v2.1.0 beta

What's Changed

• live release ready by @PenguinzTech in #22
• 2.0 by @PenguinzTech in #26

Squawk DNS System Release Notes

v2.1.0 - Enterprise Threat Intelligence and Multi-Tier Release

Release Date: August 2025
Release Type: Major Feature Release with Advanced Threat Intelligence and Enterprise Restructuring
Breaking Changes: Enterprise licensing model restructured (existing licenses remain valid)

🎉 What's New in v2.1.0

This major release introduces comprehensive threat intelligence capabilities and restructures our enterprise offerings to better serve different organizational needs. Key highlights include:

• 🛡️ Complete TAXII/STIX 2.1 Support: Full integration with enterprise threat intelligence platforms
• 🔍 OpenIOC Format Support: Enhanced parsing of industry-standard IOC formats
• 💰 New Enterprise Tiers: Self-Hosted ($5/user) and Cloud-Hosted ($7/user) options
• 🌐 Advanced Threat Intelligence: Unlimited feeds for enterprise customers
• ☁️ Cloud-Hosted Services: Managed infrastructure with 99.9% SLA
• 🔧 Enhanced Licensing: Granular feature control across all tiers

🛡️ Advanced Threat Intelligence Integration (NEW)

TAXII 2.x / STIX 2.1 Support

• TAXII 2.x Client: Full TAXII 2.x server integration with collection discovery and authentication
• STIX 2.1 Parser: Complete STIX 2.1 bundle parsing with support for indicators, malware, and cyber observables
• Authentication Support: Bearer token, Basic Auth, and API key authentication for TAXII servers
• Incremental Updates: Support for added_after timestamp filtering for efficient updates
• SSL Configuration: Configurable SSL verification for internal or testing TAXII servers
• Multi-Object Parsing: Extracts indicators from STIX Indicators, Malware descriptions, and Cyber Observable Objects

OpenIOC Format Support

• Enhanced OpenIOC Parser: Complete IOC XML parsing with network indicator extraction
• Context Awareness: Extracts IOC metadata including names, descriptions, and context types
• Network Indicator Focus: Prioritizes DNS/domain and IP indicators relevant to DNS blocking
• URL Extraction: Automatically extracts domains from URL indicators in OpenIOC files
• IP Range Support: Handles CIDR notation and IP ranges in OpenIOC indicators
• Metadata Preservation: Maintains OpenIOC context and attribution information

Community Threat Intelligence Feeds (FREE)

• 1 Feed Limit: Community users get access to one configurable threat intelligence feed
• Popular Feed Templates: Pre-configured templates for STIX, TAXII, and OpenIOC feeds
• Format Support: TXT, CSV, JSON, XML, STIX 2.1, OpenIOC, YARA, and Snort rule parsing
• Automatic Updates: Configurable update intervals (1-24 hours) with automatic feed refresh
• Real-time Blocking: Immediate DNS blocking of indicators from threat intelligence feeds

Enterprise Self-Hosted ($5/user/month)

• Unlimited Feeds: No limits on number of threat intelligence sources
• Admin Configuration Interface: Web-based threat feed management and configuration
• Advanced Parsing: Support for complex STIX relationships and advanced OpenIOC contexts
• Priority Processing: Enterprise feeds get processing priority and faster update cycles
• Self-Managed Infrastructure: Customer controls deployment and updates

Enterprise Cloud-Hosted ($7/user/month)

• All Self-Hosted Features: Complete enterprise feature set
• Managed Infrastructure: Penguin Technologies operates and maintains servers
• Custom Feed Development: Support for proprietary and custom threat intelligence formats
• Advanced Threat Intelligence Curation: Enhanced and curated threat feeds
• 99.9% SLA: Guaranteed uptime with redundant infrastructure
• Global CDN: Edge locations for optimal performance

🔧 Technical Implementation Details

TAXII 2.x Client Architecture

• Discovery Protocol: Automatic API root and collection discovery
• Robust Authentication: Support for multiple auth methods with fallback mechanisms
• Incremental Synchronization: Efficient updates using timestamps to reduce bandwidth
• Error Handling: Comprehensive retry logic with exponential backoff
• SSL/TLS Flexibility: Configurable certificate validation for enterprise environments

Enhanced IOC Processing Engine

• Multi-Format Parser: Unified parsing engine supporting 8+ threat intelligence formats
• Confidence Scoring: Intelligent confidence mapping from various feed formats
• Contextual Extraction: Preserves threat attribution and contextual information
• Performance Optimization: In-memory caching with database persistence
• Real-time Integration: Immediate DNS blocking without service restart

Database Schema Enhancements

-- New threat intelligence tables
ioc_feeds          -- Feed configurations and metadata
ioc_entries        -- Individual threat indicators
ioc_overrides      -- User/token specific overrides
ioc_stats          -- Performance and usage statistics

Environment Variables for Threat Intelligence

# Community Threat Intelligence (1 feed limit)
ENABLE_THREAT_INTEL=true
THREAT_FEED_UPDATE_HOURS=6
MAX_COMMUNITY_FEEDS=1

# Enterprise Threat Intelligence (unlimited)
ENABLE_ENTERPRISE_THREAT_INTEL=true
MAX_ENTERPRISE_FEEDS=unlimited
THREAT_INTEL_PRIORITY_PROCESSING=true

