AdGuard Home 0.107.19
您可能發現自己使用社群媒體“過量”了，但現代人難以遠離社群媒體。好吧，我們難以遠離它們，但感謝 @sandervankasteel ，現在“逃離”社群媒體可以成為生活的一部分了：AdGuard Home 可以封鎖流行 Mastodon 實例。休息一下，別再刷網頁了，留一部分有意義的時間獨處、閱讀和成長吧！
--update命令行。現在，一鍵就可以更新 AdGuard Home。
AdGuard Home 0.107.17
Despite this release appearing around Halloween, it shouldn't be spooky at all. The main novelty is that the list of services blockable with a single click is now synchronized with AdGuard DNS to make the user experience more unified across AdGuard services. We've also improved support for HTTP/3 as well as fixed a few annoying bugs.
AdGuard Home 0.107.16
This is a security release. There are no new changes besides the update of the Go programming language version. More substantial changes are to come in the subsequent updates.
AdGuard Home 0.107.15
Sometimes, even a hotfix needs a hotfix. In the previous release, our mitigations turned out to be too restrictive, preventing some AdGuard Home features from working properly. In this release, we fix this along with a few other bugs.
We have also added experimental support for the HTTP/3 standard in the UI, DNS upstreams, and DNS clients!
As an additional CSRF protection measure, AdGuard Home now ensures that requests that change its state but have no body (such as
POST /control/stats_reset requests) do not have a
Content-Type header set on them #4970.
Experimental HTTP/3 Support
See #3955 and the related issues for more details. These features are still experimental and may break or change in the future.
DNS-over-HTTP/3 DNS and web UI client request support. This feature must be explicitly enabled by setting the new property
dns.serve_http3in the configuration file to
DNS-over-HTTP upstreams can now upgrade to HTTP/3 if the new configuration file property
dns.use_http3_upstreamsis set to
Upstreams with forced DNS-over-HTTP/3 and no fallback to prior HTTP versions using the
only application/json is allowederrors in various APIs #4970.
AdGuard Home 0.107.14
This is a security release. Users are encouraged to update AdGuard Home as soon as possible.
A Cross-Site Request Forgery (CSRF) vulnerability has been discovered. The CVE number is to be assigned. We thank Daniel Elkabes from Mend for reporting this vulnerability to us.
SameSitepolicy on the AdGuard Home session cookies has been upgraded to
Lax. Which means that the only cross-site HTTP request for which the browser is allowed to send the session cookie is navigating to the AdGuard Home domain.
Users are strongly advised to log out, clear browser cache, and log in again after updating.
Removal Of Plain-Text APIs (BREAKING API CHANGE)
We have implemented several measures to prevent such vulnerabilities in the future, but some of these measures break backwards compatibility for the sake of better protection.
The following APIs, which previously accepted or returned
text/plaindata, now accept or return data as JSON. All new formats for the request and response bodies are documented in
Content-TypeChecks (BREAKING API CHANGE)
All JSON APIs now check if the request actually has
Other Security Changes
AdGuard Home 0.107.13
In this hotfix release with the “lucky” patch number we have fixed a couple of issues that prevented some DHCP clients from receiving their assigned IP addresses. We've also added the new
dns.ipset_filesetting, which should help users who maintain large
ipsets, for example to use in firewall or VPN settings.
The new optional
dns.ipset_fileproperty, which can be set in the configuration file. It allows loading the
ipsetlist from a file, just like
dns.upstream_dns_filedoes for upstream servers #4686.
The minimum DHCP message size is reassigned back to BOOTP's constraint of 300 bytes #4904.
Panic when adding a static lease within the disabled DHCP server #4722.
AdGuard Home 0.107.12
What better way is there to celebrate the coming of autumn than a patch release? In this new version, we have extended and significantly improved AdGuard Home's built-in DHCP server (fixing many bugs in the process) as well as improved our service blocking feature, thanks to many contributions from the community. As always, we have also updated our tooling to make sure that we use the latest versions without any known security issues.
delDHCP option which removes the corresponding option from server's response #4337. See also a Wiki page.
NOTE: This modifier affects all the parameters in the response and not only the requested ones.
A new HTTP API,
GET /control/blocked_services/services, that lists all available blocked services #4535.
The DHCP options handling is now closer to the [RFC 2131][rfc-2131] (#4705).
When the DHCP server is enabled, queries for domain names under
dhcp.local_domain_namenot pointing to real DHCP client hostnames are now processed by filters (#4865).
