AdGuard Home v0.107.34

This release improves the security of AdGuard Home and fixes a few larger issues.

Safe Browsing and CPU spikes

Back in June we released a security update to AdGuard Home with a few bugfixes. Ironically, it brought about another bug. Safe Browsing and Parental Control weren't working properly since then, which in some cases led to lowered performance, random crashes, and huge CPU spikes.

It took us an entire month to get to the bottom of this, and it certainly would have taken even longer if not for the awesome community members: @bigwookie, @TheCableGuy99, and others. It turned out that “The Big Bug” was, in fact, three smaller bugs in a trenchcoat. And they were all mercilessly dealt with in this update.

Docker HEALTHCHECK

Docker users should note that the Docker HEALTHCHECK mechanism has been removed, since it was causing a lot of issues, especially when used with Podman and other popular Docker tools.

Acknowledgements

A special thanks to our open-source contributor, @Jiraiya8, as well as to everyone who filed and inspected issues, added translations, and helped us test this release!

Full changelog

See also the v0.107.34 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the CVE-2023-29406 Go vulnerability fixed in Go 1.19.11.

Added

• Ability to ignore queries for the root domain, such as NS . queries (#5990).

Changed

• Improved CPU and RAM consumption during updates of filtering-rule lists.

Configuration Changes

In this release, the schema version has changed from 23 to 24.

• Properties starting with log_, and verbose property, which used to set up logging are now moved to the new object log containing new properties file, max_backups, max_size, max_age, compress, local_time, and verbose:

  # BEFORE:
  'log_file': ""
  'log_max_backups': 0
  'log_max_size': 100
  'log_max_age': 3
  'log_compress': false
  'log_localtime': false
  'verbose': false
  
  # AFTER:
  'log':
      'file': ""
      'max_backups': 0
      'max_size': 100
      'max_age': 3
      'compress': false
      'local_time': false
      'verbose': false

  To rollback this change, remove the new object log, set back log_ and verbose properties and change the schema_version back to 23.

Deprecated

• Default exposure of the non-standard ports 784 and 8853 for DNS-over-QUIC in the Dockerfile.

Fixed

• Two unspecified IPs when a host is blocked in two filter lists (#5972).

• Incorrect setting of Parental Control cache size.

• Excessive RAM and CPU consumption by Safe Browsing and Parental Control filters (#5896).

Removed

• The HEALTHCHECK section and the use of tini in the ENTRYPOINT section in Dockerfile (#5939). They caused a lot of issues, especially with tools like docker-compose and podman.

  NOTE: Some Docker tools may cache ENTRYPOINT and HEALTHCHECK sections, so some users may be required to backup their configuration, stop the container, purge the old image, and reload it from scratch.

AdGuard Home v0.108.0-b.40

Changes compared to the previous beta, v0.108.0-b.39. See CHANGELOG.md for all changes.

Full changelog

Changed

• Improved CPU and RAM consumption during updates of filtering-rule lists.

Deprecated

• Default exposure of the non-standard ports 784 and 8853 for DNS-over-QUIC in the Dockerfile.

Fixed

• Two unspecified IPs when a host is blocked in two filter lists (#5972).

• Incorrect setting of Parental Control cache size.

• Excessive RAM and CPU consumption by Safe Browsing and Parental Control filters (#5896).

Removed

• The HEALTHCHECK section and the use of tini in the ENTRYPOINT section in Dockerfile (#5939). They caused a lot of issues, especially with tools like docker-compose and podman.

  NOTE: Some Docker tools may cache ENTRYPOINT sections, so some users may be required to backup their configuration, stop the container, purge the old image, and reload it from scratch.

AdGuard Home v0.108.0-b.39

Changes compared to the previous beta, v0.108.0-b.38. See CHANGELOG.md for all changes.

Acknowledgements

A special thanks to our open-source contributor, @Jiraiya8, as well as to everyone who filed and inspected issues, added translations, and helped us test this release!

Full changelog

Changed

Configuration Changes

In this release, the schema version has changed from 22 to 23.

• Properties bind_host, bind_port, and web_session_ttl which used to setup web UI binding configuration, are now moved to a new object http containing new properties address and session_ttl:

  # BEFORE:
  'bind_host': '1.2.3.4'
  'bind_port': 8080
  'web_session_ttl': 720
  
  # AFTER:
  'http':
    'address': '1.2.3.4:8080'
    'session_ttl': '720h'

  Note that the new http.session_ttl property is now a duration string. To rollback this change, remove the new object http, set back bind_host, bind_port, web_session_ttl, and change the schema_version back to 22.

