Update adguard/adguardhome Docker tag to v0.107.71

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
adguard/adguardhome (source)	minor	v0.103.3 -> v0.107.71

---

Release Notes

AdguardTeam/AdGuardHome (adguard/adguardhome)

v0.107.71

Compare Source

See also the v0.107.71 GitHub milestone.

Changed

• Stale records in optimistic DNS cache now have an upper age limit controlled by dns.cache_optimistic_max_age. The default value is 12 hours.

• TTL for stale answers from optimistic DNS cache is now controlled by dns.cache_optimistic_answer_ttl. The default value is 30 seconds.

Configuration changes

In this release, the schema version has changed from 31 to 32.

• Added a new string fields dns.cache_optimistic_answer_ttl and dns.cache_optimistic_max_age.

  # BEFORE:
  'dns':
    'cache_enabled': true
    'cache_optimistic': true
    # …
  
  # AFTER:
  'dns':
    'cache_enabled': true
    'cache_optimistic': true
    'cache_optimistic_answer_ttl': '30s'
    'cache_optimistic_max_age': '12h'
    # …
    ```
  
  To roll back this change, set the `schema_version` back to `31`.

Fixed

• Optimistic DNS cache not working (#​8148).

v0.107.70

Compare Source

See also the v0.107.70 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.25.5.

Added

• New field "start_time" in the GET /control/status response.

Changed

• Stale records in optimistic DNS cache now have an upper age limit of 12 hours.

• New blocked services UI.

Fixed

• Generated mobileconfig could not be installed on macOS 26.1.

v0.107.69

Compare Source

See also the v0.107.69 GitHub milestone.

Changed

• Node.js 24 is now used to build the frontend.

Deprecated

• Node.js 20 and 22 support.

Fixed

• DHCP settings could not be saved (#​8075).

• DNS Rewrite edit modal did not populate with the correct values (#​8072).

Removed

• The outdated querylog anonymization script.

v0.107.68

Compare Source

See also the v0.107.68 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.25.3.

Added

• New DNS rewrite settings endpoints GET /control/rewrite/settings and PUT /control/rewrite/settings/update (#​1765). See openapi/openapi.yaml for details.

• New fields "groups" and "group_id" added to the HTTP API (GET /control/blocked_services/all). See openapi/openapi.yaml for the full description.

Changed

• POST /control/rewrite/add and PUT /control/rewrite/update now accept the optional field "enabled" (#​1765). See openapi/openapi.yaml for details.

Configuration changes

In this release, the schema version has changed from 30 to 31.

• Added a new boolean field filtering.rewrites_enabled to globally enable/disable DNS rewrites.

• Added a new boolean field enabled for each entry in filtering.rewrites to toggle individual rewrites.

  # BEFORE:
  'filtering':
    'rewrites':
      - 'domain': test.example
        'answer': 192.0.2.0
    # …
  
  # AFTER:
  'filtering':
    'rewrites_enabled': true
    'rewrites':
      - 'domain': test.example
        'answer': 192.0.2.0
        'enabled': true
    # …

  To roll back this change, set schema_version back to 30.

v0.107.67

Compare Source

See also the v0.107.67 GitHub milestone.

Added

• The HaGeZi's DNS Rebind Protection filter for protecting against DNS rebinding attacks (#​102).

• Support for configuring the suggested default HTTP port for the installation wizard via the ADGUARD_HOME_DEFAULT_WEB_PORT environment variable (useful for vendors).

Changed

• Optimized matching of filtering rules.

Fixed

• Excessive configuration file overwrites when visiting the Web UI and a non-empty language is set.

• Lowered the severity of log messages for failed deletion of old filter files (#​7964).

v0.107.66

Compare Source

See also the v0.107.66 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.25.1.

Changed

• Our snap package now uses the core24 image as its base.

• Outgoing HTTP requests now use the User-Agent header AdGuardHome/v0.107.66 (where v0.107.66 is the current version) instead of Go-http-client/1.1 (#​7979).