The internal DNS client, used to resolve hostnames of external clients and also during automatic updates, now respects the upstream mode settings for the main DNS client #4403.
Ports 784 and 8853 for DNS-over-QUIC in Docker images. Users who still serve DoQ on these ports are encouraged to move to the standard port 853. These ports will be removed from the
EXPOSEsection of our
Dockerfilein a future release.
Go 1.18 support. Future versions will require at least Go 1.19 to build.
Dynamic leases created with empty hostnames #4745.
Unnecessary logging of non-critical statistics errors #4850.
AdGuard Home 0.107.11
This hot summer is approaching its end, but hotfixes are still coming in! In this release, we have fixed configuration file migrations not working for people with AdGuard Home versions older than v0.107.7, as well as made a few minor improvements.
AdGuard Home 0.107.10
In this new release, we add support for the new Discovery of Designated Resolvers DDR feature, which allows clients using plain DNS to automatically switch to secure protocols. As well as an Arabic localization and fixes for a couple of rather annoying bugs.
Our snap package now uses the
core22 image as its base #4843.
DHCP not working on most OSs #4836.
invalid argumenterrors during update checks on older Linux kernels #4670.
AdGuard Home 0.107.9
Although not a lot of time has passed since the last release, this new one contains a security update, a new feature, a new platform, and some minor fixes :wrench:. It's always nice to have those!
Go version was updated to prevent the possibility of exploiting the CVE-2022-32189 Go vulnerability fixed in Go 1.18.5. Go 1.17 support has also been removed, as it has reached end of life and will not receive security updates.
Domain-specific upstream servers test. If such test fails, a warning message is shown #4517.
windows/arm64 support #3057.
UI and update links have been changed to make them more resistant to DNS blocking.
Go 1.17 support, as it has reached end of life.
AdGuard Home 0.107.8
CVE-2022-30631和其他在 [Go 1.17.12] 中修復的 Go 漏洞的可能性(https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE)。
AdGuard Home 0.107.7
這個夏季我們給大家帶來了 AdGuard Home 的新版本！
等待已久的 DNS-over-QUIC 協定終於改進了，成為了正式標準版本，支持 RFC 9250。這次更新，我們以向下相容的方式新增了正式版本的支持。
188.8.131.52的 DNS 伺服器解析，但是把
說到上遊，現在使用者無須記得無加密 DNS 上遊的 IP 位址。Bootstrap 伺服器就能夠解析它們，您就可以使用新的
udp://one.one.one.one # Same as 184.108.40.206.
來自客戶請求的 EDNS 客戶端子網資訊現顯示於查詢記錄頁上。
在查詢記錄的請求細節部分的 EDNS 客戶端子網資訊 #3978.
udp://方案的普通 UDP上遊伺服器的主機名 #4166.
現在，在 FreeBSD 和 OpenBSD 上，當 AdGuard Home 以服務形式安裝時，預設收集記錄#4213.
在 OpenBSD 上，daemon 腳本現在使用推薦的
AdGuardHome -s uninstall && AdGuardHome -s install。
反向 DNS 現在作為執行時期客戶的資訊來源，比 ARP 具有更大的優先權。
通過更有彈性的 ARP 處理，改進對正在運行的客戶的檢測#3597.
從樂觀快取提供的響應的 TTL 現在被降低到 10 秒。
特定網域的私有反向 DNS 上遊伺服器現在被驗證為只允許
SOURCE_DATE_EPOCH][repr] 來添加構建二進制檔案的提交日期 #4221 。 這應該可以簡化軟體包維護者和那些編譯自己的 AdGuard Home 的人的可重復構建過程。
dns.bogus_nxdomain屬性現在支持 CIDR 符號和 IP 位址#1730.
在這個版本中，模式的版本已經從 12 變成了 14。
clients，在模式 13 和更早的版本中是一個實際持久性客戶的數組，現在是由
# BEFORE: 'clients': - name: client-name # … # AFTER: 'clients': 'persistent': - name: client-name # … 'runtime_sources': whois: true arp: true rdns: true dhcp: true hosts: true
local_domain_name，在模式 12 和更早的版本中曾經是
# BEFORE: 'dns': # … 'local_domain_name': 'lan' # AFTER: 'dhcp': # … 'local_domain_name': 'lan'
--no-etc-hosts選項。 它的功能現在由 "clients.runtime_sources.hosts" 配置屬性控制。
AdGuard Home 0.107.6
This is a small security-oriented update. This AdGuard Home version requires Go v1.17 and later to build, because older Go versions receive no further support, including security patches.
