# AdGuard DNS changelog All notable environment, configuration file, and other changes to this project will be documented in this file. The format is **not** based on [Keep a Changelog][kec], since the project **doesn't** currently adhere to [Semantic Versioning][sem]. [kec]: https://keepachangelog.com/en/1.0.0/ [sem]: https://semver.org/spec/v2.0.0.html ## AGDNS-2507 / Build 926 - Profile's file cache version was incremented. The file cache structure has been optimized, so messages like the following are to be expected: ```none profiledb: warning: error loading fs cache err="decoding protobuf: proto: cannot parse invalid wire-format data" ``` ## AGDNS-2327 / Build 916 - Profile's file cache version was incremented. The new field `BlockChromePrefetch` has been added to profile's object. - The objects within the `filtering_groups` have a new property, `block_chrome_prefetch`. So replace this: ```yaml filtering_groups: - id: default # … block_firefox_canary: true block_private_relay: true ``` with this: ```yaml filtering_groups: - id: default # … block_chrome_prefetch: true block_firefox_canary: true block_private_relay: true ``` ## AGDNS-2514 / Build 908 - The environment variable `DNSCHECK_CACHE_KV_SIZE` has been added. - The property `kv.type` within the `check` object now supports the `cache` value. ## AGDNS-2484/ Build 886 - Property `type` of the `ratelimit` object has been moved to the underlying `allowlist` object. So replace this: ```yaml ratelimit: type: 'consul' # … allowlist: # … ``` with this: ```yaml ratelimit: # … allowlist: type: 'consul' # … ``` ## AGDNS-2443 / Build 877 - The object `filters` has new properties: `ede_enabled`, and `sde_enabled`. So replace this: ```yaml filters: # … ``` with this: ```yaml filters: # … ede_enabled: true sde_enabled: true ``` ## AGDNS-2456 / Build 873 - The environment variables `BACKEND_RATELIMIT_URL` and `BACKEND_RATELIMIT_API_KEY` have been added. - Added the `type` property within the `ratelimit` object. So add it: ```yaml ratelimit: type: 'consul' # … ``` ## AGDNS-2431 / Build 872 - The objects `ratelimit.ipv4` and `ratelimit.ipv6` have been modified. Its `rps` properties have been replaced with the new properties `count` and `interval`. So replace this: ```yaml ratelimit: # … ipv4: rps: 30 ipv6: rps: 300 ``` with this: ```yaml ratelimit: # … ipv4: # … count: 300 interval: 10s ipv6: # … count: 3000 interval: 10s ``` Adjust the value and add new ones, if necessary. ## AGDNS-2457 / Build 871 - The environment variables `DNSCHECK_REMOTEKV_URL` and `DNSCHECK_REMOTEKV_API_KEY` have been added. - The property `kv.type` within the `check` object now supports the `backend` value. ## AGDNS-2468 / Build 869 - The environment variable `PROFILES_MAX_RESP_SIZE` has been added. It sets the maximum size of the response from the profiles endpoint of the backend API. The default value is `8MB`. ## AGDNS-2427 / Build 854 - The environment variables `REDIS_ADDR`, `REDIS_KEY_PREFIX`, `REDIS_MAX_ACTIVE`, `REDIS_MAX_IDLE`, `REDIS_IDLE_TIMEOUT`, and `REDIS_PORT` have been added. - The property `ttl` within the `check` is replaced by the object `kv` containing the previous `ttl` and the new property `type`. So replace this: ```yaml check: # … ttl: 30s ``` with this: ```yaml check: kv: type: 'consul' ttl: 30s # … ``` ## AGDNS-2331 / Build 818 - Profile's file cache version was incremented. The new field `RateLimit` has been added to profile's object. ## AGDNS-2008 / Build 809 - The environment variables `WEB_STATIC_DIR` and `WEB_STATIC_DIR_ENABLED` have been added. If `WEB_STATIC_DIR_ENABLED` is set to `1`, `WEB_STATIC_DIR` must point to a directory, from which static files are served. The `web.static_content` property in the configuration file is also ignored when `WEB_STATIC_DIR_ENABLED` is set to `1`. ## AGDNS-2316 / Build 808 - The environment variables `BLOCKED_SERVICE_ENABLED`, `GENERAL_SAFE_SEARCH_ENABLED`, and `YOUTUBE_SAFE_SEARCH_ENABLED` have been added. If they are set to `0`, their corresponding `*_URL` environment variables can be empty. ## AGDNS-2312 / Build 807 - The environment variables `BILLSTAT_URL` and `PROFILES_URL` no longer required if there are no server groups with profiles enabled. ## AGDNS-2312 / Build 802 - The environment variables `ADULT_BLOCKING_ENABLED`, `NEW_REG_DOMAINS_ENABLED`, and `SAFE_BROWSING_ENABLED` have been added. If they are set to `0`, their corresponding `*_URL` environment variables can be empty. ## AGDNS-2302 / Build 801 - The environment variable `METRICS_NAMESPACE` has been added. ## AGDNS-2292 / Build 794 - The environment variable `PROFILES_ENABLED` has been removed. - The objects within the `server_groups` array have a new property `profiles_enabled`. So replace this: ```yaml server_groups: - name: 'default' # … - name: 'client' # … ``` with this: ```yaml server_groups: - name: 'default' # … profiles_enabled: false - name: 'client' # … profiles_enabled: true ``` ## AGDNS-2289 / Build 793 - The environment variable `FILTER_INDEX_URL` now accepts `file://` URIs to use local files as filtering-rule list indexes. - All other `*_URL` environment variables are now validated to be HTTP(s) or gRPC(S) more strictly. ## AGDNS-2254 / Build 779 - The environment variables `BILLSTAT_API_KEY` and `PROFILES_API_KEY` have been added. ## AGDNS-2172 / Build 776 - The version