Deprecated

• HEALTHCHECK and ENTRYPOINT sections in Dockerfile (#5939). They cause a lot of issues, especially with tools like docker-compose and podman, and will be removed in a future release.

Fixed

• Ignoring of /etc/hosts file when resolving the hostnames of upstream DNS servers (#5902).

AdGuard Home v0.107.33

Bugs need to be fixed, and that's just what we did in this release 🔧. Besides that, we've been working on internal improvements that will make it easier to add new features in future releases.

Acknowledgements

A special thanks to our open-source contributors, @agneevX and @Jiraiya8, as well as to everyone who filed and inspected issues, added translations, and helped us test this release!

Full changelog

See also the v0.107.33 GitHub milestone.

Added

• The new command-line flag --web-addr is the address to serve the web UI on, in the host:port format.

• The ability to set inactivity periods for filtering blocked services, both globally and per client, in the configuration file (#951). The UI changes are coming in the upcoming releases.

• The ability to edit rewrite rules via PUT /control/rewrite/update HTTP API and the Web UI (#1577).

Changed

Configuration Changes

In this release, the schema version has changed from 20 to 23.

• Properties bind_host, bind_port, and web_session_ttl which used to setup web UI binding configuration, are now moved to a new object http containing new properties address and session_ttl:

  # BEFORE:
  'bind_host': '1.2.3.4'
  'bind_port': 8080
  'web_session_ttl': 720
  
  # AFTER:
  'http':
    'address': '1.2.3.4:8080'
    'session_ttl': '720h'

  Note that the new http.session_ttl property is now a duration string. To rollback this change, remove the new object http, set back bind_host, bind_port, web_session_ttl, and change the schema_version back to 22.

• Property clients.persistent.blocked_services, which in schema versions 21 and earlier used to be a list containing ids of blocked services, is now an object containing ids and schedule for blocked services:

  # BEFORE:
  'clients':
    'persistent':
      - 'name': 'client-name'
        'blocked_services':
        - id_1
        - id_2
  
  # AFTER:
  'clients':
    'persistent':
    - 'name': client-name
      'blocked_services':
        'ids':
        - id_1
        - id_2
      'schedule':
        'time_zone': 'Local'
        'sun':
          'start': '0s'
          'end': '24h'
        'mon':
          'start': '1h'
          'end': '23h'

  To rollback this change, replace clients.persistent.blocked_services object with the list of ids of blocked services and change the schema_version back to 21.

• Property dns.blocked_services, which in schema versions 20 and earlier used to be a list containing ids of blocked services, is now an object containing ids and schedule for blocked services:

  # BEFORE:
  'blocked_services':
  - id_1
  - id_2
  
  # AFTER:
  'blocked_services':
    'ids':
    - id_1
    - id_2
    'schedule':
      'time_zone': 'Local'
      'sun':
        'start': '0s'
        'end': '24h'
      'mon':
        'start': '10m'
        'end': '23h30m'
      'tue':
        'start': '20m'
        'end': '23h'
      'wed':
        'start': '30m'
        'end': '22h30m'
      'thu':
        'start': '40m'
        'end': '22h'
      'fri':
        'start': '50m'
        'end': '21h30m'
      'sat':
        'start': '1h'
        'end': '21h'

  To rollback this change, replace dns.blocked_services object with the list of ids of blocked services and change the schema_version back to 20.

Deprecated

• HEALTHCHECK and ENTRYPOINT sections in Dockerfile (#5939). They cause a lot of issues, especially with tools like docker-compose and podman, and will be removed in a future release.

• Flags -h, --host, -p, --port have been deprecated. The -h flag will work as an alias for --help, instead of the deprecated --host in the future releases.

Fixed

• Ignoring of /etc/hosts file when resolving the hostnames of upstream DNS servers (#5902).

• Excessive error logging when using DNS-over-QUIC (#5285).

• Inability to set bind_host in AdGuardHome.yaml in Docker (#4231, #4235).

• The blocklists can now be deleted properly (#5700).

• Queries with the question-section target ., for example NS ., are now counted in the statistics and correctly shown in the query log (#5910).

• Safe Search not working with AAAA queries for domains that don't have AAAA records (#5913).

AdGuard Home v0.108.0-b.38

Changes compared to the previous beta, v0.108.0-b.37. See CHANGELOG.md for all changes.

Acknowledgements

A special thanks to our open-source contributor, @agneevX, as well as to everyone who filed and inspected issues, added translations, and helped us test this release!