Aside from that, we've slightly updated
$dnsrewritemodifier to support the user-defined Discovery of Designated Resolvers (DDR). We are planning on continuing to make more improvements to it in the future updates, see #4463.
The rest are minor changes and ever-present bugfixes.
User-AgentHTTP header removed from outgoing DNS-over-HTTPS requests.
Go version was updated to prevent the possibility of exploiting the CVE-2022-24675, CVE-2022-27536, and CVE-2022-28327 vulnerabilities.
Filtering rules with the
dnsrewrite modifier that create SVCB or HTTPS responses should use
ech instead of
echconfig to conform with the latest drafts.
SVCB/HTTPS parameter name
echconfigin filtering rules with the
echinstead. v0.109.0 will remove support for the outdated name
--no-mem-optimization option #4437. v0.109.0 will remove the flag completely.
I/O timeout errors when checking for the presence of another DHCP server.
Network interfaces being incorrectly labeled as down during installation.
Rules for blocking the QQ service #3717.
Go 1.16 support, since that branch of the Go compiler has reached end of life and doesn't receive security updates anymore.
AdGuard Home 0.107.5
This is a security release. There are no new changes besides the update of the Go programming language version.
More substantial changes are to come in the subsequent updates.
AdGuard Home 0.107.4
A small update to fix a couple bugs and shore up some Go vulnerabilities.
More substantial changes are to come in the subsequent updates.
Minor UI improvements.
AdGuard Home 0.107.3
This version contains bug fixes and cleanups 🧹. Also, there is a new minor feature: now you can rewrite responses for domains using the response code
NOERROR. Similar rules will allow to get a successful response without records, e.g.:
Support for a
$dnsrewritemodifier with an empty
Wrong set of ports checked for duplicates during the initial setup #4095.
Incorrectly invalidated service domains #4120.
Poor testing of domain-specific upstream servers #4074.
Omitted aliases of hosts specified by another line within the OS's hosts file #4079.
AdGuard Home 0.107.2
You know, it is very hard to break your bad habits. We're still struggling with one, the overwhelming need to roll out hotfixes to AdGuard Home releases 😢
Now this one is a hotfix release for a really critical CPU overconsumption bug in v0.107.1.
Please update asap and with this, we wish you happy holidays!🎄
Infinite loops when TCP connections time out (#4042).
AdGuard Home 0.107.1
In a not-futile-at-all-we-swear 😅 attempt to fix all bugs before the New Year we're rolling out a hotfix to the recent v0.107.0. Hopefully, this time we got it all right. And if not, there are still a couple of sheets left on the calendar 📆 and the mug is still half-full with lukewarm coffee ☕
A special thanks to our open-source contributors: @Aikatsui and @mdawsonuk, as well as to everyone who filed and inspected issues, added translations, and helped us test this release!
The validation error message for duplicated allow- and blocklists in DNS settings now shows the duplicated elements (#3975).
ipsetinitialization bugs (#4027).
Legacy DNS rewrites from a wildcard pattern to a subdomain (#4016).
Service not being stopped before running the
uninstallservice action (#3868).
reloadservice action on FreeBSD.
Legacy DNS rewrites responding from upstream when a request other than
AAAAis received (#4008).
Panic on port availability check during installation (#3987).
Incorrect application of rules from the OS's hosts files (#3998).
AdGuard Home 0.107.0
We've had some big AdGuard Home updates in the past, but this one is to top them all. It's been brewing for almost eight months! 🙀 So no wonder there's heaps upon heaps of new features, improvements, bugfixes, and other changes. We'd better start listing them ASAP, or else we'll be risking missing the New Year's fireworks 🎆 🥂
Native Apple Silicon support
There's no shortage of killer features in this changelog, but this one takes the cake as the biggest of them all, without any doubt. You won't have to resort to Rosetta or any such solutions anymore if you want to configure AdGuard Home on a Mac with a Silicon chip.
RFC 9000 support In DNS-over-QUIC
It's not quite over nine thousand, but it'll do. The IETF has formalized QUIC this year with RFC 9000, and DNS-over-QUIC protocol finally supports it. If you haven't tried DoQ yet, consider this a sign.
$dnsrewrite rules and other DNS rewrites will now be applied even when protection is disabled (#1558)
Another popular demand. This change only makes sense, as DNS rewrites often carry a different purpose than simply blocking ads or trackers. You still can disable them by opening the admin panel, going to Settings → General settings, and removing the check mark from the Block domains using filters and hosts files box.