of the profile cache file has been incremented. ## AGDNS-2048 / Build 750 - The environment variables `RESEARCH_LOGS` and `RESEARCH_METRICS` have been removed. ## AGDNS-2022 / Build 746 - The property `block_page_redirect` of objects within the `server_groups` array has been removed. ## AGDNS-1981 / Build 744 - The objects within the `server_groups` array had a change in their `block_page_redirect` configuration, it now supports arrays of IP addresses in `ipv4` and `ipv6` fields. - Profile's file cache version was incremented. In case of `BlockingModeCustomIP` the `profile.blocking_mode` IPv4/IPv6 fields are now arrays of IP addresses. ## AGDNS-2012 / Build 732 - The querylog now has a new field, `"rn"`, which is a 16-bit unsigned random number. Field `"u"`, the unique request ID, is deprecated and may be removed in the future. ## AGDNS-1879 / Build 729 - Profile's file cache version was incremented. The new field `authentication` has been added to profile's device object. ## AGDNS-1934 / Build 728 - The object `filters` has new properties: `index_refresh_timeout`, and `rule_list_refresh_timeout`. So replace this: ```yaml filters: # … ``` with this: ```yaml filters: # … index_refresh_timeout: 1m rule_list_refresh_timeout: 1m ``` - The objects `safe_browsing` and `adult_blocking` have a new property: `refresh_timeout`. So replace this: ```yaml safe_browsing: # … # … adult_blocking: # … ``` with this: ```yaml safe_browsing: # … refresh_timeout: 1m # … adult_blocking: # … refresh_timeout: 1m ``` ## AGDNS-1954 / Build 726 - The object `web` has a new optional property, `general_blocking`. Its format is the same as in `adult_blocking` and `safe_browsing`. ## AGDNS-1954 / Build 719 - The objects within the `server_groups` array have a new property `block_page_redirect`: ```yaml block_page_redirect: enabled: true ipv4: - address: '127.0.0.1' - address: '127.0.0.2' ipv6: - address: '::1' - address: '::2' apply: client: - address: '192.168.0.0/16' - address: '1.2.3.4' skip: client: - address: '1.2.0.0/16' question: - domain: 'do-not-show-block.site.example' probability: 0.01 ``` > [!NOTE] > For `ipv4` and `ipv6` only one address is currently supported. For server groups that do not require a block-page redirect, set: ```yaml block_page_redirect: enabled: false ``` ## AGDNS-1888 / Build 717 - The new environment variable `PROFILES_ENABLED` has been added. With `0` value it disables user profiles and devices recognition, and billing. Its default value is `1`. Adjust the value, if necessary. ## AGDNS-1761 / Build 702 - The property `upstream` has been modified. Its property `timeout` has been replaced with the new property `servers.timeout` for each server in the `servers` list. Concomitantly the `fallback.timeout` has been replaced with `fallback.servers.timeout` for each fallback server. The `fallback.servers` now supports not only the addresses of the servers, but URLs in the `[scheme://]ip:port` format like it's done with the main servers. So replace this: ```yaml upstream: # … servers: - 'tcp://1.1.1.1:53' - '127.0.0.1:5358' timeout: 2s fallback: servers: - 8.8.4.4:53 timeout: 1s ``` with this: ```yaml upstream: # … servers: - address: 'tcp://1.1.1.1:53' timeout: 2s - address: '127.0.0.1:5358' timeout: 2s fallback: servers: - address: '8.8.4.4:53' timeout: 1s ``` Adjust the value and add new ones, if necessary. ## AGDNS-698 / Build 701 - The object `dns` has new properties: `read_timeout`, `tcp_idle_timeout`, and `write_timeout`. So replace this: ```yaml dns: max_udp_response_size: 1024B ``` with this: ```yaml dns: read_timeout: 2s tcp_idle_timeout: 30s write_timeout: 2s handle_timeout: 1s max_udp_response_size: 1024B ``` The values in the example are previous defaults. ## AGDNS-1751 / Build 691 - The property `upstream.server` has been removed. Its former content is moved to the newly added property `servers`, which now extended to contain a list of URLs of main upstream servers. So replace this: ```yaml upstream: # … server: `8.8.8.8:53` ``` with this: ```yaml upstream: # … servers: - `8.8.8.8:53` ``` Adjust the value and add new ones, if necessary. ## AGDNS-1759 / Build 684 - The object `backend` has a new property, `full_refresh_retry_interval`. So replace this: ```yaml backend: # … full_refresh_interval: 24h ``` with this: ```yaml backend: # … full_refresh_interval: 24h full_refresh_retry_interval: 1h ``` Adjust the value, if necessary. ## AGDNS-1744 / Build 681 - Metric `forward_request_total` has a new label `network`. This label describes the network type (`tcp` or `udp`), over which an upstream has finished processing request. ## AGDNS-1738 / Build 678 - Object `dns` has a new property, describing maximum size of DNS response over UDP protocol. ```yaml dns: max_udp_response_size: 1024B handle_timeout: 1s ``` ## AGDNS-1735 / Build 677 - The property `upstream.fallback` has been changed. Its former content is moved to the newly added property `servers`. The new property `timeout`, which describes query timeout to fallback servers, was added. So replace this: ```yaml upstream: fallback: - 1.1.1.1:53 - 8.8.8.8:53 ``` with this: ```yaml upstream: fallback: servers: - 1.1.1.1:53 - 8.8.8.8:53 timeout: 1s ``` Adjust the new values, if necessary. Note that the query timeout to fallback servers was previously defined with `upstream.timeout` property, which