# TAXII Configuration
TAXII_SERVER_URL=https://taxii-server.com/taxii2/
TAXII_COLLECTION_ID=indicators
TAXII_AUTH_TYPE=bearer
TAXII_TOKEN=your-token-here
TAXII_VERIFY_SSL=true

# OpenIOC Configuration  
OPENIOC_EXTRACT_NETWORK=true
OPENIOC_EXTRACT_FILE=false
OPENIOC_CONFIDENCE_DEFAULT=75

💰 New Enterprise Pricing Structure

Squawk DNS now offers three distinct tiers to meet different organizational needs:

Community Edition (Free)

Perfect for individual users and small teams

• ✅ Basic DNS resolution and caching
• ✅ Standard DNS-over-HTTPS support
• ✅ mTLS authentication
• ✅ 1 threat intelligence feed
• ✅ Basic web console
• ✅ Community support via GitHub

Enterprise Self-Hosted ($5/user/month)

Ideal for organizations wanting control over their infrastructure

• ✅ All Community Features
• ✅ Unlimited threat intelligence feeds with advanced parsers
• ✅ Selective DNS routing with per-user/group access control
• ✅ Advanced token management and user authentication
• ✅ Multi-tenant architecture with organizational isolation
• ✅ SAML/LDAP/SSO integration for enterprise identity providers
• ✅ Priority DNS processing for faster response times
• ✅ Enhanced caching with advanced optimization
• ✅ Technical support with SLA guarantees
• ✅ Self-managed - customer controls infrastructure and updates

Enterprise Cloud-Hosted ($7/user/month)

Complete managed solution with enterprise-grade reliability

• ✅ All Self-Hosted Features
• ✅ Managed infrastructure operated by Penguin Technologies
• ✅ 99.9% SLA with redundant, fault-tolerant infrastructure
• ✅ Automatic updates with zero-downtime deployments
• ✅ 24/7 monitoring with proactive alerting and incident response
• ✅ Compliance reporting for SOC2, HIPAA, GDPR requirements
• ✅ Global CDN with edge locations for optimal worldwide performance
• ✅ Advanced threat intelligence curation with enhanced feed quality
• ✅ Custom integrations and dedicated development resources
• ✅ 24/7 dedicated support with guaranteed response times
• ✅ Priority processing - highest priority across all users

🎯 Choosing the Right Tier

Use Case	Recommended Tier	Why
Individual/Home	Community	Free, basic features sufficient
Small Business	Self-Hosted	Cost-effective, full enterprise features
Mid-size Company	Self-Hosted	Control infrastructure, reduced costs
Enterprise Corp	Cloud-Hosted	Managed service, SLA, compliance
Regulated Industry	Cloud-Hosted	Compliance reporting, audit trails
Global Organization	Cloud-Hosted	Multi-region, CDN performance

🔄 Migration Guide for v2.1.0

From v1.x to v2.1.0

Existing Enterprise Customers

• ✅ No Action Required: Existing enterprise licenses automatically map to appropriate tier
• ✅ Feature Continuity: All current features remain available
• ✅ Automatic Detection: System automatically detects and applies correct licensing tier
• 📧 Contact Sales: For cloud-hosted migration assistance

Community Users

• ✅ Seamless Upgrade: All existing functionality preserved
• 🆕 New Threat Intel: Can now configure 1 threat intelligence feed
• 📈 Upgrade Path: Clear options to Enterprise Self-Hosted or Cloud-Hosted

New Installations

• 🆕 Enhanced Setup: New licensing options during initial configuration
• 📚 Improved Documentation: Updated guides for all three tiers
• 🎯 Tier Selection: Built-in recommendations based on organization size and needs

License Mapping from v1.x

v1.x License	v2.1.0 Tier	Features	Action Required
Community	Community	Same + 1 threat feed	None
Enterprise	Self-Hosted	All features + unlimited threat intel	None
Custom/Enterprise+	Cloud-Hosted	Managed service + SLA	Contact sales for migration

Database Schema Updates

v2.1.0 includes automatic database migrations for:

• New threat intelligence tables (ioc_feeds, ioc_entries, ioc_overrides, ioc_stats)
• Enhanced licensing metadata
• Backward-compatible schema changes

**No manual database...

v1.1.2beta

Squawk DNS System Release Notes

v1.1.2 - Maintenance and Security Release

Release Date: August 2025
Release Type: Patch Release with CI/CD and Security Fixes
Breaking Changes: None (backward compatible)

🛠️ Build System & CI/CD Improvements

Build Standardization

• Python 3.13 Standardization: All Python components now use Python 3.13 across Docker, CI/CD, and documentation
• Go 1.23 Standardization: All Go components standardized on Go 1.23 with removed toolchain specifications
• Virtual Environment Isolation: Implemented proper virtual environments in all Docker containers to prevent system package conflicts
• Simplified Build Matrix: Removed complex matrix strategies for more reliable single-version builds