Fixed

• Authentication errors in the Web UI when AdGuard Home is behind a proxy that sets Basic Auth headers (#​7987).

• The HTTP API GET /control/profile endpoint failing when no users were configured (#​7985).

• Missing warning on the Encryption Settings page when using a certificate without an IP address.

v0.107.65

Compare Source

See also the v0.107.65 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.24.6.

Added

• A separate checkbox in the Web UI to enable or disable the global DNS response cache without losing the configured cache size.

• A new "cache_enabled" field to the HTTP API (GET /control/dns_info and POST /control/dns_config). See openapi/openapi.yaml for the full description.

Changed

Configuration changes

In this release, the schema version has changed from 29 to 30.

• Added a new boolean field dns.cache_enabled to the configuration. This field explicitly controls whether DNS caching is enabled, replacing the previous implicit logic based on dns.cache_size.

  # BEFORE:
  'dns':
      # …
      'cache_size': 123456
  
  # AFTER:
  'dns':
      # …
      'cache_enabled': true
      'cache_size': 123456

  To roll back this change, set the schema_version back to 29.

Fixed

• Disabled state of Top clients action button in web UI (#​7923).

v0.107.64

Compare Source

See also the v0.107.64 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.24.5.

Fixed

• TTL override calculation (#​7903).
• Validation process for DNSCrypt settings (#​7856).

v0.107.63

Compare Source

See also the v0.107.63 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.24.4.

Fixed

• The hostnames of DHCP clients with multiple labels not being recognized.

• Status reported by the systemd service implementation in cases of auto-restart after a failed start.

v0.107.62

Compare Source

See also the v0.107.62 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.24.3.

Fixed

• Clients with CIDR identifiers showing zero requests on the Settings → Client settings page (#​2945).

• Command line option --update when the dns.serve_plain_dns configuration property was disabled (#​7801).

• DNS cache not working for custom upstream configurations.

• Validation process for the DNS-over-TLS, DNS-over-QUIC, and HTTPS ports on the Encryption Settings page.

• Searching for persistent clients using an exact match for CIDR in the POST /clients/search HTTP API.

v0.107.61

Compare Source

See also the v0.107.61 GitHub milestone.

Security

• Any simultaneous requests that are considered duplicates will now only result in a single request to upstreams, reducing the chance of a cache poisoning attack succeeding. This is controlled by the new configuration object pending_requests, which has a single enabled property, set to true by default.

  NOTE: We thank Xiang Li for reporting this security issue. It's strongly recommended to leave it enabled, otherwise AdGuard Home will be vulnerable to untrusted clients.

v0.107.60

Compare Source

See also the v0.107.60 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.24.2.

Changed

• Alpine Linux version in Dockerfile has been updated to 3.21 (#​7588).

Deprecated

• Node 20 support, Node 22 will be required in future releases.

  NOTE: npm may be replaced with a different tool, such as pnpm or yarn, in a future release.

Fixed

• Filtering for DHCP clients (#​7734).

• Incorrect label on login page (#​7729).

• Validation process for the HTTPS port on the Encryption Settings page.

Removed

• Node 18 support.

v0.107.59

Compare Source

See also the v0.107.59 GitHub milestone.

• Rules with the client modifier not working (#​7708).

• The search form not working in the query log (#​7704).

v0.107.58

Compare Source

See also the v0.107.58 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.24.1.

Added

• The ability to check filtering rules for host names using an optional query type and optional ClientID or client IP address (#​4036).

• Optional client and qtype URL query parameters to the GET /control/check_host HTTP API.

Fixed

• Clearing the DNS cache on the DNS settings page now includes both global cache and custom client cache.

• Invalid ICMPv6 Router Advertisement messages (#​7547).

• Disabled button for autofilled login form.

• Formatting of elapsed times less than one millisecond.

• Changes to global upstream DNS settings not applying to custom client upstream configurations.

• The formatting of large numbers in the clients tables on the Client settings page (#​7583).

v0.107.57

Compare Source

See also the v0.107.57 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.23.6.