now describes the query timeout to the primary servers only. ## AGDNS-1178 / Build 676 - The new object `dns` has been added: ```yaml dns: handle_timeout: 1s ``` ## AGDNS-1620 / Build 673 - Object `ratelimit` has two new properties: `quic` and `tcp`. They configure QUIC and TCP connection limits. Example configuration: ```yaml ratelimit: # … quic: enabled: true max_streams_per_peer: 100 tcp: enabled: true max_pipeline_count: 100 ``` ## AGDNS-1684 / Build 661 - Profile's file cache version was incremented. The new field `access` has been added. ## AGDNS-1664 / Build 636 - The environment variables `BILLSTAT_URL` and `PROFILES_URL` no longer support HTTP(s) endpoints. Use GRPC(S) instead. ## AGDNS-1667 / Build 633 - `ratelimit` configuration properties `back_off_count`, `back_off_duration` and `back_off_period` have been renamed to `backoff_count`, `backoff_duration` and `backoff_period`. So replace this: ```yaml ratelimit: back_off_period: 10m back_off_count: 1000 back_off_duration: 30m ``` with this: ```yaml ratelimit: backoff_period: 10m backoff_count: 1000 backoff_duration: 30m ``` ## AGDNS-1607 / Build 617 - New configuration `access` has been added, it has an a list of AdBlock rules to block requests, and a lists of client subnets to block access from. Example configuration: ```yaml access: blocked_question_domains: - 'test.org' - '||example.org^$dnstype=AAAA' blocked_client_subnets: - '1.1.1.1' - '2.2.2.0/8' ``` ## AGDNS-1619 / Build 611 - Added a new metric `bill_stat_upload_duration` that counts the duration of billing statistics upload. - The environment variable `BILLSTAT_URL`, which describes the endpoint for backend billing statistics uploader API, now supports GRPC endpoints. ## AGDNS-1600 / Build 582 - The environment variable `PROFILES_CACHE_PATH` no longer supports JSON files. Use protobuf with `.pb` extension instead. The default value has been changed to `./profilecache.pb`. ## AGDNS-1539 / Build 581 - The environment variable `PROFILES_URL`, which describes the endpoint for profiles sync API, now supports GRPC endpoints. ## AGDNS-1579 / Build 580 - The optional property `bind_interfaces` of `server_groups.*.servers` objects has been changed, property `subnet` is now an array and has been renamed to `subnets`. So replace this: ```yaml bind_interfaces: - id: 'dns' subnet: '10.0.0.1/32' - id: 'dns' subnet: '10.0.0.2/32' - id: 'dns' subnet: '10.0.0.3/32' - id: 'dns_secondary' subnet: '10.0.0.1/32' ``` with this: ```yaml bind_interfaces: - id: 'dns' subnets: - '10.0.0.1/32' - '10.0.0.2/32' - '10.0.0.3/32' - id: 'dns_secondary' subnets: - '10.0.0.1/32' ``` ## AGDNS-1537 / Build 566 - The configuration property `filtering_groups.safe_browsing` has been changed, new properties have been added: `block_dangerous_domains` and `block_newly_registered_domains`. ## AGDNS-1580 / Build 562 - The environment variable `DNSDB_PATH` has been removed. - New configuration `dnsdb` has been added, it has an enabled/disabled flag and the property `max_size` which describes the maximum amount of records in the in-memory buffer. Example configuration: ```yaml dnsdb: enabled: true max_size: 500000 ``` ## AGDNS-1537 / Build 559 - Configuration properties `safe_browsing.url` and `adult_blocking.url` are now removed. Use newly added environment variables `ADULT_BLOCKING_URL` and `SAFE_BROWSING_URL`. - New environment variable `NEW_REG_DOMAINS_URL` has been added, this is the link to the source list of the newly registered domains. ## AGDNS-1567 / Build 557 - The environment variable `BACKEND_ENDPOINT` was replaced with three environment variables: - `LINKED_IP_TARGET_URL`: the target URL to which linked IP API requests are proxied. - `PROFILES_URL`: the endpoint for profiles sync API. - `BILLSTAT_URL`: the endpoint for backend billing statistics uploader. ## AGDNS-1561 / Build 554 - The `filters` object has a new property, `max_size`, which describes the maximum size of the downloadable content for a rule-list in a human-readable format. Example configuration: ```yaml filters: # … max_size: 256MB ``` ## AGDNS-1561 / Build 550 - Properties `so_sndbuf` and `so_rcvbuf` of object `network` have been changed. Now they are in a human-readable format. Example configuration: ```yaml network: so_sndbuf: 2MB so_rcvbuf: 0 ``` - The object `filters` has been changed. Two properties, `rule_list_cache_size` and `use_rule_list_cache` have been extracted to the new object `rule_list_cache` and renamed to `size` and `enabled`. So replace this: ```yaml filters: response_ttl: 5m custom_filter_cache_size: 1024 safe_search_cache_size: 1024 rule_list_cache_size: 10000 refresh_interval: 1h refresh_timeout: 5m use_rule_list_cache: true ``` with this: ```yaml filters: response_ttl: 5m custom_filter_cache_size: 1024 safe_search_cache_size: 1024 refresh_interval: 1h refresh_timeout: 5m rule_list_cache: enabled: true size: 10000 ``` Adjust the values, if necessary. ## AGDNS-1566 / Build 549 - There is now a new env variable `RESEARCH_LOGS` that controls whether logging of additional info for research purposes is enabled. These log records can be filtered out by `research:` prefix. The default value is `0`, i.e. additional logging is disabled. The first thing that is logged in this version is domains which responses have ECH config. The log will only be recorded when