All notable environment, configuration file, and other changes to this project will be documented in this file.
The format is not based on Keep a Changelog, since the project doesn't currently adhere to Semantic Versioning.
- Profile's file cache version was incremented. The file cache structure has been optimized, so messages like the following are to be expected:

    ```text
    profiledb: warning: error loading fs cache err="decoding protobuf: proto: cannot parse invalid wire-format data"
    ```

- Profile's file cache version was incremented. The new field `BlockChromePrefetch` has been added to profile's object.

- The objects within the `filtering_groups` have a new property, `block_chrome_prefetch`. So replace this:

    ```yaml
    filtering_groups:
      - id: default
        # …
        block_firefox_canary: true
        block_private_relay: true
    ```

    with this:

    ```yaml
    filtering_groups:
      - id: default
        # …
        block_chrome_prefetch: true
        block_firefox_canary: true
        block_private_relay: true
    ```
- The environment variable `DNSCHECK_CACHE_KV_SIZE` has been added.

- The property `kv.type` within the `check` object now supports the `cache` value.

- Property `type` of the `ratelimit` object has been moved to the underlying `allowlist` object. So replace this:

    ```yaml
    ratelimit:
      type: 'consul'
      # …
      allowlist:
        # …
    ```

    with this:

    ```yaml
    ratelimit:
      # …
      allowlist:
        type: 'consul'
        # …
    ```
- The object `filters` has new properties: `ede_enabled`, and `sde_enabled`. So replace this:

    ```yaml
    filters:
      # …
    ```

    with this:

    ```yaml
    filters:
      # …
      ede_enabled: true
      sde_enabled: true
    ```

- The environment variables `BACKEND_RATELIMIT_URL` and `BACKEND_RATELIMIT_API_KEY` have been added.

- Added the `type` property within the `ratelimit` object. So add it:

    ```yaml
    ratelimit:
      type: 'consul'
      # …
    ```
- The objects `ratelimit.ipv4` and `ratelimit.ipv6` have been modified. Their `rps` properties have been replaced with the new properties `count` and `interval`. So replace this:

    ```yaml
    ratelimit:
      # …
      ipv4:
        rps: 30
      ipv6:
        rps: 300
    ```

    with this:

    ```yaml
    ratelimit:
      # …
      ipv4:
        # …
        count: 300
        interval: 10s
      ipv6:
        # …
        count: 3000
        interval: 10s
    ```

    Adjust the value and add new ones, if necessary.

- The environment variables `DNSCHECK_REMOTEKV_URL` and `DNSCHECK_REMOTEKV_API_KEY` have been added.

- The property `kv.type` within the `check` object now supports the `backend` value.

- The environment variable `PROFILES_MAX_RESP_SIZE` has been added. It sets the maximum size of the response from the profiles endpoint of the backend API. The default value is `8MB`.
- The environment variables `REDIS_ADDR`, `REDIS_KEY_PREFIX`, `REDIS_MAX_ACTIVE`, `REDIS_MAX_IDLE`, `REDIS_IDLE_TIMEOUT`, and `REDIS_PORT` have been added.

- The property `ttl` within the `check` is replaced by the object `kv` containing the previous `ttl` and the new property `type`. So replace this:

    ```yaml
    check:
      # …
      ttl: 30s
    ```

    with this:

    ```yaml
    check:
      kv:
        type: 'consul'
        ttl: 30s
      # …
    ```

- Profile's file cache version was incremented. The new field `RateLimit` has been added to profile's object.
- The environment variables `WEB_STATIC_DIR` and `WEB_STATIC_DIR_ENABLED` have been added. If `WEB_STATIC_DIR_ENABLED` is set to `1`, `WEB_STATIC_DIR` must point to a directory, from which static files are served. The `web.static_content` property in the configuration file is also ignored when `WEB_STATIC_DIR_ENABLED` is set to `1`.

- The environment variables `BLOCKED_SERVICE_ENABLED`, `GENERAL_SAFE_SEARCH_ENABLED`, and `YOUTUBE_SAFE_SEARCH_ENABLED` have been added. If they are set to `0`, their corresponding `*_URL` environment variables can be empty.
- The environment variables `BILLSTAT_URL` and `PROFILES_URL` are no longer required if there are no server groups with profiles enabled.
- The environment variables `ADULT_BLOCKING_ENABLED`, `NEW_REG_DOMAINS_ENABLED`, and `SAFE_BROWSING_ENABLED` have been added. If they are set to `0`, their corresponding `*_URL` environment variables can be empty.

- The environment variable `METRICS_NAMESPACE` has been added.

- The environment variable `PROFILES_ENABLED` has been removed.

- The objects within the `server_groups` array have a new property `profiles_enabled`. So replace this:

    ```yaml
    server_groups:
      - name: 'default'
        # …
      - name: 'client'
        # …
    ```

    with this:

    ```yaml
    server_groups:
      - name: 'default'
        # …
        profiles_enabled: false
      - name: 'client'
        # …
        profiles_enabled: true
    ```
- The environment variable `FILTER_INDEX_URL` now accepts `file://` URIs to use local files as filtering-rule list indexes.

- All other `*_URL` environment variables are now validated to be HTTP(s) or gRPC(S) more strictly.
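An added example, not taken from the project's code, of the kind of startup check the `*_URL` entries in this changelog imply: every `*_URL` value is parsed and its scheme is compared against a per-variable allowlist, so that a `file://` URI passes only for `FILTER_INDEX_URL` and `BILLSTAT_URL`/`PROFILES_URL` pass only with gRPC(S). The scheme sets, the `grpc`/`grpcs` spellings, the function names and the sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Scheme allowlists.  These sets are assumptions derived from the changelog
// wording, not copied from the project.
var (
	indexSchemes  = map[string]bool{"http": true, "https": true, "file": true}
	grpcSchemes   = map[string]bool{"grpc": true, "grpcs": true}
	remoteSchemes = map[string]bool{"http": true, "https": true, "grpc": true, "grpcs": true}
)

// allowedSchemes returns the scheme set for one environment variable.
func allowedSchemes(name string) map[string]bool {
	switch name {
	case "FILTER_INDEX_URL":
		return indexSchemes
	case "BILLSTAT_URL", "PROFILES_URL":
		return grpcSchemes
	default:
		return remoteSchemes
	}
}

// validateURLVar checks a single *_URL value against its allowlist.
func validateURLVar(name, value string) error {
	u, err := url.Parse(value)
	if err != nil {
		return fmt.Errorf("%s: %w", name, err)
	}

	// url.Parse lower-cases the scheme, so "HTTPS://" matches "https".  A value
	// without a scheme parses successfully with an empty Scheme and is rejected.
	if !allowedSchemes(name)[u.Scheme] {
		return fmt.Errorf("%s: scheme %q is not allowed", name, u.Scheme)
	}

	if u.Scheme == "file" {
		// Only file:///abs/path is accepted.  A host part would point at
		// another machine, and "file:rel" has no absolute path.
		if u.Host != "" || !strings.HasPrefix(u.Path, "/") {
			return fmt.Errorf("%s: file URI must be a local absolute path", name)
		}

		return nil
	}

	if u.Host == "" {
		return fmt.Errorf("%s: missing host", name)
	}

	return nil
}

// validateEnv checks every variable whose name ends in "_URL" and returns the
// errors ordered by variable name.
func validateEnv(env map[string]string) []error {
	names := make([]string, 0, len(env))
	for name := range env {
		if strings.HasSuffix(name, "_URL") {
			names = append(names, name)
		}
	}
	sort.Strings(names)

	var errs []error
	for _, name := range names {
		if err := validateURLVar(name, env[name]); err != nil {
			errs = append(errs, err)
		}
	}

	return errs
}

// sampleEnv is a constructed environment; all values are made up.
var sampleEnv = map[string]string{
	"FILTER_INDEX_URL":     "file:///var/lib/dns/filter_index.json",
	"PROFILES_URL":         "grpcs://backend.example:443",
	"BILLSTAT_URL":         "https://backend.example/billstat", // HTTP(S) no longer accepted here
	"SAFE_BROWSING_URL":    "file:///tmp/safe_browsing.txt",    // file:// only for the index
	"ADULT_BLOCKING_URL":   "lists.example/adult.txt",          // no scheme
	"LINKED_IP_TARGET_URL": "https:///linkip",                  // no host
	"METRICS_NAMESPACE":    "dns",                              // not a URL variable
}

func main() {
	for _, err := range validateEnv(sampleEnv) {
		fmt.Println("invalid:", err)
	}
}
```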
- The environment variables `BILLSTAT_API_KEY` and `PROFILES_API_KEY` have been added.

- The version of the profile cache file has been incremented.

- The environment variables `RESEARCH_LOGS` and `RESEARCH_METRICS` have been removed.

- The property `block_page_redirect` of objects within the `server_groups` array has been removed.
- The objects within the `server_groups` array had a change in their `block_page_redirect` configuration: it now supports arrays of IP addresses in `ipv4` and `ipv6` fields.

- Profile's file cache version was incremented. In case of `BlockingModeCustomIP` the `profile.blocking_mode` IPv4/IPv6 fields are now arrays of IP addresses.
- The querylog now has a new field, `"rn"`, which is a 16-bit unsigned random number. Field `"u"`, the unique request ID, is deprecated and may be removed in the future.

- Profile's file cache version was incremented. The new field `authentication` has been added to profile's device object.

- The object `filters` has new properties: `index_refresh_timeout`, and `rule_list_refresh_timeout`. So replace this:

    ```yaml
    filters:
      # …
    ```

    with this:

    ```yaml
    filters:
      # …
      index_refresh_timeout: 1m
      rule_list_refresh_timeout: 1m
    ```

- The objects `safe_browsing` and `adult_blocking` have a new property: `refresh_timeout`. So replace this:

    ```yaml
    safe_browsing:
      # …
    # …
    adult_blocking:
      # …
    ```

    with this:

    ```yaml
    safe_browsing:
      # …
      refresh_timeout: 1m
    # …
    adult_blocking:
      # …
      refresh_timeout: 1m
    ```

- The object `web` has a new optional property, `general_blocking`. Its format is the same as in `adult_blocking` and `safe_browsing`.
- The objects within the `server_groups` array have a new property `block_page_redirect`:

    ```yaml
    block_page_redirect:
      enabled: true
      ipv4:
        - address: '127.0.0.1'
        - address: '127.0.0.2'
      ipv6:
        - address: '::1'
        - address: '::2'
      apply:
        client:
          - address: '192.168.0.0/16'
          - address: '1.2.3.4'
      skip:
        client:
          - address: '1.2.0.0/16'
        question:
          - domain: 'do-not-show-block.site.example'
        probability: 0.01
    ```

    > [!NOTE]
    > For `ipv4` and `ipv6` only one address is currently supported.

    For server groups that do not require a block-page redirect, set:

    ```yaml
    block_page_redirect:
      enabled: false
    ```

- The new environment variable `PROFILES_ENABLED` has been added. With `0` value it disables user profiles and devices recognition, and billing. Its default value is `1`. Adjust the value, if necessary.
- The property `upstream` has been modified. Its property `timeout` has been replaced with the new property `servers.timeout` for each server in the `servers` list. Concomitantly the `fallback.timeout` has been replaced with `fallback.servers.timeout` for each fallback server. The `fallback.servers` now supports not only the addresses of the servers, but URLs in the `[scheme://]ip:port` format like it's done with the main servers. So replace this:

    ```yaml
    upstream:
      # …
      servers:
        - 'tcp://1.1.1.1:53'
        - '127.0.0.1:5358'
      timeout: 2s
      fallback:
        servers:
          - 8.8.4.4:53
        timeout: 1s
    ```

    with this:

    ```yaml
    upstream:
      # …
      servers:
        - address: 'tcp://1.1.1.1:53'
          timeout: 2s
        - address: '127.0.0.1:5358'
          timeout: 2s
      fallback:
        servers:
          - address: '8.8.4.4:53'
            timeout: 1s
    ```

    Adjust the value and add new ones, if necessary.

- The object `dns` has new properties: `read_timeout`, `tcp_idle_timeout`, and `write_timeout`. So replace this:

    ```yaml
    dns:
      max_udp_response_size: 1024B
    ```

    with this:

    ```yaml
    dns:
      read_timeout: 2s
      tcp_idle_timeout: 30s
      write_timeout: 2s
      handle_timeout: 1s
      max_udp_response_size: 1024B
    ```

    The values in the example are previous defaults.
- The property `upstream.server` has been removed. Its former content is moved to the newly added property `servers`, which is now extended to contain a list of URLs of main upstream servers. So replace this:

    ```yaml
    upstream:
      # …
      server: '8.8.8.8:53'
    ```

    with this:

    ```yaml
    upstream:
      # …
      servers:
        - '8.8.8.8:53'
    ```

    Adjust the value and add new ones, if necessary.
- The object `backend` has a new property, `full_refresh_retry_interval`. So replace this:

    ```yaml
    backend:
      # …
      full_refresh_interval: 24h
    ```

    with this:

    ```yaml
    backend:
      # …
      full_refresh_interval: 24h
      full_refresh_retry_interval: 1h
    ```

    Adjust the value, if necessary.
- Metric `forward_request_total` has a new label `network`. This label describes the network type (`tcp` or `udp`), over which an upstream has finished processing a request.
- Object `dns` has a new property, describing maximum size of DNS response over UDP protocol.

    ```yaml
    dns:
      max_udp_response_size: 1024B
      handle_timeout: 1s
    ```

- The property `upstream.fallback` has been changed. Its former content is moved to the newly added property `servers`. The new property `timeout`, which describes query timeout to fallback servers, was added. So replace this:

    ```yaml
    upstream:
      fallback:
        - 1.1.1.1:53
        - 8.8.8.8:53
    ```

    with this:

    ```yaml
    upstream:
      fallback:
        servers:
          - 1.1.1.1:53
          - 8.8.8.8:53
        timeout: 1s
    ```

    Adjust the new values, if necessary. Note that the query timeout to fallback servers was previously defined with `upstream.timeout` property, which now describes the query timeout to the primary servers only.

- The new object `dns` has been added:

    ```yaml
    dns:
      handle_timeout: 1s
    ```

- Object `ratelimit` has two new properties: `quic` and `tcp`. They configure QUIC and TCP connection limits. Example configuration:

    ```yaml
    ratelimit:
      # …
      quic:
        enabled: true
        max_streams_per_peer: 100
      tcp:
        enabled: true
        max_pipeline_count: 100
    ```

- Profile's file cache version was incremented. The new field `access` has been added.

- The environment variables `BILLSTAT_URL` and `PROFILES_URL` no longer support HTTP(s) endpoints. Use GRPC(S) instead.
- `ratelimit` configuration properties `back_off_count`, `back_off_duration` and `back_off_period` have been renamed to `backoff_count`, `backoff_duration` and `backoff_period`. So replace this:

    ```yaml
    ratelimit:
      back_off_period: 10m
      back_off_count: 1000
      back_off_duration: 30m
    ```

    with this:

    ```yaml
    ratelimit:
      backoff_period: 10m
      backoff_count: 1000
      backoff_duration: 30m
    ```
- New configuration `access` has been added. It has a list of AdBlock rules to block requests and a list of client subnets to block access from. Example configuration:

    ```yaml
    access:
      blocked_question_domains:
        - 'test.org'
        - '||example.org^$dnstype=AAAA'
      blocked_client_subnets:
        - '1.1.1.1'
        - '2.2.2.0/8'
    ```
- Added a new metric `bill_stat_upload_duration` that counts the duration of billing statistics upload.

- The environment variable `BILLSTAT_URL`, which describes the endpoint for backend billing statistics uploader API, now supports GRPC endpoints.

- The environment variable `PROFILES_CACHE_PATH` no longer supports JSON files. Use protobuf with `.pb` extension instead. The default value has been changed to `./profilecache.pb`.

- The environment variable `PROFILES_URL`, which describes the endpoint for profiles sync API, now supports GRPC endpoints.

- The optional property `bind_interfaces` of `server_groups.*.servers` objects has been changed, property `subnet` is now an array and has been renamed to `subnets`. So replace this:

    ```yaml
    bind_interfaces:
      - id: 'dns'
        subnet: '10.0.0.1/32'
      - id: 'dns'
        subnet: '10.0.0.2/32'
      - id: 'dns'
        subnet: '10.0.0.3/32'
      - id: 'dns_secondary'
        subnet: '10.0.0.1/32'
    ```

    with this:

    ```yaml
    bind_interfaces:
      - id: 'dns'
        subnets:
          - '10.0.0.1/32'
          - '10.0.0.2/32'
          - '10.0.0.3/32'
      - id: 'dns_secondary'
        subnets:
          - '10.0.0.1/32'
    ```

- The configuration property `filtering_groups.safe_browsing` has been changed, new properties have been added: `block_dangerous_domains` and `block_newly_registered_domains`.
- The environment variable `DNSDB_PATH` has been removed.

- New configuration `dnsdb` has been added, it has an enabled/disabled flag and the property `max_size` which describes the maximum amount of records in the in-memory buffer. Example configuration:

    ```yaml
    dnsdb:
      enabled: true
      max_size: 500000
    ```

- Configuration properties `safe_browsing.url` and `adult_blocking.url` are now removed. Use newly added environment variables `ADULT_BLOCKING_URL` and `SAFE_BROWSING_URL`.

- New environment variable `NEW_REG_DOMAINS_URL` has been added, this is the link to the source list of the newly registered domains.

- The environment variable `BACKEND_ENDPOINT` was replaced with three environment variables:

    - `LINKED_IP_TARGET_URL`: the target URL to which linked IP API requests are proxied.
    - `PROFILES_URL`: the endpoint for profiles sync API.
    - `BILLSTAT_URL`: the endpoint for backend billing statistics uploader.

- The `filters` object has a new property, `max_size`, which describes the maximum size of the downloadable content for a rule-list in a human-readable format. Example configuration:

    ```yaml
    filters:
      # …
      max_size: 256MB
    ```

- Properties `so_sndbuf` and `so_rcvbuf` of object `network` have been changed. Now they are in a human-readable format. Example configuration:

    ```yaml
    network:
      so_sndbuf: 2MB
      so_rcvbuf: 0
    ```
- The object `filters` has been changed. Two properties, `rule_list_cache_size` and `use_rule_list_cache` have been extracted to the new object `rule_list_cache` and renamed to `size` and `enabled`. So replace this:

    ```yaml
    filters:
      response_ttl: 5m
      custom_filter_cache_size: 1024
      safe_search_cache_size: 1024
      rule_list_cache_size: 10000
      refresh_interval: 1h
      refresh_timeout: 5m
      use_rule_list_cache: true
    ```

    with this:

    ```yaml
    filters:
      response_ttl: 5m
      custom_filter_cache_size: 1024
      safe_search_cache_size: 1024
      refresh_interval: 1h
      refresh_timeout: 5m
      rule_list_cache:
        enabled: true
        size: 10000
    ```

    Adjust the values, if necessary.
- There is now a new env variable `RESEARCH_LOGS` that controls whether logging of additional info for research purposes is enabled. These log records can be filtered out by `research:` prefix. The default value is `0`, i.e. additional logging is disabled. The first thing that is logged in this version is domains whose responses have an ECH config. The log will only be recorded when both `RESEARCH_LOGS` and `RESEARCH_METRICS` are set to `1`.

- Added a new research metric `dns_research_response_ech` that counts the number of responses with an ECH configuration.
- The object `cache` has a new property `ttl_override`. It describes the TTL override settings, such as the minimum TTL for cache items and the `enabled` switch. It overwrites the TTL from DNS response in case it's less than this minimum value. So replace this:

    ```yaml
    cache:
      type: "simple"
      size: 10000
      ecs_size: 10000
    ```

    with this:

    ```yaml
    cache:
      type: "simple"
      size: 10000
      ecs_size: 10000
      ttl_override:
        enabled: true
        # The minimum duration of TTL for a cache item.
        min: 60s
    ```

    Adjust the values, if necessary.

- Object `ratelimit` has a new property, `connection_limit`, which allows setting stream-connection limits. Example configuration:

    ```yaml
    ratelimit:
      # …
      connection_limit:
        enabled: true
        stop: 1000
        resume: 800
    ```

- The environment variable `PROFILES_CACHE_PATH` is now sensitive to the file extension. Use `.json` for the previous behavior of encoding the cache into a JSON file or `.pb` for encoding it into protobuf. Other extensions are invalid.

- The new object `network` has been added:

    ```yaml
    network:
      so_sndbuf: 0
      so_rcvbuf: 0
    ```

- The environment variable `PROFILES_CACHE_PATH` now has a new special value, `none`, which disables profile caching entirely. The default value of `./profilecache.json` has not been changed.

- The profile-cache version has been changed to `6`. Versions of the profile cache from `3` to `5` are invalid and should not be reused.

- The profile-cache version has been changed to `5`.
- The new object `interface_listeners` has been added:

    ```yaml
    interface_listeners:
      channel_buffer_size: 1000
      list:
        eth0_plain_dns:
          interface: 'eth0'
          port: 53
        eth0_plain_dns_secondary:
          interface: 'eth0'
          port: 5353
    ```
- The objects within the `server_groups.*.servers` array have a new optional property, `bind_interfaces`:

    ```yaml
    server_groups:
      - # …
        servers:
          - name: 'default_dns'
            # …
            bind_interfaces:
              - id: 'eth0_plain_dns'
                subnet: '127.0.0.0/8'
              - id: 'eth0_plain_dns_secondary'
                subnet: '127.0.0.0/8'
    ```

    It is mutually exclusive with the current `bind_addresses` field.

- The default behavior of the environment variable `DNSDB_PATH` has been changed. Previously, if the variable was unset then the default value, `./dnsdb.bolt`, was used, but if it was an empty string, DNSDB was disabled. Now both unset and empty value disable DNSDB, which is consistent with the documentation.

    This means that DNSDB is disabled by default.

- The default configuration file path has been changed from `./config.yml` to `./config.yaml` for consistency with other services.

- `ratelimit` now defines rate of requests per second for IPv4 and IPv6 addresses separately. So replace this:

    ```yaml
    ratelimit:
      rps: 30
      ipv4_subnet_key_len: 24
      ipv6_subnet_key_len: 48
    ```

    with this:

    ```yaml
    ratelimit:
      ipv4:
        rps: 30
        subnet_key_len: 24
      ipv6:
        rps: 300
        subnet_key_len: 48
    ```

- The objects within the `filtering_groups` have a new property, `block_firefox_canary`. So replace this:

    ```yaml
    filtering_groups:
      - id: default
        # …
    ```

    with this:

    ```yaml
    filtering_groups:
      - id: default
        # …
        block_firefox_canary: true
    ```

    The recommended default value is `true`.

- There is now a new env variable `RESEARCH_METRICS` that controls whether collecting research metrics is enabled or not. Also, the first research metric is added: `dns_research_blocked_per_country_total`, it counts the number of blocked requests per country. Its default value is `0`, i.e. research metrics collection is disabled by default.
- There are two changes in the keys of the `static_content` map. Firstly, properties `allow_origin` and `content_type` are removed. Secondly, a new property, called `headers`, is added. So replace this:

    ```yaml
    static_content:
      '/favicon.ico':
        # …
        allow_origin: '*'
        content_type: 'image/x-icon'
    ```

    with this:

    ```yaml
    static_content:
      '/favicon.ico':
        # …
        headers:
          'Access-Control-Allow-Origin':
            - '*'
          'Content-Type':
            - 'image/x-icon'
    ```

    Adjust or add the values, if necessary.

- The object `filters` has two new properties, `rule_list_cache_size` and `use_rule_list_cache`. So replace this:

    ```yaml
    filters:
      response_ttl: 5m
      custom_filter_cache_size: 1024
      safe_search_cache_size: 1024
      refresh_interval: 1h
      refresh_timeout: 5m
    ```

    with this:

    ```yaml
    filters:
      response_ttl: 5m
      custom_filter_cache_size: 1024
      safe_search_cache_size: 1024
      rule_list_cache_size: 10000
      refresh_interval: 1h
      refresh_timeout: 5m
      use_rule_list_cache: true
    ```

    Adjust the values, if necessary.

- The object `filters` has a new property, `safe_search_cache_size`. So replace this:

    ```yaml
    filters:
      response_ttl: 5m
      custom_filter_cache_size: 1024
      refresh_interval: 1h
      refresh_timeout: 5m
    ```

    with this:

    ```yaml
    filters:
      response_ttl: 5m
      custom_filter_cache_size: 1024
      safe_search_cache_size: 1024
      refresh_interval: 1h
      refresh_timeout: 5m
    ```

    Adjust the values, if necessary.
- DNS Server Check now responds with a NODATA message to all requests that are neither A nor AAAA.
- Added support for running a DoH3 server. No configuration changes are required to run it. If there was a DoH server configured, it will start listening for HTTP/3 connections on the same port where it listens for HTTP/2. Make sure that udp/443 is allowed in the iptables configuration on the server.
- The new environment variable `PROFILES_CACHE_PATH` has been added. Its default value is `./profilecache.json`. Adjust the value, if necessary.

- The property `server` of `upstream` object has been changed. Now it is a URL optionally starting with `tcp://` or `udp://`, and then an address in `ip:port` format.

    ```yaml
    upstream:
      server: 'tcp://8.8.8.8:53'
    ```

    Adjust the value, if necessary.

- The new optional field `static_content.*.allow_origin` has been added:

    ```yaml
    static_content:
      '/favicon.ico':
        allow_origin: '*'
    ```

- The new optional object `additional_metrics_info` has been added:

    ```yaml
    additional_metrics_info:
      test_key: 'test_value'
    ```

- The new object `upstream.healthcheck` now contains all healthcheck-related fields, including the new field `domain_template`. Property `upstream.healthcheck_backoff_time` has been moved to `upstream.healthcheck.backoff_duration`. So replace this:

    ```yaml
    upstream:
      server: 127.0.0.1:53
      timeout: 2s
      healthcheck_enabled: true
      healthcheck_interval: 2s
      healthcheck_timeout: 1s
      healthcheck_backoff_time: 30s
      fallback:
        - 1.1.1.1:53
        - 8.8.8.8:53
    ```

    with this:

    ```yaml
    upstream:
      server: 127.0.0.1:53
      timeout: 2s
      fallback:
        - 1.1.1.1:53
        - 8.8.8.8:53
      healthcheck:
        enabled: true
        interval: 2s
        timeout: 1s
        backoff_duration: 30s
        domain_template: '${RANDOM}.neverssl.com'
    ```

    Adjust the new value, if necessary.
- The property `domain` of `check` object has been changed to `domains`. So replace this:

    ```yaml
    check:
      domain: "example.com"
    ```

    with this:

    ```yaml
    check:
      domains:
        - 'example.com'
        - 'example.org'
    ```

    Adjust the new values, if necessary.
- The object `upstream` has new properties, `healthcheck_enabled`, `healthcheck_interval`, `healthcheck_timeout`, and `healthcheck_backoff_time`. So replace this:

    ```yaml
    upstream:
      server: 127.0.0.9:53
      timeout: 2s
      fallback:
        - 1.1.1.1:53
        - 8.8.8.8:53
    ```

    with this:

    ```yaml
    upstream:
      server: 127.0.0.9:53
      timeout: 2s
      healthcheck_enabled: true
      healthcheck_interval: 2s
      healthcheck_timeout: 1s
      healthcheck_backoff_time: 30s
      fallback:
        - 1.1.1.1:53
        - 8.8.8.8:53
    ```

    Adjust the new values, if necessary.

- The environment variable `SSLKEYLOGFILE` has been renamed to `SSL_KEY_LOG_FILE`.

- The properties `subnet_key_ip_4_mask_len` and `subnet_key_ip_6_mask_len` of object `ratelimit` have been renamed to `ipv4_subnet_key_len` and `ipv6_subnet_key_len` correspondingly. So replace this:

    ```yaml
    ratelimit:
      # …
      subnet_key_ip_4_mask_len: 24
      subnet_key_ip_6_mask_len: 48
    ```

    with this:

    ```yaml
    ratelimit:
      # …
      ipv4_subnet_key_len: 24
      ipv6_subnet_key_len: 48
    ```

- The `ratelimit` object has two new properties, `subnet_key_ip_4_mask_len` and `subnet_key_ip_6_mask_len`. So replace this:

    ```yaml
    ratelimit:
      # …
    ```

    with this:

    ```yaml
    ratelimit:
      # …
      subnet_key_ip_4_mask_len: 24
      subnet_key_ip_6_mask_len: 48
    ```
- The objects within the `filtering_groups` have a new property, `block_private_relay`. So replace this:

    ```yaml
    filtering_groups:
      - id: default
        # …
    ```

    with this:

    ```yaml
    filtering_groups:
      - id: default
        # …
        block_private_relay: false
    ```

    The recommended default value is `false`.
- The objects within `server_groups` array had a change in their DDR configuration. There was an opinion that the previous configuration was too limiting and that denormalized configuration is more self-describing. So replace this:

    ```yaml
    server_groups:
      - # …
        ddr_names:
          - 'dns.example.com'
        # …
    ```

    with this:

    ```yaml
    server_groups:
      - # …
        ddr:
          enabled: true
          device_records:
            '*.d.dns.example.com':
              doh_path: '/dns-query{?dns}'
              https_port: 443
              quic_port: 853
              tls_port: 853
              ipv4_hints:
                - 127.0.0.1
              ipv6_hints:
                - '::1'
          public_records:
            'dns.example.com':
              doh_path: '/dns-query{?dns}'
              https_port: 443
              quic_port: 853
              tls_port: 853
              ipv4_hints:
                - 127.0.0.1
              ipv6_hints:
                - '::1'
        # …
    ```

    Adjust the values, if necessary. Make sure to synchronize and keep in sync the addresses and ports with the values of the server groups' servers.

- The objects within `server_groups` array have a new property `ddr_names`:

    ```yaml
    server_groups:
      - # …
        ddr_names:
          - 'dns.example.com'
        # …
    ```

    It is empty by default. These values will be used for constructing a response for Discovery of Designated Resolvers. Empty value leads to a NODATA response. Adjust the new value, if necessary.

- The property `tls` of objects within the `server_groups.*.servers.*` array has been moved to the `server_group` object becoming common for the whole group. Any group having at least a single server of DoH/DoT/DoQ protocols will require the `tls` property specified. Any group having no encrypted resolvers will require the `tls` property absence. So replace this:

    ```yaml
    server_groups:
      - # …
        servers:
          - name: default_dot
            protocol: tls
            tls:
              # …
            # …
    ```

    with this:

    ```yaml
    server_groups:
      - tls:
          # …
        # …
        servers:
          - name: default_dot
            protocol: tls
            # …
    ```

    Adjust the new value, if necessary.
- The object `upstream` has a new property, `timeout`. So replace this:

    ```yaml
    upstream:
      server: 127.0.0.9:53
      fallback:
        - 1.1.1.1:53
        - 8.8.8.8:53
    ```

    with this:

    ```yaml
    upstream:
      server: 127.0.0.9:53
      timeout: 2s
      fallback:
        - 1.1.1.1:53
        - 8.8.8.8:53
    ```

    Adjust the new value, if necessary.

- The new object `connectivity_check` has been added:

    ```yaml
    connectivity_check:
      probe_ipv4: '8.8.8.8:53'
      probe_ipv6: '[2001:4860:4860::8888]:53'
    ```

- The object `filters` has a new property, `refresh_timeout`. So replace this:

    ```yaml
    filters:
      response_ttl: 5m
      custom_filter_cache_size: 1024
      refresh_interval: 1h
    ```

    with this:

    ```yaml
    filters:
      response_ttl: 5m
      custom_filter_cache_size: 1024
      refresh_interval: 1h
      refresh_timeout: 5m
    ```

    Adjust the values, if necessary.

- The object `cache` has two new properties, `type` and `ecs_size`. So replace this:

    ```yaml
    cache:
      size: 10000
    ```

    with this:

    ```yaml
    cache:
      type: "simple"
      size: 10000
      ecs_size: 10000
    ```

    Adjust the values, if necessary.

- Prometheus metric `dns_tls_handshake_total` has been updated with `server_name` label. This label represents "Server Name Indication" identifiers, grouped by endpoint identifier and known server names. All unknown server names are grouped in `other` label:

    ```text
    # TYPE dns_tls_handshake_total counter
    dns_tls_handshake_total{cipher_suite="TLS_AES_128_GCM_SHA256",did_resume="0",negotiated_proto="",proto="tls",server_name="default_dot: other",tls_version="tls1.3"} 4
    ```
- The special "disallow-all" response is served on `/robots.txt` requests to `web` module.

- The property `cache_size` of object `geoip` has been renamed to `ip_cache_size`. Also, a new property named `host_cache_size` has been added. So replace this:

    ```yaml
    geoip:
      cache_size: 100000
      refresh_interval: 1h
    ```

    with this:

    ```yaml
    geoip:
      host_cache_size: 100000
      ip_cache_size: 100000
      refresh_interval: 1h
    ```

    Adjust the new value, if necessary.

- The object `backend` has a new property, `bill_stat_interval`. So replace this:

    ```yaml
    backend:
      timeout: 10s
      refresh_interval: 15s
      full_refresh_interval: 24h
    ```

    with this:

    ```yaml
    backend:
      timeout: 10s
      refresh_interval: 15s
      full_refresh_interval: 24h
      bill_stat_interval: 15s
    ```

    Adjust the value, if necessary.
- The new required environment variables `GENERAL_SAFE_SEARCH_URL` and `YOUTUBE_SAFE_SEARCH_URL` have been added. Those are expected to lead to plain text filters, for example:

    ```sh
    GENERAL_SAFE_SEARCH_URL='https://adguardteam.github.io/HostlistsRegistry/assets/engines_safe_search.txt'
    YOUTUBE_SAFE_SEARCH_URL='https://adguardteam.github.io/HostlistsRegistry/assets/youtube_safe_search.txt'
    ```
- The environment variables `CONSUL_DNSCHECK_KV_URL` and `CONSUL_DNSCHECK_SESSION_URL` are now unset by default. Which means that by default HTTP key-value database isn't used.

- The object `web` has a new optional property, `linked_ip`:

    ```yaml
    web:
      linked_ip:
        bind:
          - address: 127.0.0.1:80
          - address: 127.0.0.1:443
            certificates:
              - certificate: ./test/cert.crt
                key: ./test/cert.key
    ```

- The objects within the `server_groups.*.servers` array have a new optional property, `linked_ip_enabled`. It is `false` by default. Set to `true` to enable linked IP address detection on that server:

    ```yaml
    server_groups:
      - # …
        servers:
          - name: default_dns
            protocol: dns
            linked_ip_enabled: true
            # …
    ```
- Used our fork of miekg/dns library to fix the EDNS0 TCP keep-alive issue.
- Removed the static DNS check `/info.txt`. Now that the `web` module is available, it is no longer needed since it can be configured via the `web` module.
- The object `doh` has been removed.

- The new optional object `web` has been added:

    ```yaml
    web:
      safe_browsing:
        bind:
          - address: 127.0.0.1:80
          - address: 127.0.0.1:443
            certificates:
              - certificate: ./test/cert.crt
                key: ./test/cert.key
        block_page: /path/to/block_page.html
      adult_blocking:
        bind:
          - address: 127.0.0.1:80
          - address: 127.0.0.1:443
            certificates:
              - certificate: ./test/cert.crt
                key: ./test/cert.key
        block_page: /path/to/block_page.html
      non_doh_bind:
        - address: 127.0.0.1:80
        - address: 127.0.0.1:443
          certificates:
            - certificate: ./test/cert.crt
              key: ./test/cert.key
      static_content:
        '/favicon.ico':
          content_type: image/x-icon
          content: base64content
      root_redirect_url: "https://adguard-dns.com"
      error_404: /path/to/error_404.html
      error_500: /path/to/error_500.html
      timeout: 1m
    ```

- The object `geoip` has a new property, `cache_size`.

- The environment variable `LOG_OUTPUT` has been removed. Logs are now always written to stdout.

- The environment variable `DNSDB_PATH` is now unset by default. Which means that by default DNSDB is disabled.

- The new optional environment variable `SSLKEYLOGFILE` has been added.

- The object `check` has a new property, `node_location`.

- The property `device_id_wildcard_domains` in the objects within the `server_groups.*.servers` array has been renamed to the shorter `device_id_wildcards`.

- The DNS names from certificates are not used to detect device IDs and perform additional validations anymore.

- The new required environment variable `BLOCKED_SERVICE_INDEX_URL` has been added. It has no default value, so it's necessary to set it.
- The objects within the `server_groups.*.servers` array have a new property, `tls.device_id_wildcard_domains`. It is an array of domain name wildcards used to detect device IDs. If necessary, add them:

    ```yaml
    server_groups:
      - # …
        servers:
          - name: default_dot
            # …
            tls:
              # …
              device_id_wildcard_domains:
                - '*.dns.adguard.com'
    ```
- The environment variable `CONSUL_URL` has been renamed to `CONSUL_ALLOWLIST_URL`.

- The new required environment variables `CONSUL_DNSCHECK_KV_URL` and `CONSUL_DNSCHECK_SESSION_URL` are added. They have no default value, so it's necessary to set them.

- The object `check` has a new property, `ttl`. Set it to a human-readable duration, for example `1m`.

- The property `parental.safe_search` of objects within the `filtering_groups` array is renamed to `parental.general_safe_search` to synchronize it with the backend.

- The object `log` has been removed. Its properties have been moved to the environment.

- The new environment variable `LOG_OUTPUT` has been added. It is the path to the plain text log file. If `stdout`, writes to standard output. If `stderr`, writes to standard error.

    The default value is `stdout`, adjust the value, if necessary.

- The new environment variable `LOG_TIMESTAMP` has been added. When it is set to `1`, timestamps are shown in the plain text logs. When set to `0`, they are not shown.

    The default value is `1`, adjust the value, if necessary.

- The environment variable `VERBOSE` doesn't support a set but empty value. Unset the value or replace it with a `0`.
- Another change in the objects within the `filtering_groups`. Before:

    ```yaml
    filtering_groups:
      - id: default
        filters:
          - adguard_dns_filter
        parental: true
        block_adult: true
        safe_browsing: true
        safe_search: true
        youtube_safe_search: true
    ```

    After:

    ```yaml
    filtering_groups:
      - id: default
        parental:
          enabled: true
          block_adult: true
          safe_search: true
          youtube_safe_search: true
        rule_lists:
          enabled: true
          ids:
            - adguard_dns_filter
        safe_browsing:
          enabled: true
    ```

- The object `check` has a new property, `node_name`.

- The objects within the `server_groups.*.servers` array have a new optional property in their `dnscrypt` objects, `inline`. Also, the property `config` is renamed to `config_path`. So replace this:

    ```yaml
    server_groups:
      - name: adguard_dns_default
        filtering_group: default
        servers:
          - name: default_dnscrypt
            # …
            dnscrypt:
              config: './test/dnscrypt.yml'
            # …
    ```

    with this:

    ```yaml
    server_groups:
      - name: adguard_dns_default
        filtering_group: default
        servers:
          - name: default_dnscrypt
            # …
            dnscrypt:
              inline:
                provider_name: 2.dnscrypt-cert.example.org
                public_key: F11DDBCC4817E543845FDDD4CB881849B64226F3DE397625669D87B919BC4FB0
                private_key: 5752095FFA56D963569951AFE70FE1690F378D13D8AD6F8054DFAA100907F8B6F11DDBCC4817E543845FDDD4CB881849B64226F3DE397625669D87B919BC4FB0
                resolver_secret: 9E46E79FEB3AB3D45F4EB3EA957DEAF5D9639A0179F1850AFABA7E58F87C74C4
                resolver_public: 9327C5E64783E19C339BD6B680A56DB85521CC6E4E0CA5DF5274E2D3CE026C6B
                es_version: 1
                certificate_ttl: 8760h
            # …
    ```

    or this:

    ```yaml
    server_groups:
      - name: adguard_dns_default
        filtering_group: default
        servers:
          - name: default_dnscrypt
            # …
            dnscrypt:
              config_path: './test/dnscrypt.yml'
            # …
    ```

    Adjust the values, if necessary.
- The property
server_name
of objectcheck
is removed.
-
The new optional object
doh
has been added, which supplements the DNS-over-HTTP server configuration. Example:doh: root_redirect_url: "https://adguard-dns.com/"
-
The objects within the
server_groups.*.servers
array have a new property,tls.session_keys
. So, if necessary, replace this:server_groups: - name: adguard_dns_default filtering_group: default servers: - name: default_dot # … tls: certificates: - certificate: ./test/cert.crt key: ./test/cert.key # …
with this:
server_groups: - name: adguard_dns_default filtering_group: default servers: - name: default_dot # … tls: certificates: - certificate: ./test/cert.crt key: ./test/cert.key session_keys: - ./private/key_1 # …
-
The object
backend
has a new property,full_refresh_interval
. So replace this:backend: timeout: 10s refresh_interval: 1m
with this:
backend: timeout: 10s refresh_interval: 1m full_refresh_interval: 24h
Adjust the value, if necessary.
-
The new object
check
has been added, which configures the DNS checks mechanism. Example:check: domain: "dnscheck.adguard.com" ipv4: - 1.2.3.4 - 5.6.7.8 ipv6: - 1234::cdee - 1234::cdef server_name: "AdGuard DNS Default"
- The new environment variable RULESTAT_URL has been added. Its default value is an empty string, which means that no statistics are gathered. Adjust the value, if necessary.
- The new environment variable DNSDB_PATH has been added. Its default value is ./dnsdb.bolt. Adjust the value, if necessary.
- The new required environment variable CONSUL_URL has been added. It has no default value, so it's necessary to set it.

- The ratelimit configuration for a server has changed from this:

      ratelimit:
        refuseany: true
        response_size_limit: 1KB
        rate_limit_cache_ttl: 10m
        back_off_cache_ttl: 30m
        rps: 30
        backoff_limit: 1000

  to this:

      ratelimit:
        allowlist:
          list:
            - '127.0.0.1'
            - '127.0.0.1/24'
          refresh_interval: 30s
        back_off_count: 1000
        back_off_duration: 30m
        back_off_period: 10m
        refuseany: true
        response_size_estimate: 1KB
        rps: 30

  See README.md for documentation.
- The property backend of the query_log object is removed.
- The new required environment variable FILTER_INDEX_URL has been added. It has no default value, so it's necessary to set it.

- The environment variable BACKEND_ENDPOINT is now required and has no default value.

- Property lists of the filters object is removed.

- A new property refresh_interval has been added to the filters object.
- The new environment variable FILTER_CACHE_PATH has been added. Its default value is ./filters/. Adjust the value, if necessary.

- The list property of safe_browsing and adult_blocking objects as well as the path property of the filters.lists objects are removed.

- Property url of the filters.lists objects is now required.
- The type of the cache.size property was changed from bytes to integer. So replace this:

      cache:
        size: 50KB

  with this:

      cache:
        size: 10000

  Set the new values accordingly.
- The top-level object parental was renamed to adult_blocking.

- The objects safe_browsing and adult_blocking have four new properties, cache_size, cache_ttl, refresh_interval, and url. So replace this:

      safe_browsing:
        block_host: standard-block.dns.adguard.com
        list: ./test/safe_browsing.txt
      adult_blocking:
        block_host: family-block.dns.adguard.com
        list: ./test/parental.txt

  with this:

      safe_browsing:
        url: https://static.example.com/safe_browsing.txt
        block_host: standard-block.dns.adguard.com
        cache_size: 1024
        cache_ttl: 1h
        list: ./test/safe_browsing.txt
        refresh_interval: 1h
      adult_blocking:
        url: https://static.example.com/adult_blocking.txt
        block_host: family-block.dns.adguard.com
        cache_size: 1024
        cache_ttl: 1h
        list: ./test/parental.txt
        refresh_interval: 1h

  Set the new values accordingly.
- The objects within the filtering_groups array have a new property, block_adult. So replace this:

      filtering_groups:
        - id: default
          filters:
            - adguard_dns_filter
          parental: false
          safe_browsing: true
          safe_search: false
          youtube_safe_search: false
          # …

  with this:

      filtering_groups:
        - id: default
          filters:
            - adguard_dns_filter
          parental: false
          block_adult: false
          safe_browsing: true
          safe_search: false
          youtube_safe_search: false
          # …

  Set the new value accordingly.
- The objects within the filters.lists array have a new property, refresh_interval. The property is only required when the property url is also set. So replace this:

      filters:
        # …
        lists:
          - id: adguard_dns_filter
            url: 'https://example.com/adguard_dns_filter.txt'
            path: ./test/filters/adguard_dns_filter.txt
          - id: peter_lowe_list
            path: ./test/filters/peter_lowe_list.txt

  with this:

      filters:
        # …
        lists:
          - id: adguard_dns_filter
            url: 'https://example.com/adguard_dns_filter.txt'
            path: ./test/filters/adguard_dns_filter.txt
            refresh_interval: 1h
          - id: peter_lowe_list
            path: ./test/filters/peter_lowe_list.txt

  Set the new value accordingly.
- The property youtube_restricted was renamed to youtube_safe_search. So replace this:

      filtering_groups:
        - id: default
          # …
          youtube_restricted: false
        - id: strict
          # …
          youtube_restricted: true

  with this:

      filtering_groups:
        - id: default
          # …
          youtube_safe_search: false
        - id: strict
          # …
          youtube_safe_search: true
- The blocked response TTL parameter has been moved and renamed. From this:

      dns:
        blocked_response_ttl: 10s

  to this:

      filters:
        response_ttl: 10s

  The dns object has been completely removed.
- The TLS configuration for a server has changed from this:

      tls:
        certificates:
          - certificate: /test/cert.crt
            key: /test/cert.key
        domains:
          - dns.adguard.com

  to this:

      tls:
        certificates:
          - certificate: /test/cert.crt
            key: /test/cert.key

  The domains to be used in device ID detection are now expected to be contained in the certificate's DNS Names section of SAN.
- The filtering configuration has changed from this:

      filters:
        - id: adguard_dns_filter
          path: ./tmp.dir/filter.txt

  to this:

      filters:
        custom_filter_cache_size: 1024
        lists:
          - id: adguard_dns_filter
            path: ./tmp.dir/filter.txt
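
For the TLS change above, where the `domains` list is removed and the names must come from the certificate's SAN, a pre-upgrade check can confirm that every formerly configured domain is among the certificate's SAN DNS names. This is an added Go example, not code from the project; `missingFromSAN`, `constructedCertPEM` and `legacy.example.org` are hypothetical, and the certificate is a constructed throwaway.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// missingFromSAN returns the entries of oldDomains (the removed "domains" list) that the
// first certificate in certPEM lacks among its SAN DNS names; the Subject CN is ignored.
func missingFromSAN(certPEM []byte, oldDomains []string) (missing []string, err error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	have := map[string]bool{}
	for _, n := range cert.DNSNames {
		have[strings.ToLower(n)] = true // DNS names compare case-insensitively
	}
	for _, d := range oldDomains {
		if !have[strings.ToLower(d)] {
			missing = append(missing, d)
		}
	}
	return missing, nil
}

// constructedCertPEM builds a throwaway self-signed certificate (sample data).
func constructedCertPEM(cn string, sans []string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	certPEM := constructedCertPEM("legacy.example.org", []string{"dns.adguard.com"})
	fmt.Println(missingFromSAN(certPEM, []string{"dns.adguard.com", "legacy.example.org"}))
}
```

A domain that appears only in the Subject CN, as `legacy.example.org` does here, is reported as missing, so such a certificate needs reissuing with that name in the SAN before the old `domains` entries are dropped.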