Added

• The ability to specify the upstream timeout in the Web UI.

Changed

• The Fastest IP address upstream mode now correctly collects statistics for all upstream DNS servers.

Fixed

• The hostnames of DHCP clients not being shown in the Top clients table on the dashboard (#​7627).

• The formatting of large numbers in the upstream table and query log (#​7590).

v0.107.56

Compare Source

See also the v0.107.56 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.23.5.

Added

• The new HTTP API POST /clients/search that finds clients by their IP addresses, CIDRs, MAC addresses, or ClientIDs. See openapi/openapi.yaml for the full description.

Deprecated

• The GET /clients/find HTTP API is deprecated. Use the new POST /clients/search API.

Fixed

• Request count link in the clients table (#​7513).

• The formatting of large numbers on the dashboard (#​7329).

v0.107.55

Compare Source

See also the v0.107.55 GitHub milestone.

Security

• The permission check and migration on Windows has been fixed to use the Windows security model more accurately (#​7400).

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.23.4.

• The Windows executables are now signed.

Added

• The --no-permcheck command-line option to disable checking and migration of permissions for the security-sensitive files and directories, which caused issues on Windows (#​7400).

Fixed

• Setup guide styles in Firefox.

• Goroutine leak during the upstream DNS server test (#​7357).

• Goroutine leak during configuration update resulting in increased response time ([#​6818]).

v0.107.54

Compare Source

See also the v0.107.54 GitHub milestone.

Security

• Incorrect handling of sensitive files permissions on Windows (#​7314).

Changed

• Improved filtering performance (#​6818).

Fixed

• Repetitive statistics log messages (#​7338).

• Custom client cache (#​7250).

• Missing runtime clients with information from the system hosts file on first AdGuard Home start (#​7315).

v0.107.53

Compare Source

See also the v0.107.53 GitHub milestone.

Security

• Previous versions of AdGuard Home allowed users to add any system file it had access to as filters, exposing them to be world-readable. To prevent this, AdGuard Home now allows adding filtering-rule list files only from files matching the patterns enumerated in the filtering.safe_fs_patterns property in the configuration file.

  We thank @​itz-d0dgy for reporting this vulnerability, designated CVE-2024-36814, to us.

• Additionally, AdGuard Home will now try to change the permissions of its files and directories to more restrictive ones to prevent similar vulnerabilities as well as limit the access to the configuration.

  We thank @​go-compile for reporting this vulnerability, designated CVE-2024-36586, to us.

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.23.2.

Added

• Support for 64-bit RISC-V architecture (#​5704).

• Ecosia search engine is now supported in safe search (#​5009).

Changed

• Upstream server URL domain names requirements has been relaxed and now follow the same rules as their domain specifications.

Configuration changes

In this release, the schema version has changed from 28 to 29.

• The new array filtering.safe_fs_patterns contains glob patterns for paths of files that can be added as local filtering-rule lists. The migration should add list files that have already been added, as well as the default value, $DATA_DIR/userfilters/*.

Fixed

• Property clients.runtime_sources.dhcp in the configuration file not taking effect.

• Stale Google safe search domains list (#​7155).

• Bing safe search from Edge sidebar (#​7154).

• Text overflow on the query log page (#​7119).

Known issues

• Due to the complexity of the Windows permissions architecture and poor support from the standard Go library, we have to postpone the proper automated Windows fix until the next release.

  Temporary workaround: Set the permissions of the AdGuardHome directory to more restrictive ones manually. To do that:

  1. Locate the AdGuardHome directory.

  2. Right-click on it and navigate to Properties → Security → Advanced.

  3. (You might need to disable permission inheritance to make them more restricted.)

  4. Adjust to give the Full control access to only the user which runs AdGuard Home. Typically, Administrator.

v0.107.52

Compare Source

See also the v0.107.52 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in Go 1.22.5.

Added

• The ability to disable logging using the new log.enabled configuration property (#​7079).

Changed

• Frontend rewritten in TypeScript.