both `RESEARCH_LOGS` and `RESEARCH_METRICS` are set to `1`. - Added a new research metric `dns_research_response_ech` that counts the number of responses with a ECH configuration. ## AGDNS-1556 / Build 547 - The object `cache` has a new property `ttl_override`. It describes the TTL override settings, such as the minimum TTL for cache items and the `enabled` switch. It overwrites the TTL from DNS response in case it's less than this minimum value. So replace this: ```yaml cache: type: "simple" size: 10000 ecs_size: 10000 ``` with this: ```yaml cache: type: "simple" size: 10000 ecs_size: 10000 ttl_override: enabled: true # The minimum duration of TTL for a cache item. min: 60s ``` Adjust the values, if necessary. ## AGDNS-1498 / Build 527 - Object `ratelimit` has a new property, `connection_limit`, which allows setting stream-connection limits. Example configuration: ```yaml ratelimit: # … connection_limit: enabled: true stop: 1000 resume: 800 ``` ## AGDNS-1383 / Build 525 - The environment variable `PROFILES_CACHE_PATH` is now sensitive to the file extension. Use `.json` for the previous behavior of encoding the cache into a JSON file or `.pb` for encoding it into protobuf. Other extensions are invalid. ## AGDNS-1381 / Build 518 - The new object `network` has been added: ```yaml network: so_sndbuf: 0 so_rcvbuf: 0 ``` ## AGDNS-1383 / Build 515 - The environment variable `PROFILES_CACHE_PATH` now has a new special value, `none`, which disables profile caching entirely. The default value of `./profilecache.json` has not been changed. ## AGDNS-1479 / Build 513 - The profile-cache version has been changed to `6`. Versions of the profile cache from `3` to `5` are invalid and should not be reused. ## AGDNS-1473 / Build 506 - The profile-cache version has been changed to `5`. ## AGDNS-1247 / Build 484 - The new object `interface_listeners` has been added: ```yaml interface_listeners: channel_buffer_size: 1000 list: eth0_plain_dns: interface: 'eth0' port': 53 eth0_plain_dns_secondary: interface: 'eth0' port': 5353 ``` - The objects within the `server_groups.*.servers` array have a new optional property, `bind_interfaces`: ```yaml server_groups: - # … servers: - name: 'default_dns' # … bind_interfaces: - id: 'eth0_plain_dns' subnet: '127.0.0.0/8' - id: 'eth0_plain_dns_secondary' subnet: '127.0.0.0/8' ``` It is mutually exclusive with the current `bind_addresses` field. ## AGDNS-1406 / Build 480 - The default behavior of the environment variable `DNSDB_PATH` has been changed. Previously, if the variable was unset then the default value, `./dnsdb.bolt`, was used, but if it was an empty string, DNSDB was disabled. Now both unset and empty value disable DNSDB, which is consistent with the documentation. This means that DNSDB is disabled by default. - The default configuration file path has been changed from `./config.yml` to `./config.yaml` for consistency with other services. ## AGDNS-916 / Build 456 - `ratelimit` now defines rate of requests per second for IPv4 and IPv6 addresses separately. So replace this: ```yaml ratelimit: rps: 30 ipv4_subnet_key_len: 24 ipv6_subnet_key_len: 48 ``` with this: ```yaml ratelimit: ipv4: rps: 30 subnet_key_len: 24 ipv6: rps: 300 subnet_key_len: 48 ``` ## AGDNS-907 / Build 449 - The objects within the `filtering_groups` have a new property, `block_firefox_canary`. So replace this: ```yaml filtering_groups: - id: default # … ``` with this: ```yaml filtering_groups: - id: default # … block_firefox_canary: true ``` The recommended default value is `true`. ## AGDNS-1308 / Build 447 - There is now a new env variable `RESEARCH_METRICS` that controls whether collecting research metrics is enabled or not. Also, the first research metric is added: `dns_research_blocked_per_country_total`, it counts the number of blocked requests per country. Its default value is `0`, i.e. research metrics collection is disabled by default. ## AGDNS-1051 / Build 443 - There are two changes in the keys of the `static_content` map. Firstly, properties `allow_origin` and `content_type` are removed. Secondly, a new property, called `headers`, is added. So replace this: ```yaml static_content: '/favicon.ico': # … allow_origin: '*' content_type: 'image/x-icon' ``` with this: ```yaml static_content: '/favicon.ico': # … headers: 'Access-Control-Allow-Origin': - '*' 'Content-Type': - 'image/x-icon' ``` Adjust or add the values, if necessary. ## AGDNS-1278 / Build 423 - The object `filters` has two new properties, `rule_list_cache_size` and `use_rule_list_cache`. So replace this: ```yaml filters: response_ttl: 5m custom_filter_cache_size: 1024 safe_search_cache_size: 1024 refresh_interval: 1h refresh_timeout: 5m ``` with this: ```yaml filters: response_ttl: 5m custom_filter_cache_size: 1024 safe_search_cache_size: 1024 rule_list_cache_size: 10000 refresh_interval: 1h refresh_timeout: 5m use_rule_list_cache: true ``` Adjust the values, if necessary. ## AGDNS-1278 / Build 422 - The object `filters` has a new property, `safe_search_cache_size`. So replace this: ```yaml filters: response_ttl: 5m custom_filter_cache_size: 1024 refresh_interval: 1h refresh_timeout: 5m ``` with this: ```yaml filters: response_ttl: 5m custom_filter_cache_size: 1024 safe_search_cache_size: 1024 refresh_interval: 1h refresh_timeout: 5m ``` Adjust the values, if necessary. ## AGDNS-1174 / Build 397 - DNS Server Check now responds with NODATA message to all non-A neither non-AAAA requests. ## AGDNS-911 / Build 375 - Added support for running a DoH3 server. No configuration changes are required to run it. If there was a DoH server configured, it will start listening for HTTP/3 connections on the same port where it listens for HTTP/2. Make sure that udp/443 is allowed in the iptables configuration on the server. ## AGDNS-842 / Build 372 - The new environment variable `PROFILES_CACHE_PATH` has been added. Its default value is `./profilecache.json`. Adjust the value, if necessary. ## AGDNS-891 / Build 371 - The property `server` of `upstream` object has been changed. Now it is a URL optionally starting with `tcp://` or `udp://`, and then an address in `ip:port` format. ```yaml upstream: server: 'tcp://8.8.8.8:53' ``` Adjust the value, if necessary. ## AGDNS-1032 / Build 363 - The new optional field `static_content.*.allow_origin` has been added: ```yaml static_content: '/favicon.ico': allow_origin: '*' ``` ## AGDNS-898 / Build 359 - The new optional object `additional_metrics_info` has been added: ```yaml additional_metrics_info: test_key: 'test_value' ``` ## AGDNS-986 / Build 346 - The new object `upstream.healthcheck` now contains all healthcheck-related fields, including the new field `domain_template`. Property `upstream.healthcheck_backoff_time` has been moved to `upstream.healthcheck.backoff_duration`. So replace this: ```yaml upstream: server: 127.0.0.1:53 timeout: 2s healthcheck_enabled: true healthcheck_interval: 2s healthcheck_timeout: 1s healthcheck_backoff_time: 30s fallback: - 1.1.1.1:53 - 8.8.8.8:53 ``` with this: ```yaml upstream: server: 127.0.0.1:53 timeout: 2s fallback: - 1.1.1.1:53 - 8.8.8.8:53 healthcheck: enabled: true interval: 2s timeout: 1s backoff_duration: 30s domain_template: '${RANDOM}.neverssl.com' ``` Adjust the new value, if necessary. ## AGDNS-960 / Build 342 - The property `domain` of `check` object has been changed to `domains`. So replace this: ```yaml check: domain: "example.com" ``` with this: ```yaml check: domains: - 'example.com' - 'example.org' ``` Adjust the news values, if necessary. ## AGDNS-838 / Build 338 - The object `upstream` has new properties, `healthcheck_enabled`, `healthcheck_interval`, `healthcheck_timeout`, and `healthcheck_backoff_time`. So replace this: ```yaml upstream: server: 127.0.0.9:53 timeout: 2s fallback: - 1.1.1.1:53 - 8.8.8.8:53 ``` with this: ```yaml upstream: server: 127.0.0.9:53 timeout: 2s healthcheck_enabled: true healthcheck_interval: 2s healthcheck_timeout: 1s healthcheck_backoff_time: 30s fallback: - 1.1.1.1:53 - 8.8.8.8:53 ``` Adjust the new values, if necessary. ## Build 336 - The environment variable `SSLKEYLOGFILE` has been renamed to `SSL_KEY_LOG_FILE`. ## AGDNS-915 / Build 334 - The properties `subnet_key_ip_4_mask_len` and `subnet_key_ip_6_mask_len` of object `ratelimit` have been renamed to `ipv4_subnet_key_len` and `ipv6_subnet_key_len` correspondingly. So replace this: ```yaml ratelimit: # … subnet_key_ip_4_mask_len: 24 subnet_key_ip_6_mask_len: 48 ``` with this: ```yaml ratelimit: # … ipv4_subnet_key_len: 24 ipv6_subnet_key_len: 48 ``` ## AGDNS-915 / Build 333 - The `ratelimit` object has two new properties, `subnet_key_ip_4_mask_len` and `subnet_key_ip_6_mask_len`. So replace this: ```yaml ratelimit: # … ``` with this: ```yaml ratelimit: # … subnet_key_ip_4_mask_len: 24 subnet_key_ip_6_mask_len: 48 ``` ## AGDNS-897 / Build 329 - The objects within the `filtering_groups` have a new property, `block_private_relay`. ```yaml filtering_groups: - id: default # … ``` with this: ```yaml filtering_groups: - id: default # … block_private_relay: false ``` The recommended default value is `false`. ## AGDNS-624 / Build 320 - The objects within `server_groups` array had a change in their DDR configuration. There was an opinion that the previous configuration was too limiting and that denormalized configuration is more self-describing. So replace this: ```yaml server_groups: - # … ddr_names: - 'dns.example.com' # … ``` with this: ```yaml server_groups: - # … ddr: enabled: true device_records: '*.d.dns.example.com': doh_path: '/dns-query{?dns}' https_port: 443 quic_port: 853 tls_port: 853 ipv4_hints: - 127.0.0.1 ipv6_hints: - '::1' public_records: 'dns.example.com': doh_path: '/dns-query{?dns}' https_port: 443 quic_port: 853 tls_port: 853 ipv4_hints: - 127.0.0.1 ipv6_hints: - '::1' # … ``` Adjust the values, if necessary. Make sure to synchronize and keep in sync the addresses and ports with the values of the server groups' servers. ## AGDNS-624 / Build 317 - The objects within `server_groups` array have a new property `ddr_names`: ```yaml server_groups: - # … ddr_names: - 'dns.example.com' # … ``` It is empty by default. These values will be used for constructing a response for Discovery of Designated Resolvers. Empty value leads to a NODATA response. Adjust the new value, if necessary. ## AGDNS-624 / Build 314 - The property `tls` of objects within the `server_groups.*.servers.