Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:dirkmueller:AL:TW
dnscrypt-proxy
dnscrypt-proxy.changes
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File dnscrypt-proxy.changes of Package dnscrypt-proxy
------------------------------------------------------------------- Sun Apr 21 12:00:00 UTC 2024 - cunix@mail.de - added patch quic-go.patch (boo#1222473) ------------------------------------------------------------------- Mon Feb 5 12:00:00 UTC 2024 - cunix@mail.de - use systemd sysusers ------------------------------------------------------------------- Sun Aug 13 12:00:00 UTC 2023 - cunix@mail.de - 2.1.5 - Update to version 2.1.5 * Responses to blocked queries now include extended error codes * Reliability of connections using HTTP/3 has been improved * New configuration directive: "tls_key_log_file" to dump TLS secret keys ------------------------------------------------------------------- Sat Feb 11 12:00:00 UTC 2023 - cunix@mail.de - 2.1.4 - Update to version 2.1.4 * Fixes a regression from version 2.1.3: when cloaking was enabled, blocked responses were returned for records that were not A/AAAA/PTR even for names that were not in the cloaked list. ------------------------------------------------------------------- Sun Feb 5 12:00:00 UTC 2023 - cunix@mail.de - 2.1.3 - Update to version 2.1.3 * DNS-over-HTTP/3 (QUIC) should be more reliable. In particular, version 2.1.2 required another (non-QUIC) resolver to be present for bootstrapping, or the resolver's IP address to be present in the stamp. This is not the case any more. * dnscrypt-proxy is now compatible with Go 1.20+ * Commands (-check, -show-certs, -list, -list-all) now ignore log files and directly output the result to the standard output. * The "cert_ignore_timestamp" configuration switch is now documented. It allows ignoring timestamps for DNSCrypt certificate verification, until a first server is available. This should only be used on devices that don't have any ways to set the clock before DNS service is up. However, a safer alternative remains to use an NTP server with a fixed IP address (such as time.google.com), configured in the captive portals file. * Cloaking: when a name is cloaked, unsupported record types now return a blocked response rather than the actual records. * systemd: report Ready earlier as dnscrypt-proxy can itself manage retries for updates/refreshes. * vendored dependencies updated ------------------------------------------------------------------- Tue Aug 2 12:00:00 UTC 2022 - cunix@mail.de - 2.1.2 - Update to version 2.1.2 * Support for DoH over HTTP/3 (DoH3, HTTP over QUIC) Compatible servers will automatically use it. Note that QUIC uses UDP (usually over port 443, like DNSCrypt) instead of TCP. * fixed memory usage kept growing due to channels not being properly closed * DNS64: "CNAME" records are now translated like other responses * A relay whose name has been configured, but doesn't exist in the list of available relays is now a hard error * "dnscrypt-proxy -resolve" now reports if ECS (EDNS-clientsubnet) is supported by the server * "dnscrypt-proxy -list" now includes ODoH (Oblivious DoH) servers * Local DoH: queries made using the "GET" method are now handled * "PTR" queries are now supported for cloaked domains - Minimum golang version now at 1.18 ------------------------------------------------------------------- Wed Mar 22 12:00:00 UTC 2022 - cunix@mail.de - switched to vendored_licenses_packager as build dependency ------------------------------------------------------------------- Fri Oct 1 12:00:00 UTC 2021 - cunix@mail.de - 2.1.1 - Update to version 2.1.1 * Serve cached DoH responses when experiencing connectivity issues. * Time attributes in allow/block lists were ignored. * TTL served to clients is now rounded and starts decreasing before the first query is received. * Time-based rules are properly handled again in generate-domains-blocklist. * DoH/ODoH: entries with an IP address and using a non-standard port should not require help from a bootstrap resolver any more. ------------------------------------------------------------------- Sun Aug 15 12:00:00 UTC 2021 - cunix@mail.de - 2.1.0 - Update to version 2.1.0 * "fallback_resolvers" was renamed to "bootstrap_resolvers" Please update your configuration file accordingly. * Support for Oblivious DoH. * If the proxy is overloaded, cached and synthetic queries now keep being served, while non-cached queries are delayed. * Source URLs are now randomized. * Default "reject_ttl" reduced from 600 to 10 - Minimum golang version now at 1.16 - Find more "legal" files to include. ------------------------------------------------------------------- Sat Jan 30 12:00:00 UTC 2021 - cunix@mail.de - Use less predictable temporary files during build (bsc#1181502). ------------------------------------------------------------------- Thu Jan 7 20:00:00 UTC 2021 - cunix@mail.de - Added optional resolvconf support via systemd unit. ------------------------------------------------------------------- Mon Jan 4 20:00:00 UTC 2021 - cunix@mail.de - Minimum golang