- Updated to version 2.1.8
* Dependencies have been updated, notably the QUIC implementation, which could
be vulnerable to denial-of-service attacks.
* In forwarding rules, the target can now optionally include a non-standard
DNS port number. The port number is also now optional when using IPv6.
* An annoying log message related to permissions on Windows has been
suppressed.
* Resolver IP addresses can now be refreshed more frequently. Additionally,
jitter has been introduced to prevent all resolvers from being refreshed
simultaneously. Further changes have been implemented to mitigate issues
arising from multiple concurrent attempts to resolve a resolver's IP
address.
* An empty value for "tls_cipher_suite" is now equivalent to leaving the
property undefined. Previously, it disabled all TLS cipher suites, which had
little practical justification.
* In forwarding rules, an optional `*.` prefix is now accepted.
OBS-URL: https://build.opensuse.org/request/show/1264791
OBS-URL: https://build.opensuse.org/package/show/server:dns/dnscrypt-proxy?expand=0&rev=56
- Update to version 2.1.6
* Forwarding: in the list of servers for a zone, the `$BOOTSTRAP` keyword can be included as a shortcut to forward to the bootstrap servers. And the `$DHCP` keyword can be included to forward to the DNS resolvers provided by the local DHCP server. Based on work by YX Hao, thanks! DHCP forwarding should be considered experimental and may not work on all operating systems. A rule for a zone can mix and match multiple forwarder types, such as `10.0.0.1,10.0.0.254,$DHCP,192.168.1.1,$BOOTSTRAP`. Note that this is not implemented for captive portals yet.
* Lying resolvers are now skipped, instead of just printing an error. This doesn't apply to captive portal and forwarding entries, which are the only reasonable use case for lying resolvers.
* Support for XSalsa20 in DNSCrypt has been removed. This was not documented, and was superseded by XChaCha20 in 2016.
* Source files are now fetched with compression.
* DNS64: compatibility has been improved.
* Forwarding: the root domain (`.`) can now be forwarded.
* The ARC caching algorithm has been replaced by the SIEVE algorithm.
* Properties of multiple servers are now updated simultaneously. The concurrency level can be adjusted with the new `cert_refresh_concurrency` setting. Contributed by YX Hao.
* MSI packages for DNSCrypt can now easily be built.
* New command-line flag: `-include-relays` to include relays in `-list` and `-list-all`.
* Support for DNS extended error codes has been added.
* Documentation updates, bug fixes, dependency updates.
- Drop quic-go.patch, for dnscrypt-proxy already pulls fixed quic-go v0.48.2
OBS-URL: https://build.opensuse.org/request/show/1236957
OBS-URL: https://build.opensuse.org/package/show/server:dns/dnscrypt-proxy?expand=0&rev=53
- Update to version 2.0.45
* Configuration changes (to be required in versions 2.1.x):
  - [blacklist] has been renamed to [blocked_names]
  - [ip_blacklist] has been renamed to [blocked_ips]
  - [whitelist] has been renamed to [allowed_names]
  - generate-domains-blacklist.py has been renamed to
    generate-domains-blocklist.py, and the configuration files
    have been renamed as well.
* dnscrypt-proxy -resolve has been completely revamped, and now
requires the configuration file to be accessible. It will send
a query to an IP address of the dnscrypt-proxy server by default.
Sending queries to arbitrary servers is also supported with the
new -resolve name,address syntax.
* Relay lists can be set to * for automatic relay selection.
When a wildcard is used, either for the list of servers or relays,
the proxy ensures that relays and servers are on distinct networks.
* Lying resolvers are detected and reported.
* New return code: NOT_READY for queries received before the proxy
has been initialized.
* Server lists can't be older than a week any more, even if directory
permissions are incorrect and cache files cannot be written.
* New feature: allowed_ips, to configure a set of IP addresses to never
block no matter what DNS name resolves to them.
* Hard-coded IP addresses can be immediately returned for test queries
sent by operating systems in order to check for connectivity and captive portals.
Such responses can be sent even before an interface is considered as enabled by the
operating system. This can be configured in a new section called [captive_portals].
* On Linux, OpenBSD and FreeBSD, listen_addresses can now include IP addresses
that haven't been assigned to an interface yet.
* generate-domains-blocklist.py: regular expressions are now ignored in time-based entries.
OBS-URL: https://build.opensuse.org/request/show/860171
OBS-URL: https://build.opensuse.org/package/show/server:dns/dnscrypt-proxy?expand=0&rev=30