is disabled.

AGDNS-350 / Build 135

  • The new optional environment variable SSLKEYLOGFILE has been added.

AGDNS-345 / Build 133

  • The object check has a new property, node_location.

AGDNS-322 / Build 116

  • The property device_id_wildcard_domains in the objects within the server_groups.*.servers array has been renamed to the shorter device_id_wildcards.

  • The DNS names from certificates are not used to detect device IDs and perform additional validations anymore.

AGDNS-305 / Build 114

  • The new required environment variable BLOCKED_SERVICE_INDEX_URL has been added. It has no default value, so it's necessary to set it.

AGDNS-319 / Build 113

  • The objects within the server_groups.*.servers array have a new property, tls.device_id_wildcard_domains. It is an array of domain name wildcards used to detect device IDs. If necessary, add them:

    server_groups:
    -
        #
        servers:
        -
            name: default_dot
            #
            tls:
                #
                device_id_wildcard_domains:
                - '*.dns.adguard.com'

AGDNS-292 / Build 111

  • The environment variable CONSUL_URL has been renamed to CONSUL_ALLOWLIST_URL.

  • The new required environment variables CONSUL_DNSCHECK_KV_URL and CONSUL_DNSCHECK_SESSION_URL are added. They have no default value, so it's necessary to set them.

  • The object check has a new property, ttl. Set it to a human-readable duration, for example 1m.

AGDNS-296 / Build 110

  • The property parental.safe_search of objects within the filtering_groups array is renamed to parental.general_safe_search to synchronize it with the backend.

Build 109

  • The object log has been removed. Its properties have been moved to the environment.

  • The new environment variable LOG_OUTPUT has been added. It is the path to the plain text log file. If stdout, writes to standard output. If stderr, writes to standard error.

    The default value is stdout. Adjust the value, if necessary.

  • The new environment variable LOG_TIMESTAMP has been added. When it is set to 1, timestamps are shown in the plain text logs. When set to 0, they are not shown.

    The default value is 1. Adjust the value, if necessary.

  • The environment variable VERBOSE doesn't support a set but empty value. Unset the value or replace it with a 0.

AGDNS-295 / Build 105

  • Another change in the objects within the filtering_groups. Before:

    filtering_groups:
    -
        id: default
        filters:
        - adguard_dns_filter
        parental: true
        block_adult: true
        safe_browsing: true
        safe_search: true
        youtube_safe_search: true

    After:

    filtering_groups:
    -
        id: default
        parental:
            enabled: true
            block_adult: true
            safe_search: true
            youtube_safe_search: true
        rule_lists:
            enabled: true
            ids:
            - adguard_dns_filter
        safe_browsing:
            enabled: true

AGDNS-290 / Build 97

  • The object check has a new property, node_name.

AGDNS-287 / Build 96

  • The objects within the server_groups.*.servers array have a new optional property in their dnscrypt objects, inline. Also, the property config is renamed to config_path. So replace this:

    server_groups:
    -
        name: adguard_dns_default
        filtering_group: default
        servers:
        -
            name: default_dnscrypt
            #
            dnscrypt:
                config: './test/dnscrypt.yml'
        #

    with this:

    server_groups:
    -
        name: adguard_dns_default
        filtering_group: default
        servers:
        -
            name: default_dnscrypt
            #
            dnscrypt:
                inline:
                    provider_name: 2.dnscrypt-cert.example.org
                    public_key: F11DDBCC4817E543845FDDD4CB881849B64226F3DE397625669D87B919BC4FB0
                    private_key: 5752095FFA56D963569951AFE70FE1690F378D13D8AD6F8054DFAA100907F8B6F11DDBCC4817E543845FDDD4CB881849B64226F3DE397625669D87B919BC4FB0
                    resolver_secret: 9E46E79FEB3AB3D45F4EB3EA957DEAF5D9639A0179F1850AFABA7E58F87C74C4
                    resolver_public: 9327C5E64783E19C339BD6B680A56DB85521CC6E4E0CA5DF5274E2D3CE026C6B
                    es_version: 1
                    certificate_ttl: 8760h
        #

    or this:

    server_groups:
    -
        name: adguard_dns_default
        filtering_group: default
        servers:
        -
            name: default_dnscrypt
            #
            dnscrypt:
                config_path: './test/dnscrypt.yml'
        #

    Adjust the values, if necessary.