GitHub Actions Enhancements

• Separate Build Verification: Added dedicated build job that runs on both PRs and main branch pushes
• Security Tools Update: Updated to official github.com/securego/gosec repository (8,401+ stars, actively maintained)
• Docker Syntax Fixes: Fixed Docker build command syntax errors in CI/CD workflows
• LDAP Dependencies: Added comprehensive LDAP development packages for python-ldap compilation

🔐 Security Improvements

Go Security Enhancements

• Zero Security Issues: Resolved all 9 security issues found by gosec scanner
• Safe Integer Conversions: Added safeUint32() function to prevent integer overflow vulnerabilities
• File Permissions: Updated file permissions from 0644 to 0600 for sensitive configuration files
• Security Tool Standards: Documented security tools in CLAUDE.md to prevent future tool selection issues

Documentation Security

• Security Tools Standard: Added official security scanning tools to development guidelines
• Version Standards: Documented Go 1.23 and Python 3.13 standards to prevent version conflicts

🌐 Website & Documentation Fixes

Website Navigation

• Footer Links Fixed: Footer navigation links now properly appear as clickable links using inline styles
• Documentation Page URLs: Updated documentation page links to match MkDocs URL structure
• Bootstrap Compatibility: Resolved Bootstrap CSS conflicts with Next.js Link components

Documentation Structure

• MkDocs Integration: Properly configured for docs.squawkdns.com Cloudflare Pages deployment
• API Documentation: Enhanced API.md with comprehensive endpoint documentation
• URL Standardization: All documentation references now use consistent squawkdns.com domain

🧹 Code Quality & Maintenance

Development Environment

• Docker Build Reliability: Fixed multiple Docker build failures with proper dependency management
• Package Dependencies: Resolved missing system dependencies for LDAP and SSL libraries
• Testing Infrastructure: Enhanced test execution within Docker containers for environment parity

Configuration Management

• Environment Variable Documentation: Updated CLAUDE.md with complete configuration reference
• Build Documentation: Added clear build system standards to prevent future compatibility issues

🐛 Bug Fixes

• Docker Multi-stage Builds: Fixed target specification errors in GitHub workflows
• Python Package Conflicts: Resolved pip installation conflicts with --break-system-packages flag usage
• LDAP Compilation: Fixed python-ldap build failures by adding required development headers
• Version Compatibility: Resolved Go toolchain version mismatches causing build failures

📚 Documentation Updates

• CLAUDE.md Enhancements: Added Go version standards and security tools documentation
• API Documentation: Comprehensive API endpoint documentation with examples
• Build Standards: Documented Python 3.13 and Go 1.23 standardization decisions

🔄 Migration Notes

• Automatic: No manual intervention required for existing deployments
• CI/CD: GitHub workflows will automatically use new standards
• Docker: Existing containers will rebuild with improved dependency management

---

Squawk DNS System v1.1.1 Release Notes

Release Date: August 2025
Release Type: Major Feature Release with Critical Security Hotfixes
Breaking Changes: None (backward compatible)

🎉 Executive Summary

Squawk v1.1.1 represents a massive leap forward in DNS-over-HTTPS proxy technology, introducing a complete Go client implementation, comprehensive enterprise security features, and production-ready infrastructure. This release adds over 10,000 lines of new code, 28 new files, and transforms Squawk from a simple DNS proxy into a full-featured enterprise DNS security solution.

🔥 Critical Hotfixes in v1.1.1

Security Enhancements

1. DNS Loop Prevention: Added IP address validation to prevent infinite DNS resolution loops when using custom DNS servers
2. Multiple Server Failover: Implemented automatic failover with configurable retry logic for high availability
3. Enhanced DNS Validation: Strengthened input validation to prevent injection attacks and malformed queries
4. Public DNS Compatibility: Fixed compatibility issues with Google DNS and Cloudflare DNS-over-HTTPS services

Bug Fixes

1. URL Path Normalization: Auto-corrects paths for public DNS providers (/resolve vs /dns-query)
2. Certificate Validation: Fixed edge cases in mTLS certificate validation
3. Error Handling: Improved error messages and aggregation for multiple server failures
4. Configuration Loading: Fixed environment variable parsing for comma-delimited server lists

System Tray Enhancements (NEW)

1. Health Monitoring: Real-time DNS server health monitoring with visual indicators
2. Smart Notifications: Automatic alerts when DNS servers become unreachable
3. DNS Fallback: One-click fallback to original DHCP DNS servers for captive portals
4. Visual Health Status: Icon colors indicate server health (green=healthy, yellow=degraded, red=unhealthy)

🚀 Major New Features

1. Go Client Implementation (NEW)

Complete high-performance DNS client written in Go with 1:1 feature parity with Python client.