version now at 1.15 - Include 'notice' and 'patents' files of vendored packages. - Paths and hints in configuration file adjusted and added. ------------------------------------------------------------------- Mon Jan 4 11:45:57 UTC 2021 - Ismail Dönmez <idonmez@suse.com> - Update to version 2.0.45 * Configuration changes (to be required in versions 2.1.x): - [blacklist] has been renamed to [blocked_names] - [ip_blacklist] has been renamed to [blocked_ips] - [whitelist] has been renamed to [allowed_names] - generate-domains-blacklist.py has been renamed to generate-domains-blocklist.py, and the configuration files have been renamed as well. * dnscrypt-proxy -resolve has been completely revamped, and now requires the configuration file to be accessible. It will send a query to an IP address of the dnscrypt-proxy server by default. Sending queries to arbitrary servers is also supported with the new -resolve name,address syntax. * Relay lists can be set to * for automatic relay selection. When a wildcard is used, either for the list of servers or relays, the proxy ensures that relays and servers are on distinct networks. * Lying resolvers are detected and reported. * New return code: NOT_READY for queries received before the proxy has been initialized. * Server lists can't be older than a week any more, even if directory permissions are incorrect and cache files cannot be written. * New feature: allowed_ips, to configure a set of IP addresses to never block no matter what DNS name resolves to them. * Hard-coded IP addresses can be immediately returned for test queries sent by operating systems in order to check for connectivity and captive portals. Such responses can be sent even before an interface is considered as enabled by the operating system. This can be configured in a new section called [captive_portals]. * On Linux, OpenBSD and FreeBSD, listen_addresses can now include IP addresses that haven't been assigned to an interface yet. * generate-domains-blocklist.py: regular expressions are now ignored in time-based entries. * Minor bug fixes and logging improvements. * Cloaking plugin: if an entry has multiple IP addresses for a type, all the IP addresses are now returned instead of a random one. * Static entries can now include DNSCrypt relays. * Name blocking: aliases relying on SVCB and HTTPS records can now be blocked in addition to aliases via regular CNAME records. * EDNS-Client-Subnet information can be added to outgoing queries. Instead of sending the actual client IP, ECS information is user configurable, and IP addresses will be randomly chosen for every query. * Initial DoH queries are now checked using random names in order to properly measure CDNs such as Tencent that ignore the padding. * DoH: the max-stale cache control directive is now present in queries. * Logs can now be sent to /dev/stdout instead of actual files. * New download mirror (https://download.dnscrypt.net) for resolvers, relays and parental-control. ------------------------------------------------------------------- Wed Jul 22 01:43:47 UTC 2020 - Bernhard Wiedemann <bwiedemann@suse.com> - Sort file lists to make package build reproducible ------------------------------------------------------------------- Tue Jun 30 12:00:00 UTC 2020 - cunix@mail.de - Made PID available in /run/dnscrypt-proxy/dnscrypt-proxy.pid through systemd service unit. - README.openSUSE updated. - dnscrypt-proxy.socket.conf added as example for a systemd drop-in file to override the socket unit. ------------------------------------------------------------------- Fri Jun 12 12:00:00 UTC 2020 - cunix@mail.de - 2.0.44 - Update to version 2.0.44 * Netprobes and listening sockets are now ignored when the '-list', '-list-all', '-show-certs' or '-check' command-line switches are used. * 'tls_client_auth' was renamed to 'doh_client_x509_auth'. A section with the previous name is temporarily ignored if empty, but will error out if not. * Updates to the set of block lists. - Breaking change from 2.0.43 Update: The 'tls_client_auth' section was renamed to 'doh_client_x509_auth'. If you had a tls_client_auth section in the configuration file, it needs to be updated/renamed/deleted. ------------------------------------------------------------------- Tue Jun 09 16:00:00 UTC 2020 - cunix@mail.de - 2.0.43 - Minimum golang version now at 1.14 - Update to version 2.0.43 * When stored into a file, service logs now only contain data from the most recent launch. This can be changed with the new 'log_file_latest' option. * Support for DNS64 translation implemented. * Connections to DoH servers can be authenticated using TLS client certificates. * Multiple stamps are now allowed for a single server in resolvers and relays lists. * Updates and additions for the example domain block lists. * Cached configuration files can now be temporarily used if they are out of date, but bootstraping is impossible. * 'generate-domains-blacklists' now tries to deduplicate entries clobbered by wildcard rules. * 'generate-domains-blacklists' can now directly write lists to a file with the `-o` command-line option. * Cache files are now downloaded as the user the daemon will be running as. This fixes permission issues at startup time. * Forwarded queries are now subject to global timeouts, and can be forced to use TCP. * The 'ct' parameter has been removed from DoH queries, as Google doesn't require it any more. ------------------------------------------------------------------- Sat May 23 12:00:00 UTC 2020 - cunix@mail.de - 2.0.42 - Upgrade to 2.0.42 (boo#1165343) - Spec files from home:darix:apps/dnscrypt-proxy and home:cunix:go/dnscrypt-proxy2 merged into existing spec. - v1 of dnscrypt-proxy is not supported anymore and v2 is a new project. This will require v1 users to migrate their configuration. - dnscrypt-proxy-default-config.patch deleted because patched file 'dnscrypt-proxy.conf' is not used anymore. ------------------------------------------------------------------- Thu Dec 19 15:27:22 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org> - BuildRequire pkgconfig(libsystemd) instead of systemd-devel: Allow OBS to shortcut through the -mini flavors. ------------------------------------------------------------------- Mon Oct 23 08:42:59 UTC 2017 - bwiedemann@suse.com - Make builds reproducible by using a constant __DATE__ (boo#1047218) ------------------------------------------------------------------- Wed Sep 6 08:51:47 UTC 2017 - jengelh@inai.de - Errors from user creation from pre scriptlet must not be ignored. - Ensure neutrality of description. ------------------------------------------------------------------- Sat Aug 5 13:44:34 UTC 2017 - sebix+novell.com@sebix.at - use packaged dnscrypt-resolvers.csv - fix systemd macros ------------------------------------------------------------------- Sun Jul 9 19:35:45 UTC 2017 - sebix+novell.com@sebix.at - upgrade to 1.9.5, shortened upstream changelog: * Cache plugin: fix the way items are moved from recent to frequent lists * In addition to making the cache work as expected, this prevents `CacheEntry` items from becoming orphans. * Cache plugin: fix the way items are moved from recent to frequent lists * In addition to making the cache work as expected, this prevents `CacheEntry` items from becoming orphans. * Adding Babylon Network resolvers (#647) * Update resolvers list * Reset the reachability of nameservers if all are unreachable (#609) * If all nameservers have been marked unreachable, they will not be queried * again until dnscrypt-proxy is restarted. This fix allows for queries to be * retried without restarting dnscrypt-proxy. * Doc error: client-pk is the client' public key. Spotted by @willnix Fixes #603 * Whitelist some TLDs typically used on local networks * Normalize the dnscrypt-resolvers.csv format * ldns-blocking: fix another corner case with suffix matching Ruleset: ``` *.example.com ru.example.com ``` A query for `xru.example.com` would find `ru.example.com` as the longest suffix. The expression didn't match since this is neither an exact match nor a match that stops at a label. However, this was ignoring the fact that there a different, shorter rule could match. This is pretty annoying, as keeping our promise to log the longest match means that we need at least yet another lookup in that specific case. Alternatively, the fpst lookup function could be specialized to stop at labels, but that would defeat the point of this example plugin. So, perform an extra lookup after striping the first (last, once the name is reversed) label. * Added pidfile - specfile fixes, cleanup ------------------------------------------------------------------- Sun Jan 29 08:58:58 UTC 2017 - i@marguerite.su - update version 1.9.4 * The resolver name can be set to 'random' in order to pick a random resolver. * changelog for older releases see github/jedisct1/dnscrypt-proxy - use upstream configuration instead ------------------------------------------------------------------- Sun Jan 29 04:20:43 UTC 2017 - i@marguerite.su - drop /etc/sysconfig/dnscrypt-proxy, it can'be used in instantiated services, now instantiated services should be started with "sudo systemctl start dnscrypt-proxy@config.service", the switch from IP:Port to Config is because we need not only the IP:Port customizable, but also the DNSCRYPT_RESOLVER_NAME, to start multi- instances. (boo#977946) - add /etc/dnscrypt-proxy.conf.d directory for configurations. ------------------------------------------------------------------- Sat Aug 13 13:52:25 UTC 2016 - i@marguerite.su - switched to systemd template service. in the future, users should use 'sudo systemctl start dnscrypt-proxy@127.0.0.1:53.service' to start the service. any local address can be used. - dropped dnscrypt-proxy.socket again. the listen address in the socket can't be substituted at runtime that makes it impossible to use multiple instances. and it doesn't work together with the forking method in our systemd service. - move pidfile and logfile into their own directories. in previous submit, we finnaly used the user 'dnscrypt' to start the job, but that user doesn't have write permission for /var/run and /var/log. - dropped