Note: rules contained in system hosts files (e.g.
/etc/hosts) now have higher priority. This may result in more rewrites appearing in your Query log. If some of these rewrites are invalid, remove the corresponding lines from your hosts files or comment them out.
DNS-over-HTTPS queries now use the real IP address of the client instead of the address of the proxy (#2799)
Note that this change concerns only those proxies that you've added to the list of "Trusted proxies", otherwise it would be a major security risk. We wouldn't want anything of that sort to happen to you! 🙅♀️ Right now
trusted_proxiescan only be configured in
AdGuardHome.yaml, but that might change in the future.
Optimistic DNS cache (#2145)
To reduce latency you may make AdGuard Home respond from the cache even when the stored entry is expired, while trying to refresh them at the same time🔄 This checkbox is located in Settings → DNS settings → DNS cache configuration and it's not ticked by default. Responses made from DNS cache are marked with a special label in the Query log.
Query log search now supports internationalized domains (#3012)
Internationalized domain names (IDNAs) are domain names that contain symbols in non-Latin script/alphabet, such as
ουτοπία.δπθ.gr, for example. Previously, they were being converted to Unicode in AG Home Query log (
xn--kxae4bafwg.xn--pxaix.grin our examples), which is a detriment in most cases. Now IDNAs are displayed as is, and you can search for them without resorting to Unicode.
A special thanks to our open-source contributors: @Aikatsui, @anbraten, @bruvv, @DandelionSprout, @fvdm, @hnefatl, @markhicken, @p27877, and @systemcrash, as well as to everyone who filed and inspected issues, added translations, and helped us test this release! 🙏
Upstream server information for responses from cache (#3772). Note that old log entries concerning cached responses won't include that information.
Finnish and Ukrainian translations.
Setting the timeout for IP address pinging in the "Fastest IP address" mode through the new
fastest_timeoutfield in the configuration file (#1992).
Static IP address detection on FreeBSD (#3289).
Optimistic cache (#2145).
New possible value of
Blocking access using client IDs (#2624, #3162).
sourcedirectives support in
/etc/network/interfaceson Linux (#3257).
RFC 9000 support in DNS-over-QUIC.
Completely disabling statistics by setting the statistics interval to zero (#2141).
The ability to completely purge DHCP leases (#1691).
Settable timeouts for querying the upstream servers (#2280).
Configuration file parameters to change group and user ID on startup on Unix (#2763).
Experimental OpenBSD support for AMD64 and 64-bit ARM CPUs (#2439, #3225, #3226).
Support for custom port in DNS-over-HTTPS profiles for Apple's devices (#3172).
Output of the default addresses of the upstreams used for resolving PTRs for private addresses (#3136).
Detection and handling of recurrent PTR requests for locally-served addresses (#3185).
The ability to completely disable reverse DNS resolving of IPs from locally-served networks (#3184).
--local-frontendto serve dynamically changeable frontend files from disk as opposed to the ones that were compiled into the binary.
Port bindings are now checked for uniqueness (#3835).
The DNSSEC check now simply checks against the AD flag in the response (#3904).
Client objects in the configuration file are now sorted (#3933).
Responses from cache are now labeled (#3772).
Better error message for ED25519 private keys, which are not widely supported (#3737).
Cache now follows RFC more closely for negative answers (#3707).
$dnsrewriterules and other DNS rewrites will now be applied even when the protection is disabled (#1558).
DHCP gateway address, subnet mask, IP address range, and leases validations (#3529).
systemdservice script will now create the
/var/logdirectory when it doesn't exist (#3579).
Items in allowed clients, disallowed clients, and blocked hosts lists are now required to be unique (#3419).
The TLS private key previously saved as a string isn't shown in API responses anymore (#1898).
Better OpenWrt detection (#3435).
DNS-over-HTTPS queries that come from HTTP proxies in the
trusted_proxieslist now use the real IP address of the client instead of the address of the proxy (#2799).
Clients who are blocked by access settings now receive a
REFUSEDresponse when a protocol other than DNS-over-UDP and DNSCrypt is used.
querylog_intervalsetting is now formatted in hours.
Query log search now supports internationalized domains (#3012).
Internationalized domains are now shown decoded in the query log with the original encoded version shown in request details (#3013).