• The systemd-based service now uses journal for logging by default. It also doesn’t create the /var/log/ directory anymore (#​7053).

  NOTE: With an installed service for changes to take effect, you need to reinstall the service using -r flag of the install script or via the CLI (with root privileges):

  ./AdGuardHome -s uninstall
  ./AdGuardHome -s install

  Don’t forget to backup your configuration file and other important data before reinstalling the service.

Deprecated

• Node 18 support, Node 20 will be required in future releases.

Fixed

• Panic caused by missing user-specific blocked services object in configuration file (#​7069).

• Tracking /etc/hosts file changes causing panics within particular filesystems on start (#​7076).

v0.107.51

Compare Source

See also the v0.107.51 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in Go 1.22.4.

Changed

• The HTTP server’s write timeout has been increased from 1 minute to 5 minutes to match the one used by AdGuard Home’s HTTP client to fetch filtering-list data (#​7041).

v0.107.50

Compare Source

See also the v0.107.50 GitHub milestone.

Fixed

• Broken private reverse DNS upstream servers validation causing update failures (#​7013).

v0.107.49

Compare Source

See also the v0.107.49 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in Go 1.22.3.

Added

• Support for comments in the ipset file (#​5345).

Changed

• Private rDNS resolution now also affects SOA and NS requests (#​6882).

• Rewrite rules mechanics were changed due to improved resolving in safe search.

Deprecated

• Currently, AdGuard Home skips persistent clients that have duplicate fields when reading them from the configuration file. This behaviour is deprecated and will cause errors on startup in a future release.

Fixed

• Acceptance of duplicate UIDs for persistent clients at startup. See also the section on client settings on the [Wiki page][wiki-config].

• Domain specifications for top-level domains not considered for requests to unqualified domains (#​6744).

• Support for link-local subnets, i.e. fe80::/16, as client identifiers (#​6312).

• Issues with QUIC and HTTP/3 upstreams on older Linux kernel versions (#​6422).

• YouTube restricted mode is not enforced by HTTPS queries on Firefox.

• Support for link-local subnets, i.e. fe80::/16, in the access settings (#​6192).

• The ability to apply an invalid configuration for private rDNS, which led to server not starting.

• Ignoring query log for clients with ClientID set (#​5812).

• Subdomains of in-addr.arpa and ip6.arpa containing zero-length prefix incorrectly considered invalid when specified for private rDNS upstream servers (#​6854).

• Unspecified IP addresses aren’t checked when using "Fastest IP address" mode (#​6875).

v0.107.48

Compare Source

See also the v0.107.48 GitHub milestone.

Fixed

• Access settings not being applied to encrypted protocols (#​6890).

v0.107.47

Compare Source

See also the v0.107.47 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in Go 1.22.2.

Changed

• Time Zone Database is now embedded in the binary (#​6758).

• Failed authentication attempts show the originating IP address in the logs, if the request came from a trusted proxy (#​5829).

Deprecated

• Go 1.22 support. Future versions will require at least Go 1.23 to build.

• Currently, AdGuard Home uses a best-effort algorithm to fix invalid IDs of filtering-rule lists on startup. This feature is deprecated, and invalid IDs will cause errors on startup in a future version.

• Node.JS 16. Future versions will require at least Node.JS 18 to build.

Fixed

• Resetting DNS upstream mode when applying unrelated settings (#​6851).

• Symbolic links to the configuration file begin replaced by a copy of the real file upon startup on FreeBSD (#​6717).

Removed

• Go 1.21 support.

v0.107.46

Compare Source

See also the v0.107.46 GitHub milestone.

Added

• Ability to disable the use of system hosts file information for query resolution (#​6610).

• Ability to define custom directories for storage of query log files and statistics (#​5992).

Changed

• Private rDNS resolution (dns.use_private_ptr_resolvers in YAML configuration) now requires a valid "Private reverse DNS servers", when enabled (#​6820).

  NOTE: Disabling private rDNS resolution behaves effectively the same as if no private reverse DNS servers provided by user and by the OS.

