25.05.001
Released on 20 May, 2025.
Client
Fixes
- Flush the system-wide DNS cache after the DNS block list changes
- Fix the entrypoint dialog so clicking “Connect” works, in addition to pressing Enter on the text field.
- Fix a hang when setting the entrypoint in the configure dialog after a fresh install.
- Log errors gracefully when setting the tray icon.
- A compatibility mode has been added to allow Docker containers on Linux to access private DNS.
- macOS: A bug in Bowtie versions 25.02.001 through 25.03.003 has been fixed. Bowtie networks stopped working when the default route moved to another interface, such as when switching between Wi-Fi and Ethernet.
- In previous versions, the DNS filters may not have been available at client start. This has been corrected.
- Windows: A bug was found and fixed in the system that monitors the health of the Bowtie DNS system. This bug was introduced in 24.11.001 and fixed in 24.05.001.
Features
- A new setting is introduced for auditing client DNS events. The device config key dns-audit-level can be set to “errors-only”, “blocked-queries”, “all-queries”, or “all-queries-all-answers” to log DNS queries and answers to a specified location on clients. The logs are written as JSONL following the Elastic Common Schema.
dns-audit-level is dynamic: it reloads on each DNS request. log-directory is not dynamic and takes effect only on client startup.
- Private nameserver lookups have improved performance. Additionally, there is a new DNS flag to shape behavior for upstream name servers. Lower timeouts improve the user experience in many cases, so the default has been lowered. Further changes to defaults may come as we collect more data in our environments.
- private-upstream-timeout-ms: This was previously fixed at 5s and was not configurable. The default has been reduced to 1.75s.
- DNS audit logging now works on both Linux and Windows.
This adds the setting dns_audit_log_directory. On Windows this defaults to a path under C:\ProgramData\Bowtie\log; on Linux it defaults to a path under /var/log/bowtie. This setting is only read at startup; it does not reload at runtime.
- Enable DNS audit logging on macOS.
- The configuration flag ui-network-status is added to control the network status line in the tray application, and is enabled by default.
- There is a new line in the tray menu reflecting network status. If this status line reports failure, Internet access is unavailable.
- Support bundle packages now record the date and time they were collected.
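The DNS audit feature above writes JSONL records in Elastic Common Schema form. As an added example (not Bowtie's own code, and not taken from its documentation), the script below parses such a file line by line, skips malformed lines instead of aborting, and summarizes blocked names, response codes and SERVFAIL answers, which is the first thing an operator tends to want when checking whether the block list is working or an upstream is unhealthy. The sample records are constructed, and the field names (dns.question.name, dns.response_code, event.action with a value of "dns-blocked") are assumptions following public ECS conventions; the keys the client actually emits are not specified in these notes.

```python
import json
from collections import Counter

# Constructed sample records (not real Bowtie output). Field names follow the
# public ECS dns.* and event.* conventions; the exact keys the client writes
# are an assumption here, not something the release notes specify.
SAMPLE_JSONL = "\n".join([
    json.dumps({"@timestamp": "2025-05-20T10:00:00Z",
                "event": {"action": "dns-query", "outcome": "success"},
                "dns": {"question": {"name": "intranet.example.internal", "type": "A"},
                        "response_code": "NOERROR",
                        "answers": [{"type": "A", "data": "10.0.0.5"}]}}),
    json.dumps({"@timestamp": "2025-05-20T10:00:01Z",
                "event": {"action": "dns-blocked", "outcome": "failure"},
                "dns": {"question": {"name": "ads.example.net", "type": "A"},
                        "response_code": "NXDOMAIN"}}),
    "{\"@timestamp\": \"2025-05-20T10:00:02Z\", \"event\": {\"act",  # truncated line
    json.dumps({"@timestamp": "2025-05-20T10:00:03Z",
                "event": {"action": "dns-query", "outcome": "failure"},
                "dns": {"question": {"name": "upstream-down.example.com", "type": "AAAA"},
                        "response_code": "SERVFAIL"}}),
    json.dumps({"@timestamp": "2025-05-20T10:00:04Z",
                "event": {"action": "dns-blocked", "outcome": "failure"},
                "dns": {"question": {"name": "tracker.example.org", "type": "A"},
                        "response_code": "NXDOMAIN"}}),
])


def get_path(record, dotted, default=None):
    """Walk a dotted ECS path such as 'dns.question.name' through nested dicts."""
    cur = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def parse_jsonl(text):
    """Parse JSONL text into (records, malformed_line_count).

    Malformed lines are counted and skipped rather than raising, because a
    partially written last line is normal when reading a live log file.
    """
    records, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return records, bad


def summarize(records):
    """Count blocked names, response codes, and names that got SERVFAIL
    (a SERVFAIL cluster usually points at an unhealthy upstream resolver)."""
    blocked = Counter()
    rcodes = Counter()
    servfail = set()
    for rec in records:
        name = get_path(rec, "dns.question.name", "<unknown>")
        rcode = get_path(rec, "dns.response_code", "<none>")
        rcodes[rcode] += 1
        if get_path(rec, "event.action") == "dns-blocked":
            blocked[name] += 1
        if rcode == "SERVFAIL":
            servfail.add(name)
    return {
        "total": len(records),
        "blocked": dict(blocked),
        "rcodes": dict(rcodes),
        "servfail_names": sorted(servfail),
    }


if __name__ == "__main__":
    recs, bad = parse_jsonl(SAMPLE_JSONL)
    print(json.dumps(summarize(recs), indent=2))
    print(f"malformed lines skipped: {bad}")
```

To run it against a real audit log, replace SAMPLE_JSONL with the contents of a file under the configured log directory and adjust the three field paths if the client's records use different keys.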
Server
Fixes
- A defect in database maintenance that could cause device groups to be lost between versions 2025.01.001 and 2025.03.003 has been resolved.
- Cross Site DNS regressed in 25.03.003 clients with 25.03.003 controllers for some installations. A fix for these environments has been applied at the controller.
- Previously, client configuration specific to user groups could be applied to accepted devices that were not yet associated with users. This has been resolved.
- In 25.03.003 an issue was observed where the DNS server on controllers could bind to an incorrect address. This is now checked and resolved at bowtie-service boot.
- Previously, services integral to BGP operation could enter a permanent-down state. New configuration changes ensure that attempts to restart an unhealthy BGP daemon will never fail permanently, but persistently retry with a moderate backoff.
Note: BGP services may be inoperative but fail to broadcast network unavailability to other cluster peers, causing incorrect or unreachable routes. Investigative work into this failure mode is ongoing, but this change should mitigate some cases.
- Configuration files for Controller DNS are now included in Controller support bundles.
- Fixed an issue that could unintentionally cause systemd-networkd to restart on system update, potentially resulting in impacts to network connectivity.
- Fixed an issue related to AllocationUnits in .ova files that prevented them from being imported into certain VMware environments.
- Fixed an issue that could cause reverse proxy configuration changes to fail on Controller update.
- Fixed an issue that prevented a system service (caddy-supervisor.service) from starting correctly.
- A regression preventing the telemetry preferences Control Plane page from rendering sample payloads has been resolved.
- Fixed a table styling issue on Controller initial setup pages.
Features
- Controllers now support the ability to create time-limited, serial console-only administrative user accounts for shell access from the Control Plane web interface. This feature is intended to aid administrators who may require host-level access without predefined access configured, such as via ssh. Consult the user documentation for temporary console users for additional information.
Note: the addition of this feature does not create temporary administrative users by default, and may be disabled organization-wide if desired. Additionally, access is constrained to the equivalent of physical access to the controller. This feature does not enable remote access.
- Controller images are now available for Incus and LXD.
Enhancements
- Updated the base Controller appliance operating system to reflect the latest upstream package updates.
The table below lists relevant user-facing packages that may impact custom configuration settings on deployed Controllers:
Package   Old Version   New Version
grafana   11.3.4        11.3.6
linux     6.1.130       6.1.135
nix       2.24.12       2.24.14
caddy     2.9.1         2.10.0
Vulnerabilities closed due to updated packages or backported patches include:
Vulnerability    Package   Mitigation
CVE-2024-56406   perl      Patch backported by upstream
At the time of writing, a scan of all operating system dependencies yielded no outstanding critical vulnerabilities requiring immediate action.
When upgrading your Controller, please bear the following release notes in mind:
- This update includes an update from Linux kernel version 6.1.130 to 6.1.135. System services should continue to operate normally across kernel updates. If you require that the system run on the newer kernel, follow up the update with a system reboot; otherwise this step is not required.
Documentation
Fixes
- Support for deploying Controllers on Kubernetes is undergoing frequent changes. Some sections of the documentation have been updated to reflect this.
If your organization requires the ability to deploy on Kubernetes, please reach out to a member of our team, who will be able to assist.