When /etc/hosts-type rules have several IPs for one host, all IPs are now returned instead of only the first one (#1381).
rlimit_nofileis now in the
osblock of the configuration file, together with the new
Permissions on filter files are now
In this release, the schema version has changed from
dns.querylog_interval, which in schema versions 11 and earlier used to be an integer number of days, is now a string with a human-readable duration:
# BEFORE: 'dns': # … 'querylog_interval': 90 # AFTER: 'dns': # … 'querylog_interval': '2160h'
To rollback this change, convert the parameter back into days and change the
rlimit_nofile, which in schema versions 10 and earlier used to be on the top level, is now moved to the new
# BEFORE: 'rlimit_nofile': 42 # AFTER: 'os': 'group': '' 'rlimit_nofile': 42 'user': ''
To rollback this change, move the parameter on the top level and change the
Go 1.16 support. v0.108.0 will require at least Go 1.17 to build.
EDNS0 TCP keepalive option handling (#3778).
Rules with the
$denyallowmodifier applying to IP addresses when they shouldn't (#3175).
The length of the EDNS0 client subnet option appearing too long for some upstream servers (#3887).
Invalid redirection to the HTTPS web interface after saving enabled encryption settings (#3558).
Incomplete propagation of the client's IP anonymization setting to the statistics (#3890).
$dnsrewriteresults for entries from the operating system's hosts file (#3815).
Matching against rules with
|at the end of the domain name (#3371).
Incorrect assignment of explicitly configured DHCP options (#3744).
Occasional panic during shutdown (#3655).
Addition of IPs into only one as opposed to all matching ipsets on Linux (#3638).
Removal of temporary filter files (#3567).
Panic when an upstream server responds with an empty question section (#3551).
9GAG blocking (#3564).
DHCP now follows RFCs more closely when it comes to response sending and option selection (#3443, #3538).
Occasional panics when reading old statistics databases (#3506).
reloadservice action on macOS and FreeBSD (#3457).
Inaccurate using of service actions in the installation script (#3450).
Client ID checking (#3437).
Discovering other DHCP servers on
Switching listening address to unspecified one when bound to a single specified IPv4 address on Darwin (macOS) (#2807).
Incomplete HTTP response for static IP address.
DNSCrypt queries weren't appearing in query log (#3372).
Wrong IP address for proxied DNS-over-HTTPS queries (#2799).
Domain name letter case mismatches in DNS rewrites (#3351).
Conflicts between IPv4 and IPv6 DNS rewrites (#3343).
Letter case mismatches in
Occasional breakages on network errors with DNS-over-HTTP upstreams (#3217).
Errors when setting static IP on Linux (#3257).
Treatment of domain names and FQDNs in custom rules with
$dnsrewritethat use the
Redundant hostname generating while loading static leases with empty hostname (#3166).
Domain name case in responses (#3194).
Custom upstreams selection for clients with client IDs in DNS-over-TLS and DNS-over-HTTP (#3186).
Incorrect client-based filtering applying logic (#2875).
Go 1.15 support.
AdGuard Home 0.106.3
More! More bugfixes! 🧟♀️
But this time, for a change, there's a couple of new minor features to go with them. Hope you don't mind 🤷♂️
A special thanks to our open-source contributor, @ashishwt, as well as to everyone who filed and inspected issues, added translations, and helped us to test this release!
Support for reinstall (
-r) and uninstall (
-u) flags in the installation script #2462.
Support for DHCP
RELEASEmessage types #3053.
Add microseconds to log output.
Intermittent "Warning: ID mismatch" errors #3087.
Error when using installation script on some ARMv7 devices #2542.
Local PTR request recursion in Docker containers #3064.
Ignoring client-specific filtering settings when filtering is disabled in general settings #2875.
Disallowed domains are now case-insensitive #3115.
Other minor fixes and improvements.
AdGuard Home 0.106.2
It's not Friday? Not a problem! We defy the tradition of Friday hotfixes by rushing another one out a day earlier 🙌
A special thanks to our open-source contributor, @jankais3r, as well as to everyone who filed issues, added translations, and helped us to test this release!
AdGuard Home 0.106.1
We had a release a couple days ago. You all knew it would come to this. 🦸
It's hotfix time! 🔥
Nothing serious though, we didn't even break anything. Just cleaning up some minor bugs. 🧹
AdGuard Home 0.106.0
Quite a lot of changes this time around, even if there aren't as many standouts as in some of the previous updates. We're sure that you'll be able to find a line or two in the changelog that speaks to you!