Performance Metrics:

• Cold Start: ~10ms (10x faster than Python)
• Memory Usage: ~15MB (50% reduction)
• Binary Size: Single ~10MB executable
• Concurrency: Native goroutine support

Key Features:

• Full DNS-over-HTTPS (DoH) support with HTTP/2
• mTLS authentication with ECC and RSA certificates
• Local DNS forwarding (UDP/TCP to DoH)
• YAML configuration file support
• Cross-platform binaries (Linux, macOS, Windows)
• Docker multi-architecture support

2. Enterprise Authentication & Security

Multi-Factor Authentication (MFA)

• TOTP Support: Google Authenticator compatible
• Backup Codes: Recovery mechanism for lost devices
• QR Code Generation: Easy setup for users
• Per-user Configuration: Flexible MFA requirements

Single Sign-On (SSO)

• SAML 2.0: Enterprise identity provider integration
• LDAP: Active Directory support
• OAuth2: Social login capabilities
• Session Management: Secure token handling

Advanced Certificate Management

• ECC Certificates: Default P-384 curve (more secure than RSA)
• Automatic Generation: Self-signed certificates for testing
• Certificate Bundle Downloads: Direct from web console
• Dual Authentication: Bearer token + client certificate
• CA Management: Custom certificate authorities

3. DNS Security & Filtering

DNS Blackholing

• Maravento Blacklist: Integration with 2M+ malicious domains
• Automatic Updates: Daily pulls from GitHub (configurable)
• Custom Blocklists: Admin-defined domain/IP blocking
• Whitelist Override: Exception management
• Real-time Updates: No restart required

Brute Force Protection

• Configurable Lockouts: Default 5 attempts, 30-minute block
• IP-based Tracking: Per-source IP monitoring
• Email Notifications: Alerts on security events
• Account Recovery: Admin unlock capabilities
• Audit Logging: Complete security event trail

4. Performance & Scalability

HTTP/3 Support

• QUIC Protocol: Next-generation transport
• Reduced Latency: Faster connection establishment
• Connection Migration: Seamless network changes
• Improved Reliability: Better packet loss handling

Advanced Caching

• Redis/Valkey Support: Distributed caching
• TLS Encryption: Secure cache communication
• Authentication: Password-protected cache access
• Configurable TTL: Per-record expiration
• Multi-backend: Automatic failover between cache systems

High-Performance Architecture

• Asyncio/Uvloop: Python server optimization
• Multi-threading: Thousands of requests per second
• Connection Pooling: Efficient resource usage
• Load Balancing: Round-robin server selection

5. Infrastructure & Operations

Cross-Platform System Integration

• Enhanced System Tray: Desktop GUI with health monitoring and DNS fallback
• Service Installation: systemd, launchd, Windows services
• DNS Configuration: Automatic system DNS updates with DHCP fallback
• Auto-start: Boot-time service activation
• Health Notifications: Real-time alerts for DNS server failures
• Captive Portal Support: Easy fallback to original DNS for hotel/airport WiFi

Comprehensive Logging

• Real IP Detection: REALIP/X-FORWARDED-FOR headers
• UDP Syslog: RFC 3164 compliant forwarding
• JSON Format: Structured logging support
• Security Events: Authentication and access logs
• Performance Metrics: Request timing and statistics

CI/CD Pipeline

• GitHub Actions: Automated build and release
• ...

v1.1.2alpha

Squawk DNS System Release Notes

v1.1.2 - Maintenance and Security Release

Release Date: August 2025
Release Type: Patch Release with CI/CD and Security Fixes
Breaking Changes: None (backward compatible)

🛠️ Build System & CI/CD Improvements

Build Standardization

• Python 3.13 Standardization: All Python components now use Python 3.13 across Docker, CI/CD, and documentation
• Go 1.23 Standardization: All Go components standardized on Go 1.23 with removed toolchain specifications
• Virtual Environment Isolation: Implemented proper virtual environments in all Docker containers to prevent system package conflicts
• Simplified Build Matrix: Removed complex matrix strategies for more reliable single-version builds

GitHub Actions Enhancements

• Separate Build Verification: Added dedicated build job that runs on both PRs and main branch pushes
• Security Tools Update: Updated to official github.com/securego/gosec repository (8,401+ stars, actively maintained)
• Docker Syntax Fixes: Fixed Docker build command syntax errors in CI/CD workflows
• LDAP Dependencies: Added comprehensive LDAP development packages for python-ldap compilation

🔐 Security Improvements

Go Security Enhancements

• Zero Security Issues: Resolved all 9 security issues found by gosec scanner
• Safe Integer Conversions: Added safeUint32() function to prevent integer overflow vulnerabilities
• File Permissions: Updated file permissions from 0644 to 0600 for sensitive configuration files
• Security Tool Standards: Documented security tools in CLAUDE.md to prevent future tool selection issues

Documentation Security

• Security Tools Standard: Added official security scanning tools to development guidelines
• Version Standards: Documented Go 1.23 and Python 3.13 standards to prevent version conflicts

🌐 Website & Documentation Fixes

Website Navigation

• Footer Links Fixed: Footer navigation links now properly appear as clickable links using inline styles
• Documentation Page URLs: Updated documentation page links to match MkDocs URL structure
• Bootstrap Compatibility: Resolved Bootstrap CSS conflicts with Next.js Link components

Documentation Structure

• MkDocs Integration: Properly configured for docs.squawkdns.com Cloudflare Pages deployment
• API Documentation: Enhanced API.md with comprehensive endpoint documentation
• URL Standardization: All documentation references now use consistent squawkdns.com domain

🧹 Code Quality & Maintenance

Development Environment

• Docker Build Reliability: Fixed multiple Docker build failures with proper dependency management
• Package Dependencies: Resolved missing system dependencies for LDAP and SSL libraries
• Testing Infrastructure: Enhanced test execution within Docker containers for environment parity

