2.0.32

• On certificate errors, the server name is now logged instead of the provider name, which is generally more useful.
• IP addresses for DoH servers that require DNS lookups are now cached for at least 12 hours.
• ignore_system_dns is now set to true by default.
• A workaround for a bug in Cisco servers has been implemented.
• A corrupted or incomplete resolvers list is now ignored, keeping the last good known cached list until the next update. In addition, logging was improved and unit tests were also added. Awesome contribution from William Elwood, thanks!
• On Windows, the network probe immediately returned instead of blocking if netprobe_timeout was set to -1. This has been fixed.
• Expired cached IP addresses now have a grace period, to avoid breaking the service if they temporarily can't be refreshed.
• On Windows, the service now returns immediately, solving a long-standing issue when initialization took more than 30 seconds ("The service did not respond to the start or control request in a timely fashion"). Fantastic work by Alison Winters, thanks!
• The SERVER_ERROR error code has been split into two new error codes: NETWORK_ERROR (self-explanatory) and SERVFAIL (a response was returned, but it includes a SERVFAIL error code).
• Responses are now always compressed.

2.0.31

• This version fixes two regressions introduced in version 2.0.29: DoH server couldn't be reached over IPv6 any more, and the proxy couldn't be interrupted while servers were being benchmarked.

2.0.30

• This version fixes a startup issue introduced in version 2.0.29, on systems for which the service cannot be automatically installed (such as OpenBSD and FreeBSD). Reported by @5ch17 and Vinícius Zavam, and fixed by Will Elwood, thanks!

2.0.29

• Support for Anonymized DNS has been added!
• Wait before stopping, fixing an issue with Unbound (thanks to Vladimir Bauer)
• DNS stamps are now included in the -list-all -json ouptut
• The netprobe_timeout setting from the configuration file or command-line was ignored. This has been fixed.
• The TTL or cloaked entries can now be adjusted (thanks to Markus Linnala)
• Cached IP address from DoH servers now expire (thanks to Markus Linnala)
• DNSCrypt certificates can be fetched over Tor and SOCKS proxies
• Retries over TCP are faster
• Improved logging (thanks to Alison Winters)
• Ignore non-TXT records in certificate responses (thanks to Vladimir Bauer)
• A lot of internal cleanups, thanks to Markus Linnala

2.0.29-beta.3

• Improved logging
• Added a workaround for DNS servers using a non-standard provider name.

2.0.29-beta.2

• Support for Anonymized DNSCrypt has been added.
• Latency with large responses has actually been reduced.
• DNSCrypt certificates can now be retrieved over Tor, proxies, and DNS relays.
• Improved server error reporting (thanks to Alison Winters)
• Quite a lot of internal improvements and bug fixes have been made, thanks to Markus Linnala.

2.0.29-beta.1

Preliminary support for anonymized DNS is here!

2.0.28

• Invalid server entries are now skipped instead of preventing a source from being used. Thanks to Alison Winters for the contribution!
• Truncated responses are immediately retried over TCP instead of waiting for the client to retry. This reduces the latency for large responses.
• Responses sent to the local network are assumed to support at least 1252 bytes packets, and use optional information from EDNS up to 4096 bytes. This also reduces latency.
• Logging improvements: servers are not logged for cached, synthetic and cloaked responses. And the forwarder is logged instead of the regular server for forwarded responses.

2.0.27

• Version 2.0.27

• The X25519 implementation was changed from using the Go standard implementation to using Cloudflare's CIRCL library. Unfortunately, CIRCL appears to be broken on big-endian systems. That change has been reverted.
• All the dependencies have been updated.

2.0.26

• A new plugin was added to prevent Firefox from bypassing the system DNS settings.
• New configuration parameter to set how to respond to blocked queries: blocked_query_response. Responses can now be empty record sets, REFUSED response codes, or predefined IPv4 and/or IPv6 addresses.
• The refused_code_in_responses and blocked_query_response options have been folded into a new blocked_query_response option.
• The fallback resolver is now accessed using TCP if force_tcp has been set to true.
• CPU usage when enabling DNSCrypt ephemeral keys has been reduced.
• New command-line option: -show-certs to print DoH certificate hashes.
• Solaris packages are now provided.
• DoH servers on a non-standard port, with stamps that don't include IP addresses, and without working system resolvers can now be properly bootstrapped.
• A new option, query_meta, is now available to add optional records to client queries.