the /usr/sbin/dnscrypt wrapper that broke the systemd service from forking. we used EnvironmentFile in systemd service to load the user-customizable variables. - changed /etc/sysconfig/dnscrypt to /etc/sysconfig/dnscrypt-proxy. deleted those plugin items that can't be loaded by systemd. users can use DNSCRYPT_OPTIONS to configure the plugins anyway, no need to keep those placeholders. ------------------------------------------------------------------- Sat Aug 6 04:14:25 UTC 2016 - i@marguerite.su - update version 1.7.0 * Plugins are now enabled by default. * New command-line option: `--ignore-timestamps` to ignore timestamps when performing certificate validation. * New command-line option: `--syslog-prefix` to add a prefix to log messages. * Certificates can now be retrieved using TCP. * Libevent was updated to version 2.0.23. * Certificates serial numbers are printed as a string if possible. * The list of known public resolvers was updated. - add upstream's systemd socket, fix boo#977946 again ------------------------------------------------------------------- Thu Jun 9 09:59:26 UTC 2016 - i@marguerite.su - fix boo#977946 & boo#957003 * use %fillup_only macro right. can't skip "-n", or it'll use package name while sysconfig.dnscrypt-proxy doesn't exist. - use %fillup_prereq macro - move libraries out from -devel subpackage, it's just not right. - don't link dnscrypt-proxy.8.gz to dnscrypt.8.gz - don't link /sbin/service to /sbin/rcdnscrypt. * that method is used for backward compability w/ SysVInit service while /sbin/dnscrypt is a wrapper to the actual command, and dnscrypt is not a valid service name but dnscrypt-proxy. ------------------------------------------------------------------- Fri Feb 12 00:00:00 CET 2016 - dsterba@suse.cz * version 1.6.1: - Security: malformed packets could cause the OpenDNS deviceid, OpenDNS set-client-ip, blocking and AAAA blocking plugins to use uninitialized pointers, leading to a denial of service or possibly code execution. The vulnerable code is present since dnscrypt-proxy 1.1.0. OpenDNS users and people using dnscrypt-proxy in order to block domain names and IP addresses should upgrade as soon as possible. - add dnscrypt-resolvers.csv from git (41c6d8bb1f49a0216357) ------------------------------------------------------------------- Fri Dec 18 00:00:00 CET 2015 - dsterba@suse.cz - add dnscrypt-resolvers.csv from git (e6b4e93d07bdce39d4656c5a6) - change default resolver to cisco (bnc#957003) ------------------------------------------------------------------- Tue Sep 1 00:00:00 CEST 2015 - dsterba@suse.cz * version 1.6.0: - New feature: public-key based client authentication (-K), for private and commercial DNS services to securely authenticate the sender of a query no matter what the source IP address is, without altering the DNS query. * version 1.5.0: - New option: -E, to use an ephemeral key pair for each query. - Logging to files is supported on Windows. - TCP FASTOPEN is now enabled on Linux. * version 1.4.4 - edns used by default - server list updated - various build fixes - spec file cleanup ------------------------------------------------------------------- Fri Mar 6 00:00:00 CET 2015 - dsterba@suse.cz - update to 1.4.3 - libevent update, including a fix for CVE-2014-6272 - Two new public dnscrypt resolvers were added: opennic-us-wa-ns1 and dnscrypt.org-fr - d0wn servers in France IP have changed. - Compilation fixes. - version 1.4.2 - New compilation switch: --with-systemd, to enable socket activation support when using systemd - The list of public DNSCrypt-enabled resolvers was updated - Libevent2 updates - add sysconfig file for more flexible configuration - build -devel package and enable plugins - create user dnscrypt:dnscrypt during installation ------------------------------------------------------------------- Wed Oct 1 15:04:43 CEST 2014 - dsterba@suse.cz - update to 1.4.1 ------------------------------------------------------------------- Fri May 2 11:27:44 UTC 2014 - i@marguerite.su - update version 1.4.0 * see https://github.com/jedisct1/dnscrypt-proxy/commits/master ------------------------------------------------------------------- Tue Oct 23 16:58:22 UTC 2012 - i@marguerite.su - fix a hang bug in dnscrypt.service - upstream clarify license, it's BSD. ------------------------------------------------------------------- Sun Oct 21 18:28:26 UTC 2012 - i@marguerite.su - add systemd service. ------------------------------------------------------------------- Sun Oct 21 12:57:13 UTC 2012 - i@marguerite.su - Version 1.2.0: * A pre-filter can now totally bypass the resolver and directly send a reply to the client. * A new example plugin has been shipped: ldns-aaaa-blocking. It directly sends an empty response to AAAA queries in order to significantly speed up lookups on hosts without IPv6 connectivity (but with clients still asking for AAAA records anyway). * Example plugins requiring ldns can be compiled on Windows. * Paths with a drive name are now recognized as absolute paths on Windows.
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor