Releases: DNSCrypt/dnscrypt-proxy
2.1.16
Version 2.1.16
- Dashboard HTML pages are no longer cached, preventing stale content from being served after upgrades.
- The IP allow/block plugins now support CIDR ranges in addition to single addresses and prefix matching.
- Forwarding rules now support `$RESOLVCONF:<file>` to pick up upstream resolvers from a resolv.conf-style file, complementing the existing `$DHCP` syntax.
- Recursive cloaking rules are now rejected at load time instead of being detected only when a matching query arrives.
- Servers that hit a transient high RTT could previously stay penalized forever and never come back into rotation; their RTT estimate now decays so they can recover.
- Servers are no longer penalized for slow responses when the response is actually being served from the stale cache.
- HTTP/3 probing now consults a negative cache before retrying, avoiding repeated probes against servers known not to support it.
- The HTTP transport now handles `Alt-Svc: clear` properly and reuses HTTP connections more aggressively.
- The cache TTL is now an explicit, configurable parameter rather than being derived implicitly.
- Log entries now include the relay name when a query was sent through an anonymized DNS or ODoH relay.
- A new `tls_prefer_rsa` option has been added to prefer RSA cipher suites during the TLS handshake, useful on systems without hardware AES.
- The `tls_cipher_suite` option is now a no-op. Modern TLS stacks no longer expose cipher suite selection in a meaningful way, and the option had become misleading.
- The `-resolve` command now reports incomplete DNSSEC support instead of silently treating partial signatures as a success.
- ODoH: the 401 key-refresh path has been hardened against panics, races and bad server state, refreshes are now coalesced, and the blocking sleep on refresh has been removed.
- A log size of 0 no longer means "unlimited"; it now correctly disables rotation by size.
- `jsdelivr` is now offered as an alternative source URL for resolver lists, providing more redundancy when the primary mirrors are unreachable.
- The miekg/dns library has been updated to the v2 series.
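The three entry forms the IP allow/block plugins now accept (a single address, a CIDR range, and a textual prefix) each fail in a different way when implemented carelessly, notably around IPv4-mapped IPv6 addresses and over-broad string prefixes. The following Go matcher is an added illustration written for this page, not code from dnscrypt-proxy; the trailing-`*` prefix syntax, the function names and the sample rules are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// ruleKind distinguishes the three entry forms a list can contain.
type ruleKind int

const (
	kindExact  ruleKind = iota // "192.0.2.7"
	kindCIDR                   // "198.51.100.0/24"
	kindPrefix                 // "10.*" (assumed syntax for this example)
)

// ipRule is one parsed allow/block entry.
type ipRule struct {
	kind   ruleKind
	exact  netip.Addr
	cidr   netip.Prefix
	prefix string
}

// parseRule classifies a single entry. IPv4-mapped IPv6 addresses are
// unmapped so that "::ffff:192.0.2.7" and "192.0.2.7" compare equal.
func parseRule(s string) (ipRule, error) {
	s = strings.TrimSpace(s)
	if strings.Contains(s, "/") {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return ipRule{}, err
		}
		return ipRule{kind: kindCIDR, cidr: p.Masked()}, nil
	}
	if a, err := netip.ParseAddr(s); err == nil {
		return ipRule{kind: kindExact, exact: a.Unmap()}, nil
	}
	if strings.HasSuffix(s, "*") {
		// Textual prefix: "10.*" keeps its dot so it matches 10.x.x.x
		// but not 100.x.x.x; a bare "10*" would match both.
		return ipRule{kind: kindPrefix, prefix: strings.TrimSuffix(s, "*")}, nil
	}
	return ipRule{}, fmt.Errorf("unrecognized rule %q", s)
}

// matches reports whether a canonicalized address hits this rule.
func (r ipRule) matches(a netip.Addr) bool {
	switch r.kind {
	case kindExact:
		return r.exact == a
	case kindCIDR:
		return r.cidr.Contains(a)
	default:
		return strings.HasPrefix(a.String(), r.prefix)
	}
}

// IPSet is an ordered list of rules loaded from a list file.
type IPSet []ipRule

// ParseRules reads list lines, skipping blanks and '#' comments.
func ParseRules(lines []string) (IPSet, error) {
	var set IPSet
	for _, line := range lines {
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		if strings.TrimSpace(line) == "" {
			continue
		}
		r, err := parseRule(line)
		if err != nil {
			return nil, err
		}
		set = append(set, r)
	}
	return set, nil
}

// Blocked reports whether the given address string matches any rule.
func (s IPSet) Blocked(ip string) (bool, error) {
	a, err := netip.ParseAddr(ip)
	if err != nil {
		return false, err
	}
	a = a.Unmap() // normalize 4-in-6 addresses before matching
	for _, r := range s {
		if r.matches(a) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample list using documentation ranges only.
	set, err := ParseRules([]string{"192.0.2.7", "198.51.100.0/24", "10.*", "2001:db8::/32 # comment"})
	if err != nil {
		panic(err)
	}
	for _, ip := range []string{"192.0.2.7", "::ffff:198.51.100.3", "100.9.8.7", "2001:db8:1::5"} {
		hit, _ := set.Blocked(ip)
		fmt.Printf("%-22s blocked=%v\n", ip, hit)
	}
}
```

The `Unmap` call on both the rule and the looked-up address is the part worth keeping: without it, an IPv4 entry silently misses a client or answer address that arrived in `::ffff:a.b.c.d` form.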
2.1.15
New public DNS monitoring website: https://status.dnscrypt.info -- Check it out!
Version 2.1.15
- The proxy now dynamically reduces timeouts as the connection limit is approached, improving performance and preventing connection exhaustion under heavy load.
- Fixed crashes in the configuration file watcher when fsnotify creation fails.
- DHCP resolver errors ($DHCP forwarding) are now properly logged and visible to system administrators.
- Fixed double-bracketing of IPv6 addresses in DoH stamps that could prevent proper connection to IPv6 DoH servers.
- Cache statistics are now more accurate by only counting queries that actually participate in caching.
- The monitoring UI has been enhanced with server health indicators and improved display of resolver performance metrics.
- Proxy hostnames (when using SOCKS/HTTP proxies) are now pre-resolved using bootstrap resolvers if they are domain names.
- Multiple IP addresses per hostname are now cached instead of randomly selecting one, improving connection reliability for multi-homed servers.
2.1.14
Version 2.1.14
- Added support for client IP address encryption in logs using IPCrypt. Three algorithms are supported: `deterministic`, `non-deterministic` with 8-byte tweak, and `extended` non-deterministic with 16-byte tweak.
- Enhanced pattern rule documentation with better examples.
- Fixed an issue where nil client addresses could cause crashes.
2.1.13
Version 2.1.13
- Fixed race conditions in WebSocket handling for the monitoring dashboard, improving stability and preventing potential crashes.
- Manual configuration reload via SIGHUP is now supported regardless of the hot-reload setting, providing more flexibility for system administrators.
- Fixed a regression in IP prefix matching for allow/block lists that could cause incorrect filtering behavior.
- The monitoring dashboard now properly displays blocked queries counter and tracks blocked queries in the UI.
- Improved error handling in the cache plugin initialization.
- Enhanced the forward plugin to return the last valid response when encountering only errors, improving resilience.
- Fixed various UI issues including scrolling behavior, WebSocket reconnection handling, and response time calculations.
- Updated the example configuration with current Quad9 source URLs.
- The generate-domains-blocklist script now handles poor network conditions more gracefully.
- Improved handling of DNS64 trampoline queries to prevent potential issues.
macOS binaries are going to be built later.
2.1.12
- A new Weighted Power of Two (`wp2`) load balancing strategy has been implemented as the default, providing improved distribution across resolvers.
- An optional Prometheus metrics endpoint has been added for monitoring and observability.
- Memory usage for the cache has been reduced.
- The monitoring dashboard has received significant improvements including better security, performance optimizations, WebSocket rate limiting, and HTTP caching headers.
- The monitoring UI has been refined with stable sorting to prevent flickering, query type limitations, and improved scrolling behavior.
- Additional records in queries are now properly removed before forwarding.
- The simple view UI has been removed as it provided limited utility.
2.1.11
Updated a dependency to fix a bug causing the cache to crash.
Release 2.1.10
This is a massive release with significant improvements.
- A live web-based monitoring UI has been added, allowing you to monitor DNS query activity and performance metrics through an interactive dashboard.
- Hot-reloading of configuration files has been implemented, allowing you to modify filtering rules and other configurations without restarting the proxy. Simply edit a configuration file (like blocked-names.txt) and changes are applied instantaneously.
- HTTP/3 probing is now supported via the `http3_probe` option, which will try HTTP/3 first for DoH servers, even if they don't advertise support via Alt-Svc.
- Several race conditions have been fixed.
- Dependencies have been updated.
- DHCP DNS detector instances have been reduced to improve performance.
- Tor isolation for dnscrypt-proxy has been documented to enhance privacy.
- The default example configuration file has been improved for clarity and usability.
- The cache lock contention has been reduced to improve performance under high load.
- generate-domains-blocklist: added parallel downloading of block lists for significantly improved performance.
Release 2.1.9
This is a massive release with significant improvements.
- A live web-based monitoring UI has been added, allowing you to monitor DNS query activity and performance metrics through an interactive dashboard.
- Hot-reloading of configuration files has been implemented, allowing you to modify filtering rules and other configurations without restarting the proxy. Simply edit a configuration file (like blocked-names.txt) and changes are applied instantaneously.
- HTTP/3 probing is now supported via the `http3_probe` option, which will try HTTP/3 first for DoH servers, even if they don't advertise support via Alt-Svc.
- Several race conditions have been fixed.
- Dependencies have been updated.
- DHCP DNS detector instances have been reduced to improve performance.
- Tor isolation for dnscrypt-proxy has been documented to enhance privacy.
- The default example configuration file has been improved for clarity and usability.
- The cache lock contention has been reduced to improve performance under high load.
- generate-domains-blocklist: added parallel downloading of block lists for significantly improved performance.
Release 2.1.8
Version 2.1.8
- Dependencies have been updated, notably the QUIC implementation, which could be vulnerable to denial-of-service attacks.
- In forwarding rules, the target can now optionally include a non-standard DNS port number. The port number is also now optional when using IPv6.
- An annoying log message related to permissions on Windows has been suppressed.
- Resolver IP addresses can now be refreshed more frequently. Additionally, jitter has been introduced to prevent all resolvers from being refreshed simultaneously. Further changes have been implemented to mitigate issues arising from multiple concurrent attempts to resolve a resolver's IP address.
- An empty value for "tls_cipher_suite" is now equivalent to leaving the property undefined. Previously, it disabled all TLS cipher suites, which had little practical justification.
- In forwarding rules, an optional `*.` prefix is now accepted.
Release 2.1.7
- This version reintroduces support for XSalsa20 encryption in DNSCrypt, which was removed in 2.1.6. Unfortunately, a bunch of servers still only support that encryption system.
- A check for lying resolvers was added for DNSCrypt, similar to the one that was already present for DoH and ODoH.
- Binary packages for Windows/ARM are now available, albeit not in MSI format yet.