Fixed

• Statistics for 7 days displayed by day on the dashboard graph (#​6712).

• Missing "served from cache" label on long DNS server strings (#​6740).

• Incorrect tracking of the system hosts file’s changes (#​6711).

v0.107.45

Compare Source

See also the v0.107.45 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in Go 1.21.8.

Added

• Context menu item in the Query Log to add a Client to the Persistent client list (#​6679).

Changed

• Starting with this release our scripts are using Go’s forward compatibility mechanism for updating the Go version.

  Important note for porters: This change means that if your go version is 1.21+ but is different from the one required by AdGuard Home, the go tool will automatically download the required version.

  If you want to use the version installed on your builder, run:

  go get go@$YOUR_VERSION
  go mod tidy

  and call make with GOTOOLCHAIN=local.

Deprecated

• Go 1.21 support. Future versions will require at least Go 1.22 to build.

Fixed

• Missing IP addresses in logs when querying for domain names from the ignore lists.

• Blank page after resetting access clients (#​6634).

• Wrong algorithm for caching bootstrapped upstream addresses (#​6723).

Removed

• Go 1.20 support, as it has reached end of life.

v0.107.44

Compare Source

See also the v0.107.44 GitHub milestone.

Added

• Timezones in the Etc/ area to the timezone list (#​6568).

• The schema version of the configuration file to the output of running AdGuardHome (or AdGuardHome.exe) with -v --version command-line options (#​6545).

• Ability to disable plain-DNS serving via UI if an encrypted protocol is already used ([#​1660]).

Changed

• The bootstrapped upstream addresses are now updated according to the TTL of the bootstrap DNS response (#​6321).

• Logging level of timeout errors is now error instead of debug (#​6574).

• The field "upstream_mode" in POST /control/dns_config and GET /control/dns_info HTTP APIs now accepts load_balance value. Check openapi/CHANGELOG.md for more details.

Configuration changes

In this release, the schema version has changed from 27 to 28.

• The new property clients.persistent.*.uid, which is a unique identifier of the persistent client.

• The properties dns.all_servers and dns.fastest_addr were removed, their values migrated to newly added field dns.upstream_mode that describes the logic through which upstreams will be used. See also a Wiki page.

BEFORE:

'dns':

…

    'all_servers': true
    'fastest_addr': true

AFTER:

'dns':