AGDNS-290 / Build 95

  • The property server_name of object check is removed.

AGDNS-272 / Build 94

  • The new optional object doh has been added, which supplements the DNS-over-HTTPS server configuration. Example:

    doh:
        root_redirect_url: "https://adguard-dns.com/"

AGDNS-140 / Build 90

  • The objects within the server_groups.*.servers array have a new property, tls.session_keys. So, if necessary, replace this:

    server_groups:
    -
        name: adguard_dns_default
        filtering_group: default
        servers:
        -
            name: default_dot
            #
            tls:
                certificates:
                -
                    certificate: ./test/cert.crt
                    key: ./test/cert.key
        #

    with this:

    server_groups:
    -
        name: adguard_dns_default
        filtering_group: default
        servers:
        -
            name: default_dot
            #
            tls:
                certificates:
                -
                    certificate: ./test/cert.crt
                    key: ./test/cert.key
                session_keys:
                - ./private/key_1
        #

AGDNS-233 / Build 88

  • The object backend has a new property, full_refresh_interval. So replace this:

    backend:
        timeout: 10s
        refresh_interval: 1m

    with this:

    backend:
        timeout: 10s
        refresh_interval: 1m
        full_refresh_interval: 24h

    Adjust the value, if necessary.

AGDNS-247 / Build 86

  • The new object check has been added, which configures the DNS checks mechanism. Example:

    check:
        domain: "dnscheck.adguard.com"
        ipv4:
        - 1.2.3.4
        - 5.6.7.8
        ipv6:
        - 1234::cdee
        - 1234::cdef
        server_name: "AdGuard DNS Default"

AGDNS-246 / Build 83

  • The new environment variable RULESTAT_URL has been added. Its default value is an empty string, which means that no statistics are gathered. Adjust the value, if necessary.

AGDNS-245 / Build 74

  • The new environment variable DNSDB_PATH has been added. Its default value is ./dnsdb.bolt. Adjust the value, if necessary.

AGDNS-139 / Build 73

  • The new required environment variable CONSUL_URL has been added. It has no default value, so it's necessary to set it.

  • The ratelimit configuration for a server has changed from this:

    ratelimit:
        refuseany: true
        response_size_limit: 1KB
        rate_limit_cache_ttl: 10m
        back_off_cache_ttl: 30m
        rps: 30
        backoff_limit: 1000

    to this:

    ratelimit:
        allowlist:
            list:
            - '127.0.0.1'
            - '127.0.0.1/24'
            refresh_interval: 30s
        back_off_count: 1000
        back_off_duration: 30m
        back_off_period: 10m
        refuseany: true
        response_size_estimate: 1KB
        rps: 30

    See README.md for documentation.

AGDNS-154 / Build 71

  • The property backend of the query_log object is removed.

AGDNS-230 / Build 67

  • The new required environment variable FILTER_INDEX_URL has been added. It has no default value, so it's necessary to set it.

  • The environment variable BACKEND_ENDPOINT is now required and has no default value.

  • The property lists of the filters object is removed.

  • A new property refresh_interval has been added to the filters object.

AGDNS-229 / Build 62

  • The new environment variable FILTER_CACHE_PATH has been added. Its default value is ./filters/. Adjust the value, if necessary.

  • The list property of safe_browsing and adult_blocking objects as well as the path property of the filters.lists objects are removed.

  • The property url of the filters.lists objects is now required.

