Releases: SagerNet/sing-box
1.14.0-alpha.21
Release Notes
- Allow customizing TUN DNS mode and hijack interface DNS by default 1
- Add mDNS DNS server 2
- Add preferred_by DNS rule item 3
- Add neighbor-based hostname resolution for the local DNS server 4
- Update NaiveProxy to 148.0.7778.96-1
- Add more TLS spoof methods and route rule action support 5
- Fixes and improvements
1:
Adds dns_mode and dns_address on the TUN inbound. The default hijack mode now sets the platform's native interface DNS (systemd-resolved on Linux, per-interface DNS on Windows and Apple) and installs platform-level DNS hijacking (an iproute2 rule on Linux, nftables DNAT when auto_redirect is enabled, WFP filters on Windows when strict_route is enabled). Earlier versions did not touch the interface DNS or the platform firewall.
2:
The new mDNS DNS server sends queries via multicast on the local network. The default local DNS server also routes queries for *.local. and IPv4/IPv6 link-local reverse zones via mDNS on non-Apple platforms (and via the system resolver on Apple), so an explicit mdns server is only needed to reference it from preferred_by or to use it standalone.
3:
The new preferred_by DNS rule item matches domains that the listed DNS servers consider their preferred names. Supported server types are hosts, local, mdns, tailscale, and resolved. The Tailscale, Hosts and Resolved example pages have been updated to use this rule item in place of the previous evaluate + ip_accept_any + respond pattern.
4:
Adds neighbor_domain on the local DNS server. Listed suffixes (each starting with .) cause A/AAAA queries for single-label hosts under those suffixes to be answered from the neighbor resolver instead of the upstream (for example [".", ".lan"]).
5:
Adds wrong-ack, wrong-md5, and wrong-timestamp spoof methods, and adds tls_spoof / tls_spoof_method to route rule actions for per-rule TLS spoofing without outbound TLS settings.
1.14.0-alpha.20
Release Notes
- Fixes and improvements
1.14.0-alpha.19
Release Notes
- Preserve comments between formatting
- Add cipher, MAC, and key exchange algorithm options for SSH outbound 1
- Add DNS query timeout options 2
- Fixes and improvements
1:
See SSH.
2:
Adds dns.timeout, with per-query overrides via DNS rule action and resolve route rule action, and a timeout field on domain_resolver.
1.14.0-alpha.18
Release Notes
- Add Windows TLS engine 1
- Fixes and improvements
1:
The new windows value for outbound TLS engine routes the TLS handshake through Schannel via SSPI. Only available on Windows build 17763 or later (Windows 10 version 1809, Windows Server 2019, or newer); TLS 1.3 is only negotiated on Windows 11 or Windows Server 2022 and newer.
1.14.0-alpha.17
Release Notes
- Fixes and improvements
1.14.0-alpha.16
Release Notes
- Add ACME profile support for IP address certificates 1
- Fixes and improvements
1:
1.13.11
1.13.10
Release Notes
- Fix process searcher failure introduced in 1.13.9
1.14.0-alpha.15
Release Notes
- Add search domain support for Tailscale DNS 1
- Fixes and improvements
1:
See Tailscale DNS Server.
1.13.9
Release Notes
- Fixes and improvements