Pro Custodibus Agent 1.7.0

Added
-----

* Additional helper scripts for Windows.

Changed
-------

* Use external DNS resolver by default (see below).
* Apply packet mark (aka fwmark) to agent connections on Linux when wg-quick will use the mark to override the default gateway (see below).
* Installer automatically installs wireguard-tools package.

New DNS Settings
----------------

Previously, the agent would use the host operating system's own DNS resolver. Now, by default, the agent will use the [Quad9](https://www.quad9.net/) resolvers via DoH (DNS over HTTPS) to resolve the IP address of the Pro Custodibus API, as well as any WireGuard endpoint addresses specified by DNS name. This is particularly useful when a WireGuard interface is itself used for the host's default route, to ensure that the agent can resolve the IP address needed to connect to the API even when the WireGuard tunnel is not working.

To revert to the previous behavior, and use the host operating system's DNS resolver, add the following setting to the procustodibus.conf file:

    Dns = off

To use a custom DoH resolver (such as [Cloudflare's](https://1.1.1.1/dns/)), add the following settings to the procustodibus.conf file, customizing the `Dns` setting to specify the DNS servers to contact, and the `Doh` setting to specify the hostname that the servers' TLS certificate must match:

    Dns = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
    Doh = cloudflare-dns.com

To use a custom UDP resolver, add the following settings to the procustodibus.conf file, customizing the `Dns` setting to specify the DNS servers to contact:

    Dns = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
    DnsProtocol = udp

To use a custom TCP resolver, add the following settings to the procustodibus.conf file, customizing the `Dns` setting to specify the DNS servers to contact:

    Dns = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
    DnsProtocol = tcp

The agent will automatically attempt to detect whether to use IPv4 or IPv6 addresses. To force the agent to always prefer IPv4 addresses, add the following setting to the procustodibus.conf file:

    ResolveHostnames = ipv4

To force the agent to always prefer IPv6 addresses, add the following setting to the procustodibus.conf file:

    ResolveHostnames = ipv6

New FwMark Setting
------------------

When a network mask of `/0` (aka the default route) is used on Linux for the `AllowedIPs` setting of a WireGuard peer, WireGuard's `wg-quick` helper script will set up some policy routing rules to ensure that the WireGuard interface's own traffic is not recursively routed through the interface's tunnel; these rules rely on the interface emitting packets with a specific mark (configurable via the `FwMark` setting on the interface). Now when the agent detects this scenario, it will also mark its own packets with the same mark, ensuring that its connections to the Pro Custodibus API (and the agent's DNS resolver) do not go through the WireGuard tunnel (and so the agent will still work even if the tunnel does not).

To prevent the agent from doing this, add the following setting to the procustodibus.conf file:

    FwMark = off

To force the agent to always mark its packets with a specific mark (such as 123), add the following setting to the procustodibus.conf file:

    FwMark = 123
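As an added example covering both the DNS settings and the FwMark setting above (this is not the agent's own code): a small Python parser that reads the `Dns`, `Doh`, `DnsProtocol`, `ResolveHostnames` and `FwMark` keys from a procustodibus.conf fragment, validates them, and works out which resolver the agent should use and which mark it should put on its own sockets so they bypass the tunnel. The Quad9 addresses and DoH hostname used as defaults, the decision to treat a custom `Dns` list with neither `Doh` nor `DnsProtocol` as a configuration error, and the names `resolver_plan`, `effective_fwmark` and `mark_socket` are this example's own assumptions, not the agent's real behaviour or API.

```python
# Added example, not the Pro Custodibus agent's own code: parse the DNS and
# FwMark settings from a procustodibus.conf fragment into a resolver plan.
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Assumption: the default resolvers are Quad9's public addresses and DoH
# hostname; the release notes only say "Quad9", not which addresses are used.
QUAD9_SERVERS = ["9.9.9.9", "149.112.112.112", "2620:fe::fe", "2620:fe::9"]
QUAD9_DOH_HOST = "dns.quad9.net"
SO_MARK = getattr(socket, "SO_MARK", 36)  # Linux socket option for fwmark


@dataclass
class ResolverPlan:
    protocol: str                       # "doh", "udp", "tcp" or "system"
    servers: List[str] = field(default_factory=list)
    doh_host: Optional[str] = None      # hostname the TLS certificate must match
    prefer: str = "auto"                # "auto", "ipv4" or "ipv6"
    fwmark: Union[str, int] = "auto"    # "auto", "off" or an explicit mark


def parse_conf(text: str) -> dict:
    """Return {lowercased key: value} for 'Key = value' lines.

    Comments and section headers are skipped; a line without '=' is an error."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        settings[key.strip().lower()] = value.strip()
    return settings


def _server_list(value: str) -> List[str]:
    """Split a comma-separated Dns value and require every entry to be an IP."""
    servers = [s.strip() for s in value.split(",") if s.strip()]
    if not servers:
        raise ValueError("Dns list is empty")
    for server in servers:
        ipaddress.ip_address(server)  # raises ValueError for non-IP entries
    return servers


def resolver_plan(text: str) -> ResolverPlan:
    """Turn a procustodibus.conf fragment into a validated ResolverPlan."""
    s = parse_conf(text)
    plan = ResolverPlan("doh", list(QUAD9_SERVERS), QUAD9_DOH_HOST)
    dns = s.get("dns")
    if dns is not None and dns.lower() == "off":
        plan = ResolverPlan("system")          # fall back to the OS resolver
    elif dns is not None:
        plan.servers = _server_list(dns)       # custom servers: no default pin
        plan.doh_host = None
    if plan.protocol != "system":
        proto = s.get("dnsprotocol", "doh").lower()
        if proto not in ("doh", "udp", "tcp"):
            raise ValueError(f"unsupported DnsProtocol: {proto}")
        plan.protocol = proto
        if proto == "doh":
            plan.doh_host = s.get("doh", plan.doh_host)
            if not plan.doh_host:  # assumption: custom DoH servers need a Doh name
                raise ValueError("custom Dns servers need a Doh hostname or DnsProtocol")
        else:
            plan.doh_host = None               # plain UDP/TCP has no TLS name
    prefer = s.get("resolvehostnames", "auto").lower()
    if prefer not in ("auto", "ipv4", "ipv6"):
        raise ValueError(f"unsupported ResolveHostnames: {prefer}")
    plan.prefer = prefer
    fw = s.get("fwmark", "auto").lower()
    plan.fwmark = fw if fw in ("auto", "off") else int(fw, 0)
    return plan


def effective_fwmark(plan: ResolverPlan, interface_fwmark: Optional[int],
                     allowed_ips: List[str]) -> Optional[int]:
    """Mark the agent should apply to its own sockets, or None for no mark.

    interface_fwmark is the mark wg-quick gives the WireGuard interface's own
    packets; allowed_ips are the peers' AllowedIPs. Only a /0 entry makes
    wg-quick install its policy-routing rules, so only then does "auto" mark."""
    if plan.fwmark == "off":
        return None
    if plan.fwmark != "auto":
        return plan.fwmark
    default_route = any(ipaddress.ip_network(a, strict=False).prefixlen == 0
                        for a in allowed_ips)
    return interface_fwmark if default_route and interface_fwmark else None


def mark_socket(sock: socket.socket, mark: Optional[int]) -> bool:
    """Apply the mark to a socket (Linux, needs CAP_NET_ADMIN); True if applied."""
    if mark is None:
        return False
    sock.setsockopt(socket.SOL_SOCKET, SO_MARK, mark)
    return True
```

With the Cloudflare fragment from the notes, `resolver_plan` yields a DoH plan pinned to `cloudflare-dns.com`; with `Dns = off` it yields the `system` plan; with an empty fragment and peers whose `AllowedIPs` include `0.0.0.0/0`, `effective_fwmark` returns the interface's mark so that `mark_socket` can keep the agent's API and resolver connections out of the tunnel.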