*` array has been moved to the `server_group` object becoming common for the whole group. Any group having at least a single server of DoH/DoT/DoQ protocols will require the `tls` property specified. Any group having no encrypted resolvers will require the `tls` property absence. So replace this: ```yaml server_groups: - # … servers: - name: default_dot protocol: tls tls: # … # … ``` with this: ```yaml server_groups: - tls: # … # … servers: - name: default_dot protocol: tls # … ``` Adjust the new value, if necessary. ## AGDNS-829 / Build 308 - The object `upstream` has a new property, `timeout`. So replace this: ```yaml upstream: server: 127.0.0.9:53 fallback: - 1.1.1.1:53 - 8.8.8.8:53 ``` with this: ```yaml upstream: server: 127.0.0.9:53 timeout: 2s fallback: - 1.1.1.1:53 - 8.8.8.8:53 ``` Adjust the new value, if necessary. ## AGDNS-286 / Build 307 - The new object `connectivity_check` has been added: ```yaml connectivity_check: probe_ipv4: '8.8.8.8:53' probe_ipv6: '[2001:4860:4860::8888]:53' ``` ## AGDNS-745 / Build 298 - The object `filters` has a new property, `refresh_timeout`. So replace this: ```yaml filters: response_ttl: 5m custom_filter_cache_size: 1024 refresh_interval: 1h ``` with this: ```yaml filters: response_ttl: 5m custom_filter_cache_size: 1024 refresh_interval: 1h refresh_timeout: 5m ``` Adjust the values, if necessary. ## AGDNS-608 / Build 273 - The object `cache` has two new properties, `type` and `ecs_size`. So replace this: ```yaml cache: size: 10000 ``` with this: ```yaml cache: type: "simple" size: 10000 ecs_size: 10000 ``` Adjust the values, if necessary. ## AGDNS-327 / Build 259 - Prometheus metric `dns_tls_handshake_total` has been updated with `server_name` label. This label represents "Server Name Indication" identifiers, grouped by endpoint identifier and known server names. All unknown server names are grouped in `other` label: ```none # TYPE dns_tls_handshake_total counter dns_tls_handshake_total{cipher_suite="TLS_AES_128_GCM_SHA256",did_resume="0",negotiated_proto="",proto="tls",server_name="default_dot: other",tls_version="tls1.3"} 4 ``` ## AGDNS-607 / Build 258 - The special "disallow-all" response is served on `/robots.txt` requests to `web` module. ## AGDNS-506 / Build 242 - The property `cache_size` of object `geoip` has been renamed to `ip_cache_size`. Also, a new property named `host_cache_size` has been added. So replace this: ```yaml geoip: cache_size: 100000 refresh_interval: 1h ``` with this: ```yaml geoip: host_cache_size: 100000 ip_cache_size: 100000 refresh_interval: 1h ``` Adjust the new value, if necessary. ## AGDNS-505 / Build 238 - The object `backend` has a new property, `bill_stat_interval`. So replace this: ```yaml backend: timeout: 10s refresh_interval: 15s full_refresh_interval: 24h ``` with this: ```yaml backend: timeout: 10s refresh_interval: 15s full_refresh_interval: 24h bill_stat_interval: 15s ``` Adjust the value, if necessary. ## AGDNS-187 / Build 228 - The new required environment variables `GENERAL_SAFE_SEARCH_URL` and `YOUTUBE_SAFE_SEARCH_URL` has been added. Those are expected to lead to plain text filters, for example: ```sh GENERAL_SAFE_SEARCH_URL='https://adguardteam.github.io/HostlistsRegistry/assets/engines_safe_search.txt' YOUTUBE_SAFE_SEARCH_URL='https://adguardteam.github.io/HostlistsRegistry/assets/youtube_safe_search.txt' ``` ## AGDNS-344 / Build 226 - The environment variables `CONSUL_DNSCHECK_KV_URL` and `CONSUL_DNSCHECK_SESSION_URL` are now unset by default. Which means that by default HTTP key-value database isn't used. ## AGDNS-431 / Build 211 - The object `web` has a new optional property, `linked_ip`: ```yaml web: linked_ip: bind: - address: 127.0.0.1:80 - address: 127.0.0.1:443 certificates: - certificate: ./test/cert.crt key: ./test/cert.key ``` ## AGDNS-425 / Build 209 - The objects within the `server_groups.*.servers` array have a new optional property, `linked_ip_enabled`. It is `false` by default. Set to `true` to enable linked IP address detection on that server: ```yaml server_groups: - # … servers: - name: default_dns protocol: dns linked_ip_enabled: true # … ``` ## AGDNS-405 / Build 195 - Used our fork of miekg/dns library to fix the EDNS0 TCP keep-alive issue. ## AGDNS-341 / Build 183 - Removed the static DNS check `/info.txt`. Now that `web` module is available, it is no more needed since it can be configured via the `web` module. ## AGDNS-341 / Build 179 - The object `doh` has been removed. - The new optional object `web` has been added: ```yaml web: safe_browsing: bind: - address: 127.0.0.1:80 - address: 127.0.0.1:443 certificates: - certificate: ./test/cert.crt key: ./test/cert.key block_page: /path/to/block_page.html adult_blocking: bind: - address: 127.0.0.1:80 - address: 127.0.0.1:443 certificates: - certificate: ./test/cert.crt key: ./test/cert.key block_page: /path/to/block_page.html non_doh_bind: - address: 127.0.0.1:80 - address: 127.0.0.1:443 certificates: - certificate: ./test/cert.crt key: ./test/cert.key static_content: '/favicon.ico': content_type: image/x-icon content: base64content root_redirect_url: "https://adguard-dns.com" error_404: /path/to/error_404.html error_500: /path/to/error_500.html timeout: 1m ``` ## AGDNS-367 / Build 164 - The object `geoip` has a new property, `cache_size`. ## AGDNS-310 / Build 153 - The environment variable `LOG_OUTPUT` has been removed. Logs are now always written to stdout. ## AGDNS-339 / Build 136 - The environment variable `DNSDB_PATH` is now unset by default. Which means that by default DNSDB is disabled. ## AGDNS-350 / Build 135 - The new optional environment variable `SSLKEYLOGFILE` has been added. ## AGDNS-345 / Build 133 - The object `check` has a new property, `node_location`. ## AGDNS-322 / Build 116 - The property `device_id_wildcard_domains` in the objects within the `server_groups.