…

    'upstream_mode': 'parallel'
```

To rollback this change, remove the new field `upstream_mode`, set back `dns.all_servers` and `dns.fastest_addr` properties in `dns` section, and change the `schema_version` back to `27`.

Fixed

• “Invalid AddrPort” in the Private reverse DNS servers section on the Settings → DNS settings page.

• Panic on using --no-etc-hosts flag (#​6644).

• Schedule display in the client settings after creating or updating.

• Zero value in querylog.size_memory disables logging (#​6570).

• Non-anonymized IP addresses on the dashboard (#​6584).

• Maximum cache TTL requirement when editing minimum cache TTL in the Web UI (#​6409).

• Load balancing algorithm stuck on a single server (#​6480).

• Statistics for 7 days displayed as 168 hours on the dashboard.

• Pre-filling the Edit static lease window with data (#​6534).

• Names defined in the /etc/hosts for a single address family wrongly considered undefined for another family (#​6541).

• Omitted CNAME records in safe search results, which can cause YouTube to not work on iOS (#​6352).

v0.107.43

Compare Source

See also the v0.107.43 GitHub milestone.

Fixed

• Incorrect handling of IPv4-in-IPv6 addresses when binding to an unspecified address on some machines (#​6510).

v0.107.42

Compare Source

See also the v0.107.42 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the CVE-2023-39326, CVE-2023-45283, and CVE-2023-45285 Go vulnerabilities fixed in Go 1.20.12.

Added

• Ability to set client’s custom DNS cache (#​6263).

• Ability to disable plain-DNS serving through configuration file if an encrypted protocol is already enabled (#​1660).

• Ability to specify rate limiting settings in the Web UI (#​6369).

Changed

Configuration changes

• The new property dns.serve_plain_dns has been added to the configuration file (#​1660).

• The property dns.bogus_nxdomain is now validated more strictly.

• Added new properties clients.persistent.*.upstreams_cache_enabled and clients.persistent.*.upstreams_cache_size that describe cache configuration for each client’s custom upstream configuration.

Fixed

• ipset entries family validation (#​6420).

• Pre-filling the New static lease window with data (#​6402).

• Protection pause timer synchronization (#​5759).

v0.107.41

Compare Source

See also the v0.107.41 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the CVE-2023-45283 and CVE-2023-45284 Go vulnerabilities fixed in Go 1.20.11.

Added

• Ability to specify subnet lengths for IPv4 and IPv6 addresses, used for rate limiting requests, in the configuration file (#​6368).

• Ability to specify multiple domain specific upstreams per line, e.g. [/domain1/../domain2/]upstream1 upstream2 .. upstreamN (#​4977).

Changed

• Increased the height of the ready-to-use filter lists dialog (#​6358).

• Improved logging of authentication failures (#​6357).

Configuration changes

• New properties dns.ratelimit_subnet_len_ipv4 and dns.ratelimit_subnet_len_ipv6 have been added to the configuration file (#​6368).

Fixed

• Schedule timezone not being sent (#​6401).

• Average request processing time calculation (#​6220).

• Redundant truncation of long client names in the Top Clients table (#​6338).

• Scrolling column headers in the tables (#​6337).

• $important,dnsrewrite rules not overriding allowlist rules (#​6204).

• Dark mode DNS rewrite background (#​6329).

• Issues with QUIC and HTTP/3 upstreams on Linux (#​6335).

v0.107.40

Compare Source

See also the v0.107.40 GitHub milestone.

Changed

• Block and Unblock buttons of the query log moved to the tooltip menu (#​684).

Fixed

• Dashboard tables scroll issue (#​6180).

• The time shown in the statistics is one hour less than the current time (#​6296).

• Issues with QUIC and HTTP/3 upstreams on FreeBSD (#​6301).

• Panic on clearing the query log (#​6304).

v0.107.39

Compare Source

See also the v0.107.39 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the CVE-2023-39323 and CVE-2023-39325 Go vulnerabilities fixed in Go 1.20.9 and Go 1.20.10.

Added

• Ability to edit static leases on DHCP settings page (#​1700).

• Ability to specify for how long clients should cache a filtered response, using the Blocked response TTL field on the DNS settings page (#​4569).

Changed

• ipset entries are updated more frequently (#​6233).

• Node.JS 16 is now required to build the frontend.

Fixed

• Incorrect domain-specific upstream matching for DS queries (#​6156).

• Improper validation of password length (#​6280).

• Wrong algorithm for filtering self addresses from the list of private upstream DNS servers (#​6231).

• An accidental change in DNS rewrite priority (#​6226).

v0.107.38

Compare Source

See also the v0.107.38 GitHub milestone.

Fixed

• Incorrect original answer when a response is filtered (#​6183).

• Comments in the Fallback DNS servers field in the UI (#​6182).