Full changelog

Added

• The new command-line flag --web-addr is the address to serve the web UI on, in the host:port format.

• The ability to set inactivity periods for filtering blocked services, both globally and per client, in the configuration file (#951). The UI changes are coming in the upcoming releases.

• The ability to edit rewrite rules via PUT /control/rewrite/update HTTP API and the Web UI (#1577).

Changed

Configuration Changes

The schema version has changed from 20 to 22.

• Property clients.persistent.blocked_services, which in schema versions 21 and earlier used to be a list containing ids of blocked services, is now an object containing ids and schedule for blocked services:

  # BEFORE:
  'clients':
    'persistent':
      - 'name': 'client-name'
        'blocked_services':
        - id_1
        - id_2
  
  # AFTER:
  'clients':
    'persistent':
    - 'name': client-name
      'blocked_services':
        'ids':
        - id_1
        - id_2
      'schedule':
        'time_zone': 'Local'
        'sun':
          'start': '0s'
          'end': '24h'
        'mon':
          'start': '1h'
          'end': '23h'

  To rollback this change, replace clients.persistent.blocked_services object with the list of ids of blocked services and change the schema_version back to 21.

• Property dns.blocked_services, which in schema versions 20 and earlier used to be a list containing ids of blocked services, is now an object containing ids and schedule for blocked services:

  # BEFORE:
  'blocked_services':
  - id_1
  - id_2
  
  # AFTER:
  'blocked_services':
    'ids':
    - id_1
    - id_2
    'schedule':
      'time_zone': 'Local'
      'sun':
        'start': '0s'
        'end': '24h'
      'mon':
        'start': '10m'
        'end': '23h30m'
      'tue':
        'start': '20m'
        'end': '23h'
      'wed':
        'start': '30m'
        'end': '22h30m'
      'thu':
        'start': '40m'
        'end': '22h'
      'fri':
        'start': '50m'
        'end': '21h30m'
      'sat':
        'start': '1h'
        'end': '21h'

  To rollback this change, replace dns.blocked_services object with the list of ids of blocked services and change the schema_version back to 20.

Deprecated

• Flags -h, --host, -p, --port have been deprecated. The -h flag will work as an alias for --help, instead of the deprecated --host in the future releases.

Fixed

• Excessive error logging when using DNS-over-QUIC (#5285).

• Cannot set bind_host in AdGuardHome.yaml (docker version)(#4231, #4235).

• The blocklists can now be deleted properly (#5700).

• Queries with the question-section target ., for example NS ., are now counted in the statistics and correctly shown in the query log (#5910).

• Safe Search not working with AAAA queries for domains that don't have AAAA records (#5913).

AdGuard Home v0.108.0-b.37

Changes compared to the previous beta, v0.108.0-b.36. See CHANGELOG.md for all changes.

Full changelog

Fixed

• DNSCrypt upstream not resetting the client and resolver information on dialing errors (#5872).

AdGuard Home v0.107.32

A hotfix release to fix a major issue in the previous release.

Full changelog

Fixed

• DNSCrypt upstream not resetting the client and resolver information on dialing errors (#5872).

AdGuard Home v0.108.0-b.36

Changes compared to the previous beta, v0.108.0-b.35. See CHANGELOG.md for all changes.

Full changelog

Fixed

• Startup errors on OpenWrt (#5872).

• Plain-UDP upstreams always falling back to TCP, causing outages and slowdowns (#5873, #5874).

AdGuard Home v0.107.31

A hotfix release to fix two major issues in the previous release.

Full changelog

See also the v0.107.31 GitHub milestone.

Fixed

• Startup errors on OpenWrt (#5872).

• Plain-UDP upstreams always falling back to TCP, causing outages and slowdowns (#5873, #5874).

AdGuard Home v0.108.0-b.35

Changes compared to the previous beta, v0.108.0-b.34. See CHANGELOG.md for all changes.

Full changelog

Security

• Go version has been updated to prevent the possibility of exploiting the CVE-2023-29402, CVE-2023-29403, and CVE-2023-29404 Go vulnerabilities fixed in Go 1.19.10.

Added

• The ability to edit rewrite rules via PUT /control/rewrite/update HTTP API (#1577).

Fixed

• Unquoted IPv6 bind hosts with trailing colons erroneously considered unspecified addresses are now properly validated (#5752).

  NOTE: the Docker healthcheck script now also doesn't interpret the "" value as unspecified address.

• Incorrect Content-Type header value in POST /control/version.json and GET /control/dhcp/interfaces HTTP APIs (#5716).