*.servers` array has been renamed to the shorter `device_id_wildcards`. - The DNS names from certificates are not used to detect device IDs and perform additional validations anymore. ## AGDNS-305 / Build 114 - The new required environment variable `BLOCKED_SERVICE_INDEX_URL` has been added. It has no default value, so it's necessary to set it. ## AGDNS-319 / Build 113 - The objects within the `server_groups.*.servers` array have a new property, `tls.device_id_wildcard_domains`. It is an array of domain name wildcards used to detect device IDs. If necessary, add them: ```yaml server_groups: - # … servers: - name: default_dot # … tls: # … device_id_wildcard_domains: - *.dns.adguard.com ``` ## AGDNS-292 / Build 111 - The environment variable `CONSUL_URL` has been renamed to `CONSUL_ALLOWLIST_URL`. - The new required environment variables `CONSUL_DNSCHECK_KV_URL` and `CONSUL_DNSCHECK_SESSION_URL` are added. They have no default value, so it's necessary to set them. - The object `check` has a new property, `ttl`. Set it to a human-readable duration, for example `1m`. ## AGDNS-296 / Build 110 - The property `parental.safe_search` of objects within the `filtering_groups` array is renamed to `parental.general_safe_search` to synchronize it with the backend. ## Build 109 - The object `log` has been removed. Its properties have been moved to the environment. - The new environment variable `LOG_OUTPUT` has been added. It is the path to the plain text log file. If `stdout`, writes to standard output. If `stderr`, writes to standard error. The default value is `stdout`, adjust the value, if necessary. - The new environment variable `LOG_TIMESTAMP` has been added. When it is set to `1`, timestamps are shown in the plain text logs. When set to `0`, they are not shown. The default value is `1`, adjust the value, if necessary. - The environment variable `VERBOSE` doesn't support a set but empty value. Unset the value or replace it with a `0`. ## AGDNS-295 / Build 105 - Another change in the objects within the `filtering_groups`. Before: ```yaml filtering_groups: - id: default filters: - adguard_dns_filter parental: true block_adult: true safe_browsing: true safe_search: true youtube_safe_search: true ``` After: ```yaml filtering_groups: - id: default parental: enabled: true block_adult: true safe_search: true youtube_safe_search: true rule_lists: enabled: true ids: - adguard_dns_filter safe_browsing: enabled: true ``` ## AGDNS-290 / Build 97 - The object `check` has a new property, `node_name`. ## AGDNS-287 / Build 96 - The objects within the `server_groups.*.servers` array have a new optional property in their `dnscrypt` objects, `inline`. Also, the property `config` is renamed to `config_path`. So replace this: ```yaml server_groups: - name: adguard_dns_default filtering_group: default servers: - name: default_dnscrypt # … dnscrypt: config: './test/dnscrypt.yml' # … ``` with this: ```yaml server_groups: - name: adguard_dns_default filtering_group: default servers: - name: default_dnscrypt # … dnscrypt: inline: provider_name: 2.dnscrypt-cert.example.org public_key: F11DDBCC4817E543845FDDD4CB881849B64226F3DE397625669D87B919BC4FB0 private_key: 5752095FFA56D963569951AFE70FE1690F378D13D8AD6F8054DFAA100907F8B6F11DDBCC4817E543845FDDD4CB881849B64226F3DE397625669D87B919BC4FB0 resolver_secret: 9E46E79FEB3AB3D45F4EB3EA957DEAF5D9639A0179F1850AFABA7E58F87C74C4 resolver_public: 9327C5E64783E19C339BD6B680A56DB85521CC6E4E0CA5DF5274E2D3CE026C6B es_version: 1 certificate_ttl: 8760h # … ``` or this: ```yaml server_groups: - name: adguard_dns_default filtering_group: default servers: - name: default_dnscrypt # … dnscrypt: config_path: './test/dnscrypt.yml' # … ``` Adjust the values, if necessary. ## AGDNS-290 / Build 95 - The property `server_name` of object `check` is removed. ## AGDNS-272 / Build 94 - The new optional object `doh` has been added, which supplements the DNS-over-HTTP server configuration. Example: ```yaml doh: root_redirect_url: "https://adguard-dns.com/" ``` ## AGDNS-140 / Build 90 - The objects within the `server_groups.*.servers` array have a new property, `tls.session_keys`. So, if necessary, replace this: ```yaml server_groups: - name: adguard_dns_default filtering_group: default servers: - name: default_dot # … tls: certificates: - certificate: ./test/cert.crt key: ./test/cert.key # … ``` with this: ```yaml server_groups: - name: adguard_dns_default filtering_group: default servers: - name: default_dot # … tls: certificates: - certificate: ./test/cert.crt key: ./test/cert.key session_keys: - ./private/key_1 # … ``` ## AGDNS-233 / Build 88 - The object `backend` has a new property, `full_refresh_interval`. So replace this: ```yaml backend: timeout: 10s refresh_interval: 1m ``` with this: ```yaml backend: timeout: 10s refresh_interval: 1m full_refresh_interval: 24h ``` Adjust the value, if necessary. ## AGDNS-247 / Build 86 - The new object `check` has been added, which configures the DNS checks mechanism. Example: ```yaml check: domain: "dnscheck.adguard.com" ipv4: - 1.2.3.4 - 5.6.7.8 ipv6: - 1234::cdee - 1234::cdef