Software-update: Adguard Home 0.105.0

Adguard Home versie 0.105 is uitgekomen. Met deze software kan er thuis een dns-server worden opgezet om zo onder meer advertenties en malware te blokkeren op het gehele netwerk. Het is daarmee dus vergelijkbaar met Pi-hole. Adguard Home werkt op een machine met Windows, macOS, Linux of FreeBSD en is ook in staat om tegen phishing te beschermen en heeft het parental control. Op ons eigen forum kan over het programma worden gediscussieerd. De releasenotes voor deze uitgave zien er als volgt uit:

AdGuard Home v0.105.0

We took our sweet time with this update, but you'll most certainly find it to be worth the wait. The changelog contains three absolute bangers and a laundry list of lesser changes.

Client ID support for DNS-over-HTTPS, DNS-over-QUIC, and DNS-over-TLS (#1387)

This feature would be really useful to those of you who run an encrypted DNS resolver on a public server. In short, you can now identify your devices not just by their IP address (which is, frankly, not too useful in a public server scenario), but by using a special "Client ID".

Here's how it works:

1. First, you add a client and specify an arbitrary string as its "Identifier", for instance, my-iphone.
2. On the client device you can now configure:
   • DNS-over-HTTPS: https://example.org/dns-query/my-iphone
   • DNS-over-TLS: tls://my-iphone.example.org (requires a Wildcard certificate)
   • DNS-over-QUIC: quic://my-iphone.example.org (requires a Wildcard certificate)
3. Queries and stats are now properly attributed to your device.

AdGuard as a DNSCrypt-resolver (#1361)

DNSCrypt was the very first DNS encryption protocol that got some traction. It may not be as popular as DoH/DoT/DoQ now, but it is still viable. Moreover, performance-wise DNSCrypt is better than any of them. And now that v0.105.0 is out, AdGuard Home can be configured to work as a DNSCrypt resolver!

However, here goes the tricky part. We haven't yet exposed these settings to the Web admin panel so if you want to have DNSCrypt, you'll need to follow this instruction and do it via editing the configuration file (AdGuardHome.yaml). Not that it would scare you off, would it?

Regarding DNSCrypt clients - AdGuard for Android, Windows and iOS support it, Mac will get its support pretty soon. Besides that, here is a long list of client software that supports it as well.

$dnsrewrite and $dnstype modifiers (#2102 #2337)

AdGuard Home now supports two more powerful rule modifiers that will help blocklists' maintainers.

• $dnstype lets you narrow down the rule scope and apply it only to queries of a specific type(s). For instance, Apple devices now support HTTPS DNS query type. While being generally a good thing, this new type may sometimes be harmful. By using $dnstype you can block it completely using a simple rule like this: $dnstype=HTTPS
• $dnsrewrite is another powerful modifier that allows you to modify DNS responses. Note that this modifier is much more powerful compared to something like a hosts file.

  Here are some examples:

  • ||example.org^$dnsrewrite=SERVFAIL;; - return SERVFAIL for example.org and all it's subdomains
  • |test.example.org^$dnsrewrite=NOERROR;TXT;hello_world - add a TXT record for test.example.org
  • |example.org^$dnsrewrite=example.com - redirect example.org to example.com
  • |example.org^$dnsrewrite=1.1.1.1 - redirect example.org to example.com
  • You can find more examples in the documentation.

Added

• Added more services to the "Blocked services" list (#2224, #2401).
• ipset subdomain matching, just like dnsmasq does (#2179).
• The host checking API and the query logs API can now return multiple matched rules (#2102).
• Detecting of network interface configured to have static IP address via /etc/network/interfaces (#2302).
• A 5 second wait period until a DHCP server's network interface gets an IP address (#2304).
• HTTP API request body size limit (#2305).

Changed

• Access-Control-Allow-Origin is now only set to the same origin as the domain, but with an HTTP scheme as opposed to * (#2484).
• workDir now supports symlinks.
• Stopped mounting together the directories /opt/adguardhome/conf and /opt/adguardhome/work in our Docker images (#2589).
• When dns.bogus_nxdomain option is used, the server will now transform responses if there is at least one bogus address instead of all of them (#2394). The new behavior is the same as in dnsmasq.
• Post-updating relaunch possibility is now determined OS-dependently (#2231, #2391).
• Made the mobileconfig HTTP API more robust and predictable, add parameters and improve error response (#2358).
• Improved HTTP requests handling and timeouts (#2343).
• Our snap package now uses the core20 image as its base (#2306).
• New build system and various internal improvements (#2271, #2276, #2297, #2509, #2552, #2639, #2646).

Deprecated

• Go 1.14 support. v0.106.0 will require at least Go 1.15 to build.
• The darwin/386 port. It will be removed in v0.106.0.
• The "rule" and "filter_id" fields in GET /filtering/check_host and
  GET /querylog responses. They will be removed in v0.106.0 (#2102).

Fixed

• Autoupdate bug in the Darwin (macOS) version (#2630).
• Unnecessary conversions from string to net.IP, and vice versa (#2508).
• Inability to set DNS cache TTL limits (#2459).
• Possible freezes on slower machines (#2225).
• A mitigation against records being shown in the wrong order on the query log page (#2293).
• A JSON parsing error in query log (#2345).
• Incorrect detection of the IPv6 address of an interface as well as another infinite loop in the /dhcp/find_active_dhcp HTTP API (#2355).

Removed

• The undocumented ability to use hostnames as any of bind_host values in the configuration. Documentation requires them to be valid IP addresses, and now the implementation makes sure that that is the case (#2508).
• Dockerfile (#2276). Replaced with the script scripts/make/build-docker.sh which uses scripts/make/Dockerfile.
• Support for pre-v0.99.3 format of query logs (#2102).