Configuration Management

• Environment Variable Documentation: Updated CLAUDE.md with complete configuration reference
• Build Documentation: Added clear build system standards to prevent future compatibility issues

🐛 Bug Fixes

• Docker Multi-stage Builds: Fixed target specification errors in GitHub workflows
• Python Package Conflicts: Resolved pip installation conflicts with --break-system-packages flag usage
• LDAP Compilation: Fixed python-ldap build failures by adding required development headers
• Version Compatibility: Resolved Go toolchain version mismatches causing build failures

📚 Documentation Updates

• CLAUDE.md Enhancements: Added Go version standards and security tools documentation
• API Documentation: Comprehensive API endpoint documentation with examples
• Build Standards: Documented Python 3.13 and Go 1.23 standardization decisions

🔄 Migration Notes

• Automatic: No manual intervention required for existing deployments
• CI/CD: GitHub workflows will automatically use new standards
• Docker: Existing containers will rebuild with improved dependency management

---

Squawk DNS System v1.1.1 Release Notes

Release Date: August 2025
Release Type: Major Feature Release with Critical Security Hotfixes
Breaking Changes: None (backward compatible)

🎉 Executive Summary

Squawk v1.1.1 represents a massive leap forward in DNS-over-HTTPS proxy technology, introducing a complete Go client implementation, comprehensive enterprise security features, and production-ready infrastructure. This release adds over 10,000 lines of new code, 28 new files, and transforms Squawk from a simple DNS proxy into a full-featured enterprise DNS security solution.

🔥 Critical Hotfixes in v1.1.1

Security Enhancements

1. DNS Loop Prevention: Added IP address validation to prevent infinite DNS resolution loops when using custom DNS servers
2. Multiple Server Failover: Implemented automatic failover with configurable retry logic for high availability
3. Enhanced DNS Validation: Strengthened input validation to prevent injection attacks and malformed queries
4. Public DNS Compatibility: Fixed compatibility issues with Google DNS and Cloudflare DNS-over-HTTPS services

Bug Fixes

1. URL Path Normalization: Auto-corrects paths for public DNS providers (/resolve vs /dns-query)
2. Certificate Validation: Fixed edge cases in mTLS certificate validation
3. Error Handling: Improved error messages and aggregation for multiple server failures
4. Configuration Loading: Fixed environment variable parsing for comma-delimited server lists

System Tray Enhancements (NEW)

1. Health Monitoring: Real-time DNS server health monitoring with visual indicators
2. Smart Notifications: Automatic alerts when DNS servers become unreachable
3. DNS Fallback: One-click fallback to original DHCP DNS servers for captive portals
4. Visual Health Status: Icon colors indicate server health (green=healthy, yellow=degraded, red=unhealthy)

🚀 Major New Features

1. Go Client Implementation (NEW)

Complete high-performance DNS client written in Go with 1:1 feature parity with Python client.

Performance Metrics:

• Cold Start: ~10ms (10x faster than Python)
• Memory Usage: ~15MB (50% reduction)
• Binary Size: Single ~10MB executable
• Concurrency: Native goroutine support

Key Features:

• Full DNS-over-HTTPS (DoH) support with HTTP/2
• mTLS authentication with ECC and RSA certificates
• Local DNS forwarding (UDP/TCP to DoH)
• YAML configuration file support
• Cross-platform binaries (Linux, macOS, Windows)
• Docker multi-architecture support

2. Enterprise Authentication & Security

Multi-Factor Authentication (MFA)

• TOTP Support: Google Authenticator compatible
• Backup Codes: Recovery mechanism for lost devices
• QR Code Generation: Easy setup for users
• Per-user Configuration: Flexible MFA requirements

Single Sign-On (SSO)

• SAML 2.0: Enterprise identity provider integration
• LDAP: Active Directory support
• OAuth2: Social login capabilities
• Session Management: Secure token handling

Advanced Certificate Management

• ECC Certificates: Default P-384 curve (more secure than RSA)
• Automatic Generation: Self-signed certificates for testing
• Certificate Bundle Downloads: Direct from web console
• Dual Authentication: Bearer token + client certificate
• CA Management: Custom certificate authorities

3. DNS Security & Filtering

DNS Blackholing

• Maravento Blacklist: Integration with 2M+ malicious domains
• Automatic Updates: Daily pulls from GitHub (configurable)
• Custom Blocklists: Admin-defined domain/IP blocking
• Whitelist Override: Exception management
• Real-time Updates: No restart required

Brute Force Protection

• Configurable Lockouts: Default 5 attempts, 30-minute block
• IP-based Tracking: Per-source IP monitoring
• Email Notifications: Alerts on security events
• Account Recovery: Admin unlock capabilities
• Audit Logging: Complete security event trail

4. Performance & Scalability

HTTP/3 Support

• QUIC Protocol: Next-generation transport
• Reduced Latency: Faster connection establishment
• Connection Migration: Seamless network changes
• Improved Reliability: Better packet loss handling

Advanced Caching

• Redis/Valkey Support: Distributed caching
• TLS Encryption: Secure cache communication
• Authentication: Password-protected cache access
• Configurable TTL: Per-record expiration
• Multi-backend: Automatic failover between cache systems