server_name: "AdGuard DNS Default" ``` ## AGDNS-246 / Build 83 - The new environment variable `RULESTAT_URL` has been added. Its default value is an empty string, which means that no statistics are gathered. Adjust the value, if necessary. ## AGDNS-245 / Build 74 - The new environment variable `DNSDB_PATH` has been added. Its default value is `./dnsdb.bolt`. Adjust the value, if necessary. ## AGDNS-139 / Build 73 - The new required environment variable `CONSUL_URL` has been added. It has no default value, so it's necessary to set it. - The ratelimit configuration for a server has changed from this: ```yaml ratelimit: refuseany: true response_size_limit: 1KB rate_limit_cache_ttl: 10m back_off_cache_ttl: 30m rps: 30 backoff_limit: 1000 ``` to this: ```yaml ratelimit: allowlist: list: - '127.0.0.1' - '127.0.0.1/24' refresh_interval: 30s back_off_count: 1000 back_off_duration: 30m back_off_period: 10m refuseany: true response_size_estimate: 1KB rps: 30 ``` See README.md for documentation. ## AGDNS-154 / Build 71 - The property `backend` of the `query_log` object is removed. ## AGDNS-230 / Build 67 - The new required environment variable `FILTER_INDEX_URL` has been added. It has no default value, so it's necessary to set it. - The environment variable `BACKEND_ENDPOINT` is now required and has no default value. - Property `lists` of the `filters` object is removed. - A new property `refresh_interval` has been added to the `filters` object. ## AGDNS-229 / Build 62 - The new environment variable `FILTER_CACHE_PATH` has been added. Its default value is `./filters/`. Adjust the value, if necessary. - The `list` property of `safe_browsing` and `adult_blocking` objects as well as the `path` property of the `filters.lists` objects are removed. - Property `url` of the `filters.lists` objects is now required. ## AGDNS-188 / Build 61 - The type of the `cache.size` property was changed from bytes to integer. So replace this: ```yaml cache: size: 50KB ``` with this: ```yaml cache: size: 10000 ``` Set the new values accordingly. ## AGDNS-149, AGDNS-150, AGDNS-189 / Build 52 - The top-level object `parental` was renamed to `adult_blocking`. - The objects `safe_browsing` and `adult_blocking` have four new properties, `cache_size`, `cache_ttl`, `refresh_interval`, and `url`. So replace this: ```yaml safe_browsing: block_host: standard-block.dns.adguard.com list: ./test/safe_browsing.txt adult_blocking: block_host: family-block.dns.adguard.com list: ./test/parental.txt ``` with this: ```yaml safe_browsing: url: https://static.example.com/safe_browsing.txt block_host: standard-block.dns.adguard.com cache_size: 1024 cache_ttl: 1h list: ./test/safe_browsing.txt refresh_interval: 1h adult_blocking: url: https://static.example.com/adult_blocking.txt block_host: family-block.dns.adguard.com cache_size: 1024 cache_ttl: 1h list: ./test/parental.txt refresh_interval: 1h ``` Set the new values accordingly. - The objects within the `filtering_groups` array have a new property, `block_adult`. So replace this: ```yaml filtering_groups: - id: default filters: - adguard_dns_filter parental: false safe_browsing: true safe_search: false youtube_safe_search: false # … ``` with this: ```yaml filtering_groups: - id: default filters: - adguard_dns_filter parental: false block_adult: false safe_browsing: true safe_search: false youtube_safe_search: false # … ``` Set the new value accordingly. - The objects within the `filters.lists` array have a new property, `refresh_interval`. The property is only required when the property `url` is also set. So replace this: ```yaml filters: # … lists: - id: adguard_dns_filter url: 'https://example.com/adguard_dns_filter.txt' path: ./test/filters/adguard_dns_filter.txt - id: peter_lowe_list path: ./test/filters/peter_lowe_list.txt ``` with this: ```yaml filters: # … lists: - id: adguard_dns_filter url: 'https://example.com/adguard_dns_filter.txt' path: ./test/filters/adguard_dns_filter.txt refresh_interval: 1h - id: peter_lowe_list path: ./test/filters/peter_lowe_list.txt ``` Set the new value accordingly. ## Build 45 - The property `youtube_restricted` was renamed to `youtube_safe_search`. So replace this: ```yaml filtering_groups: - id: default # … youtube_restricted: false - id: strict # … youtube_restricted: true ``` with this: ```yaml filtering_groups: - id: default # … youtube_safe_search: false - id: strict # … youtube_safe_search: true ``` ## AGDNS-152 / Build 43 - The blocked response TTL parameter has been moved and renamed. From this: ```yaml dns: blocked_response_ttl: 10s ``` to this: ```yaml filters: response_ttl: 10s ``` The `dns` object has been completely removed. ## AGDNS-177 / Build 40 - The TLS configuration for a server has changed from this: ```yaml tls: certificates: - certificate: /test/cert.crt key: /test/cert.key domains: - dns.adguard.com ``` to this: ```yaml tls: certificates: - certificate: /test/cert.crt key: /test/cert.key ``` The domains to be used in device ID detection are now expected to be contained in the certificate's DNS Names section of SAN. ## AGDNS-167 / Build 39 - The filtering configuration has changed from this: ```yaml filters: - id: adguard_dns_filter path: ./tmp.dir/filter.txt ``` to this: ```yaml filters: custom_filter_cache_size: 1024 lists: - id: adguard_dns_filter path: ./tmp.dir/filter.txt ```