• Empty or default Safe Browsing and Parental Control settings (#​6181).

• Various UI issues.

v0.107.37

Compare Source

See also the v0.107.37 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the CVE-2023-39318, CVE-2023-39319, and CVE-2023-39320 Go vulnerabilities fixed in Go 1.20.8.

Added

• AdBlock-style syntax support for ignored domains in logs and statistics (#​5720).

• Strict-Transport-Security header in the HTTP API and DNS-over-HTTPS responses when HTTPS is forced (#​2998). See [RFC 6797][rfc6797].

• UI for the schedule of the service-blocking pause ([#​951]).

• IPv6 hints are now filtered in case IPv6 addresses resolving is disabled (#​6122).

• The ability to set fallback DNS servers in the configuration file and the UI (#​3701).

• While adding or updating blocklists, the title can now be parsed from ! Title: definition of the blocklist’s source (#​6020).

• The ability to filter DNS HTTPS records including IPv4 and IPv6 hints (#​6053).

• Two new metrics showing total number of responses from each upstream DNS server and their average processing time in the Web UI (#​1453).

• The ability to set the port for the pprof debug API, see configuration changes below.

Changed

• $dnsrewrite rules containing IPv4-mapped IPv6 addresses are now working consistently with legacy DNS rewrites and match the AAAA requests.

• For non-A and non-AAAA requests, which has been filtered, the NODATA response is returned if the blocking mode isn’t set to Null IP. In previous versions it returned NXDOMAIN response in such cases.

Configuration changes

In this release, the schema version has changed from 24 to 27.

• Ignore rules blocking . in querylog.ignored and statistics.ignored have been migrated to AdBlock syntax (|.^). To rollback this change, restore the rules and change the schema_version back to 26.

• Filtering-related settings have been moved from dns section of the YAML configuration file to the new section filtering:

BEFORE:

'dns':
  'filtering_enabled': true
  'filters_update_interval': 24
  'parental_enabled': false
  'safebrowsing_enabled': false
  'safebrowsing_cache_size': 1048576
  'safesearch_cache_size': 1048576
  'parental_cache_size': 1048576
  'safe_search':
    'enabled': false
    'bing': true
    'duckduckgo': true
    'google': true
    'pixabay': true
    'yandex': true
    'youtube': true
  'rewrites': []
  'blocked_services':
    'schedule':
      'time_zone': 'Local'
    'ids': []
  'protection_enabled':        true,
  'blocking_mode':             'custom_ip',
  'blocking_ipv4':             '1.2.3.4',
  'blocking_ipv6':             '1:2:3::4',
  'blocked_response_ttl':      10,
  'protection_disabled_until': 'null',
  'parental_block_host':       'p.dns.adguard.com',
  'safebrowsing_block_host':   's.dns.adguard.com'

AFTER:

'filtering':
  'filtering_enabled': true
  'filters_update_interval': 24
  'parental_enabled': false
  'safebrowsing_enabled': false
  'safebrowsing_cache_size': 1048576
  'safesearch_cache_size': 1048576
  'parental_cache_size': 1048576
  'safe_search':
    'enabled': false
    'bing': true
    'duckduckgo': true
    'google': true
    'pixabay': true
    'yandex': true
    'youtube': true
  'rewrites': []
  'blocked_services':
    'schedule':
      'time_zone': 'Local'
    'ids': []
  'protection_enabled':        true,
  'blocking_mode':             'custom_ip',
  'blocking_ipv4':             '1.2.3.4',
  'blocking_ipv6':             '1:2:3::4',
  'blocked_response_ttl':      10,
  'protection_disabled_until': 'null',
  'parental_block_host':       'p.dns.adguard.com',
  'safebrowsing_block_host':   's.dns.adguard.com',
```

To rollback this change, remove the new object `filtering`, set back filtering properties in `dns` section, and change the `schema_version` back to `25`.

• Property debug_pprof which used to setup profiling HTTP handler, is now moved to the new pprof object under http section. The new object contains properties enabled and port:

BEFORE:

'debug_pprof': true

AFTER:

'http':
  'pprof':
    'enabled': true
    'port': 6060
```

Note that the new default `6060` is used as default.  To rollback this change, remove the new object `pprof`, set back `debug_pprof`, and change the `schema_version` back to `24`.

Fixed

• Incorrect display date on statistics graph (#​5793).

• Missing query log entries and statistics on service restart (#​6100).

• Occasional DNS-over-QUIC and DNS-over-HTTP/3 errors (#​6133).

• Legacy DNS rewrites containing IPv4-mapped IPv6 addresses are now matching the AAAA requests, not A (#​6050).

• File log configuration, such as max_size, being ignored (#​6093).

• Panic on using a single-slash filtering rule.

• Panic on shutting down while DNS requests are in process of filtering (#​5948).

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.