High-Performance Architecture

• Asyncio/Uvloop: Python server optimization
• Multi-threading: Thousands of requests per second
• Connection Pooling: Efficient resource usage
• Load Balancing: Round-robin server selection

5. Infrastructure & Operations

Cross-Platform System Integration

• Enhanced System Tray: Desktop GUI with health monitoring and DNS fallback
• Service Installation: systemd, launchd, Windows services
• DNS Configuration: Automatic system DNS updates with DHCP fallback
• Auto-start: Boot-time service activation
• Health Notifications: Real-time alerts for DNS server failures
• Captive Portal Support: Easy fallback to original DNS for hotel/airport WiFi

Comprehensive Logging

• Real IP Detection: REALIP/X-FORWARDED-FOR headers
• UDP Syslog: RFC 3164 compliant forwarding
• JSON Format: Structured logging support
• Security Events: Authentication and access logs
• Performance Metrics: Request timing and statistics

CI/CD Pipeline

• GitHub Actions: Automated build and release
• ...

v1.1.1alpha

Squawk DNS System v1.1.1 Release Notes

Release Date: August 2025
Release Type: Major Feature Release with Critical Security Hotfixes
Breaking Changes: None (backward compatible)

🎉 Executive Summary

Squawk v1.1.1 represents a massive leap forward in DNS-over-HTTPS proxy technology, introducing a complete Go client implementation, comprehensive enterprise security features, and production-ready infrastructure. This release adds over 10,000 lines of new code, 28 new files, and transforms Squawk from a simple DNS proxy into a full-featured enterprise DNS security solution.

🔥 Critical Hotfixes in v1.1.1

Security Enhancements

1. DNS Loop Prevention: Added IP address validation to prevent infinite DNS resolution loops when using custom DNS servers
2. Multiple Server Failover: Implemented automatic failover with configurable retry logic for high availability
3. Enhanced DNS Validation: Strengthened input validation to prevent injection attacks and malformed queries
4. Public DNS Compatibility: Fixed compatibility issues with Google DNS and Cloudflare DNS-over-HTTPS services

Bug Fixes

1. URL Path Normalization: Auto-corrects paths for public DNS providers (/resolve vs /dns-query)
2. Certificate Validation: Fixed edge cases in mTLS certificate validation
3. Error Handling: Improved error messages and aggregation for multiple server failures
4. Configuration Loading: Fixed environment variable parsing for comma-delimited server lists

System Tray Enhancements (NEW)

1. Health Monitoring: Real-time DNS server health monitoring with visual indicators
2. Smart Notifications: Automatic alerts when DNS servers become unreachable
3. DNS Fallback: One-click fallback to original DHCP DNS servers for captive portals
4. Visual Health Status: Icon colors indicate server health (green=healthy, yellow=degraded, red=unhealthy)

🚀 Major New Features

1. Go Client Implementation (NEW)

Complete high-performance DNS client written in Go with 1:1 feature parity with Python client.

Performance Metrics:

• Cold Start: ~10ms (10x faster than Python)
• Memory Usage: ~15MB (50% reduction)
• Binary Size: Single ~10MB executable
• Concurrency: Native goroutine support

Key Features:

• Full DNS-over-HTTPS (DoH) support with HTTP/2
• mTLS authentication with ECC and RSA certificates
• Local DNS forwarding (UDP/TCP to DoH)
• YAML configuration file support
• Cross-platform binaries (Linux, macOS, Windows)
• Docker multi-architecture support

2. Enterprise Authentication & Security

Multi-Factor Authentication (MFA)

• TOTP Support: Google Authenticator compatible
• Backup Codes: Recovery mechanism for lost devices
• QR Code Generation: Easy setup for users
• Per-user Configuration: Flexible MFA requirements

Single Sign-On (SSO)

• SAML 2.0: Enterprise identity provider integration
• LDAP: Active Directory support
• OAuth2: Social login capabilities
• Session Management: Secure token handling

Advanced Certificate Management

• ECC Certificates: Default P-384 curve (more secure than RSA)
• Automatic Generation: Self-signed certificates for testing
• Certificate Bundle Downloads: Direct from web console
• Dual Authentication: Bearer token + client certificate
• CA Management: Custom certificate authorities

3. DNS Security & Filtering

DNS Blackholing

• Maravento Blacklist: Integration with 2M+ malicious domains
• Automatic Updates: Daily pulls from GitHub (configurable)
• Custom Blocklists: Admin-defined domain/IP blocking
• Whitelist Override: Exception management
• Real-time Updates: No restart required

Brute Force Protection

• Configurable Lockouts: Default 5 attempts, 30-minute block
• IP-based Tracking: Per-source IP monitoring
• Email Notifications: Alerts on security events
• Account Recovery: Admin unlock capabilities
• Audit Logging: Complete security event trail

4. Performance & Scalability

HTTP/3 Support

• QUIC Protocol: Next-generation transport
• Reduced Latency: Faster connection establishment
• Connection Migration: Seamless network changes
• Improved Reliability: Better packet loss handling

Advanced Caching

• Redis/Valkey Support: Distributed caching
• TLS Encryption: Secure cache communication
• Authentication: Password-protected cache access
• Configurable TTL: Per-record expiration
• Multi-backend: Automatic failover between cache systems