And one of the reasons for that is the constant support from the community. 👥👥 Special thanks to our open-source contributors: @jvoisin and @Paraphraser, as well as to everyone who filed issues, added translations, and helped us to test this release! 🙇
The ability to set up custom upstreams to resolve PTR queries for local addresses and to disable the automatic resolving of clients' addresses #2704
This option will improve your DNS privacy when it comes to addressing local resources. Give it a go unless you want to share your private data with googles of the world.
Search by clients' names in the query log #1273
There's not much that can be said about this feature, it's quite self-explanatory: now you can search up queries by specific clients. 🤷♀️
However, we wanted to highlight it anyway since so many of you have asked for it for quite a while. Hopefully, we delivered! 😅
The ability to block user for login after configurable number of unsuccessful attempts for configurable time #2826.
$denyallowmodifier for filters #2923.
Hostname uniqueness validation in the DHCP server #2952.
Hostname generating for DHCP clients which don't provide their own #2723.
--no-etc-hoststo disable client domain name lookups in the operating system's /etc/hosts files #1947.
Logging of the client's IP address after failed login attempts #2824.
Verbose version output with
The ability to serve DNS queries on multiple hosts and interfaces #1401.
textDHCP server options #2385.
SRVrecords support in
Quality of logging #2954.
The access to the private hosts is now forbidden for users from external networks #2889.
The reverse lookup for local addresses is now performed via local resolvers #2704.
Stricter validation of the IP addresses of static leases in the DHCP server with regards to the netmask #2838.
Stricter validation of
$dnsrewritefilter modifier parameters #2498.
New, more correct versioning scheme #2412.
Go 1.15 support. v0.107.0 will require at least Go 1.16 to build.
Multiple answers for
$dnsrewriterule matching requests with repeating patterns in it #2981.
Root server resolving when custom upstreams for hosts are specified #2994.
Inconsistent resolving of DHCP clients when the DHCP server is disabled #2934.
Comment handling in clients' custom upstreams #2947.
Overwriting of DHCPv4 options when using the HTTP API #2927.
Assumption that MAC addresses always have the length of 6 octets #2828.
Support for more than one
/24subnet in DHCP #2541.
Invalid filenames in the
mobileconfigAPI responses #2835.
Go 1.14 support.
AdGuard Home 0.105.2
There are big flashy updates, and there are seemingly unassuming ones, which constitute, however, the backbone of any successful project. This is the latter, as you may have guessed. You'll find here a heap of bugfixes and a security update for CVE-2021-27935.
Session token doesn't contain user's information anymore (#2470).
Incomplete hostnames with trailing zero-bytes handling (#2582).
Wrong DNS-over-TLS ALPN configuration (#2681).
Inconsistent responses for messages with EDNS0 and AD when DNS caching is enabled (#2600).
Incomplete OpenWrt detection (#2757).
expiredfield incorrect time format (#2692).
Incomplete DNS upstreams validation (#2674).
Wrong parsing of DHCP options of the
AdGuard Home v0.105.1
Have you ever thought about why traditions are so important?🧙♂️ Traditions help us remember that we are part of a history that defines our past, shapes who we are today, and who we are likely to become. This is why we at AdGuard respect our traditions, and the most important one is pushing the inevitable hotfix right after every major update.🔥🔧
Jokes aside, here's the list of things fixed and improved in this hotfix.
"Permission denied" errors when checking if the machine has a static IP no longer prevent the DHCP server from starting (#2667).
The server name sent by clients of TLS APIs is not only checked when
strict_sni_checkis enabled (#2664).
Error when enabling the DHCP server when AdGuard Home couldn't determine if the machine has a static IP.
Optical issue on custom rules (#2641).
Occasional crashes during startup.
GET /control/dhcp/statusHTTP API response is now correctly named again (#2678).
ra_allow_slaacsettings aren't reset to
falseon update any more (#2653).
Varyheader is now added along with
Access-Control-Allow-Originto prevent cache-related and other issues in browsers (#2658).
The request body size limit is now set for HTTPS requests as well.
Incorrect version tag in the Docker release (#2663).
DNSCrypt queries weren't marked as such in logs (#2662).
AdGuard Home 0.105.0
We took our sweet time with this update, but you'll most certainly find it to be worth the wait. The changelog contains three absolute 💥bangers and a laundry list of lesser changes.
