Releases: DNSCrypt/dnscrypt-proxy
2.0.41
- Precompiled ARM binaries are compatible with armv5 CPUs. The default arm builds were not compatible with older CPUs when compiled with Go 1.14. mips64 binaries are explicitly compiled with softfloat to improve compatibility.
- Quad9 seems to be only blocking fragmented queries over UDP for some networks. They have been removed from the default list of broken resolvers; runtime detection of support for fragments should now do the job.
- Runtime detection of support for fragments was actually enabled.
2.0.40
- Servers blocking fragmented queries are now automatically detected.
- The server name is now only present in query logs when an actual upstream server was required to resolve a query.
- TLS client authentication has been added for DoH.
- The Firefox plugin is now skipped for connections coming from the local DoH server.
- DoH RTT computation is now more accurate, especially when CDNs are in the middle.
- The forwarding plugin is now more reliable, and handles retries over TCP.
2.0.39
2.0.38
- Entries from lists (forwarding, blacklists, whitelists) now support inline comments.
- Reliability improvement: queries over UDP are retried after a timeout instead of solely relying on the client.
- Reliability improvement: during temporary network outages, cached records are now served even if they are stale.
- Bug fix: SOCKS proxies and DNS relays can be combined.
- New feature: multiple fallback resolvers are now supported (see the new fallback_resolvers option. Note that fallback_resolver is still supported for backward compatibility).
- Windows: the service can be installed with a configuration file stored separately from the application.
- Security (affecting DoH): precompiled binaries of dnscrypt-proxy 2.0.37 are built using Go 1.13.7, which fixes a TLS certificate parsing issue present in previous versions of the compiler.
2.0.36
- New option: block_undelegated. When enabled, dnscrypt-proxy will directly respond to queries for locally-served zones (https://sk.tl/2QqB971U) and nonexistent zones that should have been kept local, but are frequently leaked. This reduces latency and improves privacy.
- Conformance: the DO bit is now set in synthetic responses if it was set in a question, and the AD bit is cleared.
- The miekg/dns module was updated to version 1.1.26, which fixes a security issue affecting non-encrypted/non-authenticated DNS traffic. In dnscrypt-proxy, this only affects the forwarding feature.
2.0.36-beta.1
- New option: block_undelegated. When enabled, dnscrypt-proxy will directly respond to queries for locally-served zones (https://sk.tl/2QqB971U) and nonexistent zones that should have been kept local, but are frequently leaked. This reduces latency and improves privacy.
- Conformance: the DO bit is now set in synthetic responses if it was set in a question, and the AD bit is cleared.
- The miekg/dns module was updated to version 1.1.25, which fixes a security issue affecting non-encrypted/non-authenticated DNS traffic. In dnscrypt-proxy, this only affects the forwarding feature.
There have also been quite a few internal changes, so please report any possible regression!
2.0.35
- New option: block_unqualified to block A/AAAA queries with unqualified host names. These will very rarely get an answer from upstream resolvers, but can leak private information to these, as well as to root servers.
- When a CNAME pointer is blocked, the original query name is now logged along with the pointer. This makes it easier to know what the original query name was, so it can be whitelisted, or what the pointer was, so it can be removed from the blacklist.
2.0.34
2.0.34-beta.1
- Blacklisted names are now also blocked if they appear in CNAME pointers.
- dnscrypt-proxy can now act as a local DoH server. Firefox can be configured to use it, so that ESNI can be enabled without bypassing your DNS proxy.