High-Performance Architecture

• Asyncio/Uvloop: Python server optimization
• Multi-threading: Thousands of requests per second
• Connection Pooling: Efficient resource usage
• Load Balancing: Round-robin server selection

5. Infrastructure & Operations

Cross-Platform System Integration

• Enhanced System Tray: Desktop GUI with health monitoring and DNS fallback
• Service Installation: systemd, launchd, Windows services
• DNS Configuration: Automatic system DNS updates with DHCP fallback
• Auto-start: Boot-time service activation
• Health Notifications: Real-time alerts for DNS server failures
• Captive Portal Support: Easy fallback to original DNS for hotel/airport WiFi

Comprehensive Logging

• Real IP Detection: REALIP/X-FORWARDED-FOR headers
• UDP Syslog: RFC 3164 compliant forwarding
• JSON Format: Structured logging support
• Security Events: Authentication and access logs
• Performance Metrics: Request timing and statistics

CI/CD Pipeline

• GitHub Actions: Automated build and release
• Multi-platform Builds: Native binaries for all OS
• Docker Images: Multi-architecture containers
• Debian Packages: .deb with systemd integration
• Separate Workflows: Client and server releases

6. Enhanced DNS Client Features

Multiple Server Failover (NEW)

• Automatic Failover: Seamless server switching
• Round-robin Selection: Load distribution
• Configurable Retries: Custom retry logic
• Error Aggregation: Comprehensive failure reporting
• Health Monitoring: Server availability tracking

DNS Loop Prevention (NEW)

• IP Address Validation: Enforces IP usage for custom servers
• Public DNS Exceptions: Allows known providers by hostname
• Smart Warnings: Context-aware notifications
• Development Mode: Localhost exemption

DNS Name Validation (NEW)

• RFC 1035 Compliance: Strict DNS name validation on both client and server
• Label Validation: Max 63 chars per label, 253 total, proper format
• Character Filtering: Prevents injection attacks and malformed queries
• IDN Support: Punycode (xn--) domain handling for internationalized domains
• Record Type Validation: Only valid DNS types (A, AAAA, CNAME, MX, etc.)
• Special Cases: Handles .arpa reverse DNS and IPv4 addresses
• Security: Blocks special characters and SQL injection attempts
• Consistent Validation: Same rules applied across Go, Python, and server

Legacy Public DNS Support (NEW)

• Google DNS: Both dns.google and dns.google.com
• Cloudflare: 1.1.1.1 and cloudflare-dns.com
• Auto-path Correction: /resolve vs /dns-query
• Transparent Compatibility: No configuration needed

📊 Technical Improvements

Web Console Enhancements

• Modern UI: Responsive Bootstrap 5 design
• Certificate Management: Download mTLS bundles
• User Management: Role-based access control
• Domain Management: Blacklist/whitelist interface
• Real-time Monitoring: Live statistics dashboard
• Token Management: API key generation
• Security Settings: MFA, SSO, brute force configuration

Database & Storage

• Multi-database Support: SQLite, PostgreSQL, MySQL
• Migration Scripts: Automatic schema updates
• Connection Pooling: Efficient database usage
• Transaction Management: ACID compliance

Testing & Quality

• Comprehensive Test Suites: 2000+ test cases
• Security Scanning: Bandit, gosec integration
• Load Testing: k6 performance tests
• Code Coverage: 80%+ coverage target
• Linting: flake8, golangci-lint

Documentation

• API Documentation: 1300+ lines of OpenAPI specs
• Architecture Guide: 800+ lines of system design
• Development Guide: 1500+ lines of setup instructions
• Token Management: Complete authentication guide
• Contributing Guide: Expanded from 100 to 700+ lines

🔧 Configuration & Environment

New Environment Variables

# Multiple Server Support
SQUAWK_SERVER_URLS=https://192.168.1.100:8443,https://192.168.1.101:8443
SQUAWK_MAX_RETRIES=6
SQUAWK_RETRY_DELAY=2

# Security Features
ENABLE_MFA=true
ENABLE_SSO=true
BRUTE_FORCE_MAX_ATTEMPTS=5
BRUTE_FORCE_LOCKOUT_MINUTES=30

# Redis/Valkey Security
REDIS_USE_TLS=true
REDIS_USERNAME=squawk
REDIS_PASSWORD=secure-password

# Blacklist Management
ENABLE_BLACKLIST=true
MARAVENTO_URL=https://github.com/maravento/blackweb
BLACKLIST_UPDATE_DAILY=true

# mTLS Configuration
ENABLE_MTLS=true
USE_ECC_CERTIFICATES=true
ECC_CURVE=P-384

Docker Compose Enhancements

• Development, production, and testing configurations
• PostgreSQL integration
• Monitoring stack (Prometheus/Grafana)
• Load testing integration
• Health checks and dependencies

🚨 Breaking Changes

None - All changes are backward compatible. Existing configurations will continue to work.

