Releases: DNSCrypt/dnscrypt-proxy

Release 2.1.7

11 Jan 14:58
  • This version reintroduces support for XSalsa20 encryption in DNSCrypt, which was removed in 2.1.6. Unfortunately, a bunch of servers still only support that encryption system.
  • A check for lying resolvers was added for DNSCrypt, similar to the one that was already present for DoH and ODoH.
  • Binary packages for Windows/ARM are now available, albeit not in MSI format yet.

Release 2.1.6

10 Jan 23:38
  • Forwarding: in the list of servers for a zone, the $BOOTSTRAP keyword can be included as a shortcut to forward to the bootstrap servers. And the $DHCP keyword can be included to forward to the DNS resolvers provided by the local DHCP server. Based on work by YX Hao, thanks! DHCP forwarding should be considered experimental and may not work on all operating systems. A rule for a zone can mix and match multiple forwarder types, such as 10.0.0.1,10.0.0.254,$DHCP,192.168.1.1,$BOOTSTRAP. Note that this is not implemented for captive portals yet.
  • Lying resolvers are now skipped, instead of just printing an error. This doesn't apply to captive portal and forwarding entries, which are the only reasonable use case for lying resolvers.
  • Support for XSalsa20 in DNSCrypt has been removed. This was not documented, and was superseded by XChaCha20 in 2016.
  • Source files are now fetched with compression.
  • DNS64: compatibility has been improved.
  • Forwarding: the root domain (.) can now be forwarded.
  • The ARC caching algorithm has been replaced by the SIEVE algorithm.
  • Properties of multiple servers are now updated simultaneously. The concurrency level can be adjusted with the new cert_refresh_concurrency setting. Contributed by YX Hao.
  • MSI packages for DNSCrypt can now easily be built.
  • New command-line flag: -include-relays to include relays in -list and -list-all.
  • Support for DNS extended error codes has been added.
  • Documentation updates, bug fixes, dependency updates.

Release 2.1.5

11 Aug 17:11
  • dnscrypt-proxy can be compiled with Go 1.21.0+
  • Responses to blocked queries now include extended error codes
  • Reliability of connections using HTTP/3 has been improved
  • New configuration directive: tls_key_log_file. When defined, this is the path to a file where TLS secret keys will be written to, so that DoH traffic can be locally inspected.

Release 2.1.4

07 Feb 10:15

Version 2.1.4

  • Fixes a regression from version 2.1.3: when cloaking was enabled, blocked responses were returned for records that were not A/AAAA/PTR even for names not in the cloaked list.

Release 2.1.3

02 Feb 19:52

Version 2.1.3

  • DNS-over-HTTP/3 (QUIC) should be more reliable. In particular, version 2.1.2 required another (non-QUIC) resolver to be present for bootstrapping, or the resolver's IP address to be present in the stamp. This is not the case any more.
  • dnscrypt-proxy is now compatible with Go 1.20+
  • Commands (-check, -show-certs, -list, -list-all) now ignore log files and directly output the result to the standard output.
  • The cert_ignore_timestamp configuration switch is now documented. It allows ignoring timestamps for DNSCrypt certificate verification, until a first server is available. This should only be used on devices that don't have any way to set the clock before the DNS service is up. However, a safer alternative remains to use an NTP server with a fixed IP address (such as time.google.com), configured in the captive portals file.
  • Cloaking: when a name is cloaked, unsupported record types now return a blocked response rather than the actual records.
  • systemd: report Ready earlier as dnscrypt-proxy can itself manage retries for updates/refreshes.

Release 2.1.2

01 Aug 16:11
  • Support for DoH over HTTP/3 (DoH3, HTTP over QUIC) has been added. Compatible servers will automatically use it. Note that QUIC uses UDP (usually over port 443, like DNSCrypt) instead of TCP.
  • In previous versions, memory usage kept growing due to channels not being properly closed, causing goroutines to pile up. This was fixed, resulting in a significant reduction of memory usage. Thanks to @lifenjoiner for investigating and fixing this!
  • DNS64: CNAME records are now translated like other responses. Thanks to @ignoramous for this!
  • A relay whose name has been configured, but doesn't exist in the list of available relays is now a hard error. Thanks to @lifenjoiner!
  • Mutexes/locking: bug fixes and improvements, by @ignoramous.
  • Official packages now include linux/riscv64 builds.
  • dnscrypt-proxy -resolve now reports if ECS (EDNS Client Subnet) is supported by the server.
  • dnscrypt-proxy -list now includes ODoH (Oblivious DoH) servers.
  • Local DoH: queries made using the GET method are now handled.
  • The service can now be installed on OpenRC-based systems.
  • PTR queries are now supported for cloaked domains. Contributed by Ian Bashford, thanks!

Release 2.1.1

27 Sep 16:32

This is a bugfix only release, addressing regressions introduced in version 2.1.0:

  • When using DoH, cached responses were not served any more when experiencing connectivity issues. This has been fixed.
  • Time attributes in allow/block lists were ignored. This has been fixed.
  • The TTL as served to clients is now rounded and starts decreasing before the first query is received.
  • Time-based rules are properly handled again in generate-domains-blocklist.
  • DoH/ODoH: entries with an IP address and using a non-standard port used to require help from a bootstrap resolver. This is not the case any more.

Release 2.1.0

14 Aug 13:46

Version 2.1.0

  • dnscrypt-proxy now includes support for Oblivious DoH.
  • If the proxy is overloaded, cached and synthetic queries now keep being served, while non-cached queries are delayed.
  • A deprecation warning was added for fallback_resolvers.
  • Source URLs are now randomized.
  • On some platforms, redirecting the application log to a file was not compatible with user switching; this has been fixed.
  • fallback_resolvers was renamed to bootstrap_resolvers for clarity. Please update your configuration file accordingly.

2.0.46-beta3

12 Jun 12:51

Version 2.0.46 (not released yet, may become 2.1.0)

beta 3:

  • Add support for the final version of the Oblivious DoH specification.

beta 2:

  • Relays are now mandatory for ODoH servers.
  • Routes with server_name = '*' now correctly handle both relay types.
  • A deprecation warning was added for fallback_resolvers.

beta 1:

  • Source URLs are now randomized.
  • On some platforms, redirecting the application log to a file was not compatible with user switching; this has been fixed.
  • fallback_resolvers was renamed to bootstrap_resolvers for clarity. Please update your configuration file accordingly.
  • Preliminary support for ODoH (Oblivious DoH) was added. Thanks to Chris Wood for his help on this!

2.0.46-beta2

08 Jun 09:17

Version 2.0.46 (not released yet, may become 2.1.0)

beta 2:

  • Relays are now mandatory for ODoH servers.
  • Routes with server_name = '*' now correctly handle both relay types.
  • A deprecation warning was added for fallback_resolvers.

beta 1:

  • Source URLs are now randomized.
  • On some platforms, redirecting the application log to a file was not compatible with user switching; this has been fixed.
  • fallback_resolvers was renamed to bootstrap_resolvers for clarity. Please update your configuration file accordingly.
  • Preliminary support for ODoH (Oblivious DoH) was added. Thanks to Chris Wood for his help on this!