🕵️♂️ Client ID support for DNS-over-HTTPS, DNS-over-QUIC, and DNS-over-TLS #1387
This feature would be really useful to those of you who run an encrypted DNS resolver on a public server. In short, you can now identify your devices not just by their IP address (which is, frankly, not too useful in a public server scenario 🤷♀️), but by using a special "Client ID".
Here's how it works:
First, you add a client and specify an arbitrary string as its "Identifier", for instance,
On the client device you can now configure:
Queries and stats are now properly attributed to your device.
🔐 AdGuard as a DNSCrypt-resolver #1361
DNSCrypt was the very first DNS encryption protocol that got some traction. It may not be as popular as DoH/DoT/DoQ now, but it is still viable. Moreover, performance-wise DNSCrypt is better than any of them. And now that v0.105.0 is out, AdGuard Home can be configured to work as a DNSCrypt resolver!
However, here goes the tricky part. We haven't yet exposed these settings to the Web admin panel so if you want to have DNSCrypt, you'll need to follow this instruction and do it via editing the configuration file (
AdGuardHome.yaml). Not that it would scare you off, would it? 🤓
Regarding DNSCrypt clients - AdGuard for Android, Windows and iOS support it, Mac will get its support pretty soon. Besides that, here is a long list of client software that supports it as well.
AdGuard Home now supports two more powerful rule modifiers that will help blocklists' maintainers.
$dnstypelets you narrow down the rule scope and apply it only to queries of a specific type(s). For instance, Apple devices now support
HTTPSDNS query type. While being generally a good thing, this new type may sometimes be harmful😲. By using
$dnstypeyou can block it completely using a simple rule like this:
$dnsrewriteis another powerful modifier that allows you to modify DNS responses. Note that this modifier is much more powerful compared to something like a hosts file.
Here are some examples:
example.organd all it's subdomains
|test.example.org^$dnsrewrite=NOERROR;TXT;hello_world- add a
You can find more examples in the documentation.
ipsetsubdomain matching, just like
The host checking API and the query logs API can now return multiple matched rules #2102
Detecting of network interface configured to have static IP address via
A 5 second wait period until a DHCP server's network interface gets an IP address #2304
HTTP API request body size limit #2305
Access-Control-Allow-Originis now only set to the same origin as the domain, but with an HTTP scheme as opposed to
workDirnow supports symlinks.
Stopped mounting together the directories
/opt/adguardhome/workin our Docker images #2589
dns.bogus_nxdomainoption is used, the server will now transform responses if there is at least one bogus address instead of all of them #2394. The new behavior is the same as in
Made the mobileconfig HTTP API more robust and predictable, add parameters and improve error response #2358
Improved HTTP requests handling and timeouts #2343
Our snap package now uses the
core20image as its base #2306
Go 1.14 support. v0.106.0 will require at least Go 1.15 to build.
darwin/386port. It will be removed in v0.106.0.
GET /querylogresponses. They will be removed in v0.106.0 #2102
Autoupdate bug in the Darwin (macOS) version #2630
Unnecessary conversions from
net.IP, and vice versa #2508
Inability to set DNS cache TTL limits #2459
Possible freezes on slower machines #2225
A mitigation against records being shown in the wrong order on the query log page #2293
A JSON parsing error in query log #2345
Incorrect detection of the IPv6 address of an interface as well as another infinite loop in the
/dhcp/find_active_dhcpHTTP API #2355
The undocumented ability to use hostnames as any of
bind_hostvalues in the configuration. Documentation requires them to be valid IP addresses, and now the implementation makes sure that that is the case #2508
Dockerfile#2276. Replaced with the script
Support for pre-v0.99.3 format of query logs #2102
AdGuard Home 0.104.3
Bugfixes... 😌 There's something about them that we just can't resist. We always want more! 🧟
When there's nothing more to fix, we just roll out a new major update, introduce some fresh bugs and start all over. It's a circle of life ☯️
Luckily, there are still some to prey upon in v0.104. Have a look at what we've fixed this time:
Don't expose the profiler HTTP API #2336
Load query logs from files after loading the ones buffered in memory #2325
Don't show Unnecessary errors in logs when switching between query log files #2324
404 Not Founderrors on the DHCP settings page on Windows. Show that DHCP is not currently available on that OS instead #2295
Fix an infinite loop in the
/dhcp/find_active_dhcpHTTP API method #2301
Various internal improvements
AdGuard Home 0.104.1
Those who pay close attention to AdGuard Home releases know that we keep hotfixes close to our hearts 🔥♥️ This time we held for as long as we could, but ultimately gave in to the urge 😔
Here's a patch to v0.104 with some fixes and minor improvements.
permission deniederror when launching a DHCP server on Linux using Snap #2228. Users experiencing this issue should refresh their snap and call:
snap connect adguard-home:network-control
This won't be required in the future versions.
Use matching fonts in the Custom Filters textarea #2254
Show the correct query type for DNS-over-QUIC queries in query log #2241
Increase the default number of simultaneous requests to improve performance #2257
Always set a secondary DNS in DHCP #1708
Improve stability on DNS proxy restart #2242
Improve logging on DNS proxy restart #2252
Don't show a “Loading” message and don't rerequest logs once we've reached the end of logs on the query log page #2229
Various internal improvements.
AdGuard Home 0.104.0
We have something special for y'all today. Not just an implementation of a new feature but the first ever implementation of a new feature! 😮 This is about DNS-over-QUIC, a new DNS encryption protocol — read on to learn more.
Ah, yes, there's also a bunch of other good stuff, too: DHCP-related changes, a .mobileconfig generator for iOS and macOS, and a handful of other enhancements and bugfixes.
DNS-over-QUIC support #2049
AdGuard Home now natively supports a new DNS encryption protocol called DNS-over-QUIC. DoQ standard is currently in the draft state, and AdGuard Home (and dnsproxy) is it's first open-source implementation.🥇
So what's good about it? 🤔 Unlike DoH and DoT, it uses QUIC as a transport protocol and finally brings DNS back to its roots — working over UDP. It brings all the good things that QUIC has to offer — out-of-the-box encryption, reduced connection times, better performance when data packets are lost. Also, QUIC is supposed to be a transport-level protocol and there are no risks of metadata leaks that could happen with DoH. 🔒
At this moment, the only major public DNS resolver that provides DNS-over-QUIC is AdGuard DNS. 😎 Use
quic://dns-unfiltered.adguard.comin the upstreams settings to start using AdGuard DNS "Non-Filtering".
DHCP rework: DHCP6 support, custom DHCP options
We did a huge rework of our DHCP server implementation. Thanks to it, AdGuard Home now supports DHCP6 and allows setting custom DHCP options.
Please note that in order to set DHCP options, you'll need to edit the configuration file.
Add support for DHCPv6: #779
DHCPv6 RA+SLAAC: #2076
DHCP: automatic hostnames: #1956
Add DHCP Options: #1585
iOS and MacOS .mobileconfig generator: #2110
iOS 14 and macOS Big Sur natively support DNS-over-HTTPS and DNS-over-TLS. However, it's not that simple to configure them — you need to install a special "configuration profile" for that. 🤯 In order to make things easier, AdGuard Home can generate these configuration profiles for you. Just head to "Setup Guide" -> "DNS Privacy" and scroll to iOS.
AdGuard Home binaries are now signed with our GPG key and you can now easily verify that they really come from us: https://github.com/AdguardTeam/AdGuardHome/wiki/Verify-Releases
Allow entering comments to the Upstreams box: #2083
Load upstreams list from a file: #1680
Add ARMv8 to future releases, potentially append a v8 binary to the most recent non-beta release: #2125
Redesign query logs block/unblock buttons: #2050
Treat entries starting with "/" as "://" under specific circumstances: #1950
Use "Null IP" instead of NXDOMAIN by default: #1914
Bootstrap with TCP upstreams: #1843
Add block and unblock buttons to 'check the filtering' result: #1734
ipset feature support: #1191
Add Belarusian and Chinese Traditional HK languages: #2106
Add new language: en-silk: #1796
Use DOH or DOT as bootstrap: #960
Reverse lookups return empty answers for hosts from /etc/hosts: #2085
Static lease hostnames are overridden by client-identifier: #2040
Query log doesn't display name for blocked services: #2038
Custom filter editor works with delay: #1657
Incorrect link address: #2209
Smartphone compatible design for user interface: #2152
Misleading information during service installation: #2128
Remove the limit on cache-min-ttl, 3600: #2094
Cannot change minimum TTL override in UI: #2091
Optical Issue on mobile phone: #2090
Setting a large DNS Cache Size in the Web GUI will exceed the unit32 range.: #2056
Clients requests aren't counted properly: #2037
Sorting various IP Address Columns in the UI (eg in dhcp static leases) does not sort correctly. They are treated as strings instead of numeric.: #1877
Requests count for clients with CIDR IP addresses: #1824