🔐 Security Considerations

Required Actions for Production

1. Enable mTLS: Use ECC certificates for maximum security
2. Configure MFA: Require for all admin accounts
3. Set up Redis TLS: Encrypt cache communications
   4....

v1.1.0alpha

Full Changelog: v1.0.0...v1.1.0alpha

🚀 Squawk DNS System v1.1.0 Alpha Release Notes

📋 Major New Features

🔥 Go Client Implementation (NEW)

• Complete Go rewrite of DNS client with 1:1 feature parity
• High performance: ~10ms cold start vs ~100ms Python
• Memory efficient: ~15MB vs ~30MB Python client
• Cross-platform: Linux (AMD64/ARM64), macOS (Universal), Windows
• Native binaries: Single executable with no dependencies
• Docker support: Multi-architecture container images

🖥️ System Tray Application (NEW)

• Cross-platform desktop app with system tray icon
• Start/stop DNS services from GUI
• Real-time status indicators
• Settings management through UI

🏢 Enterprise Security Features

🔐 Advanced Authentication

• Multi-Factor Authentication (MFA) with Google Authenticator TOTP
• Single Sign-On (SSO) support: SAML, LDAP, OAuth2
• Brute force protection with configurable lockouts (5 attempts, 30 min default)
• Email notifications for security events via SMTP/sendmail

🛡️ mTLS Certificate Management

• Automatic ECC certificate generation (P-384 curve default)
• Dual authentication: Bearer token + client certificate
• Certificate bundle downloads from web console
• CA certificate validation with custom CAs

⚡ Performance & Scalability

🚄 HTTP/3 Support

• HTTP/3 protocol implementation for cutting-edge performance
• Async/await architecture for high concurrency
• Multi-threading support for thousands of requests per second
• Connection pooling and optimization

💾 Advanced Caching

• Redis/Valkey integration with TLS authentication
• Configurable TTL and cache expiration policies
• Security warnings for insecure cache configurations
• Automatic failover between cache backends

🚫 DNS Security & Filtering

🔒 DNS Blackholing

• Maravento blacklist integration with automatic daily updates
• Custom domain/IP blocking via admin portal
• Real-time blacklist updates from GitHub sources
• Whitelist override capabilities

📊 Comprehensive Logging

• Real client IP detection via REALIP/X-FORWARDED-FOR headers
• UDP syslog forwarding with RFC 3164 compliance
• JSON and text logging formats
• Security event auditing

🛠️ Infrastructure & DevOps

📦 Cross-Platform Installer

• Automated system service installation (systemd, launchd, Windows services)
• DNS configuration management with system integration
• Service management and auto-start capabilities

🐳 Enhanced Docker Support

• Multi-stage builds for optimized containers
• Development, production, and testing image variants
• PostgreSQL integration with docker-compose
• Health checks and monitoring hooks

⚙️ CI/CD Pipeline

• GitHub Actions workflows for automated builds
• Multi-platform releases: Native binaries, Docker images, Debian packages
• Separate client/server release cycles
• Comprehensive testing and security scanning

🔧 Technical Improvements

🖼️ Web Console Enhancements

• Modern responsive UI with comprehensive admin features
• Certificate management interface for mTLS
• Blacklist management with bulk operations
• User management with role-based access control
• Real-time monitoring dashboard

📝 Configuration Management

• Environment variable configuration for all settings
• YAML configuration files with validation
• Secure defaults with production warnings
• Legacy compatibility for existing deployments

🧪 Testing & Quality

• Comprehensive test suites for Python and Go components
• Security scanning with bandit and gosec
• Load testing with k6 integration
• Code coverage reporting and quality metrics

📊 Platform Support Matrix

Platform	Go Client	Python Client	Server	Docker
Linux AMD64	✅ Native + .deb	✅	✅	✅
Linux ARM64	✅ Native + .deb	✅	✅	✅
macOS Intel	✅ Universal	✅	✅	✅
macOS Apple Silicon	✅ Universal	✅	✅	✅
Windows AMD64	✅ Native	✅	✅	✅

🚀 Performance Benchmarks

Metric	Python Client	Go Client	Improvement
Cold Start	~100ms	~10ms	10x faster
Memory Usage	~30MB	~15MB	50% less
Binary Size	Python + deps	~10MB	Standalone
Concurrent Requests	Limited	Native goroutines	Unlimited

🔒 Security Enhancements

• ECC cryptography for modern certificate security
• Configurable security levels for development vs production
• Automatic security warnings for insecure configurations
• TLS 1.3 support with cipher suite hardening
• Input validation and sanitization throughout
• Rate limiting and DDoS protection mechanisms

📚 Documentation & Examples

• Comprehensive README files for all components
• Docker Compose examples for various deployment scenarios
• Configuration templates and best practices
• API documentation with OpenAPI specs
• Troubleshooting guides and FAQ

🎯 Release Artifacts

Go Client

• Native binaries for all platforms
• Debian/Ubuntu packages with systemd integration
• Docker images (multi-arch)
• Universal macOS binary

Python Server

• Docker images (development, production, testing)
• Complete source code with dependencies
• Database migration scripts
• Configuration templates

---

Note: This is an alpha release intended for testing and feedback. Please report issues via GitHub Issues.

Upgrade Path: Clean installation recommended. Backup existing configurations before upgrading.

v1.0.0

Initial DOH Client and Server for Squawk DOH.
Full Changelog: https://github.com/PenguinCloud/Squawk/commits/v1.0.0