AGDNS-188 / Build 61

  • The type of the cache.size property was changed from bytes to integer. So replace this:

    cache:
        size: 50KB

    with this:

    cache:
        size: 10000

    Set the new values accordingly.

AGDNS-149, AGDNS-150, AGDNS-189 / Build 52

  • The top-level object parental was renamed to adult_blocking.

  • The objects safe_browsing and adult_blocking have four new properties, cache_size, cache_ttl, refresh_interval, and url. So replace this:

    safe_browsing:
        block_host: standard-block.dns.adguard.com
        list: ./test/safe_browsing.txt
    
    adult_blocking:
        block_host: family-block.dns.adguard.com
        list: ./test/parental.txt

    with this:

    safe_browsing:
        url: https://static.example.com/safe_browsing.txt
        block_host: standard-block.dns.adguard.com
        cache_size: 1024
        cache_ttl: 1h
        list: ./test/safe_browsing.txt
        refresh_interval: 1h
    
    adult_blocking:
        url: https://static.example.com/adult_blocking.txt
        block_host: family-block.dns.adguard.com
        cache_size: 1024
        cache_ttl: 1h
        list: ./test/parental.txt
        refresh_interval: 1h

    Set the new values accordingly.

  • The objects within the filtering_groups array have a new property, block_adult. So replace this:

    filtering_groups:
    -
        id: default
        filters:
        - adguard_dns_filter
        parental: false
        safe_browsing: true
        safe_search: false
        youtube_safe_search: false
    #

    with this:

    filtering_groups:
    -
        id: default
        filters:
        - adguard_dns_filter
        parental: false
        block_adult: false
        safe_browsing: true
        safe_search: false
        youtube_safe_search: false
    #

    Set the new value accordingly.

  • The objects within the filters.lists array have a new property, refresh_interval. The property is only required when the property url is also set. So replace this:

    filters:
        #
        lists:
        -
            id: adguard_dns_filter
            url: 'https://example.com/adguard_dns_filter.txt'
            path: ./test/filters/adguard_dns_filter.txt
        -
            id: peter_lowe_list
            path: ./test/filters/peter_lowe_list.txt

    with this:

    filters:
        #
        lists:
        -
            id: adguard_dns_filter
            url: 'https://example.com/adguard_dns_filter.txt'
            path: ./test/filters/adguard_dns_filter.txt
            refresh_interval: 1h
        -
            id: peter_lowe_list
            path: ./test/filters/peter_lowe_list.txt

    Set the new value accordingly.

Build 45

  • The property youtube_restricted was renamed to youtube_safe_search. So replace this:

    filtering_groups:
    -
        id: default
        #
        youtube_restricted: false
    -
        id: strict
        #
        youtube_restricted: true

    with this:

    filtering_groups:
    -
        id: default
        #
        youtube_safe_search: false
    -
        id: strict
        #
        youtube_safe_search: true

AGDNS-152 / Build 43

  • The blocked response TTL parameter has been moved and renamed. From this:

    dns:
        blocked_response_ttl: 10s

    to this:

    filters:
        response_ttl: 10s

    The dns object has been completely removed.

AGDNS-177 / Build 40

  • The TLS configuration for a server has changed from this:

    tls:
        certificates:
        -
            certificate: /test/cert.crt
            key: /test/cert.key
        domains:
        - dns.adguard.com

    to this:

    tls:
        certificates:
        -
            certificate: /test/cert.crt
            key: /test/cert.key

    The domains to be used in device ID detection are now expected to be contained in the certificate's DNS Names section of SAN.

AGDNS-167 / Build 39

  • The filtering configuration has changed from this:

    filters:
    -
        id: adguard_dns_filter
        path: ./tmp.dir/filter.txt

    to this:

    filters:
        custom_filter_cache_size: 1024
        lists:
        -
            id: adguard_dns_filter
            path: ./tmp.dir/filter.txt