# Release Notes

## version 2.40 (2026-05-06)

* added a Post-Quantum Cryptography `pqc` key exchange field in flow logs that indicates whether a TLS handshake used a known [PQC TLS Supported Group](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8). The value is _true_ or _false_ for TLS flows and absent for SSH flows. This feature, although in preview, can be used to assess PQC readiness of your outbound connections.
* TLS SNI matching against user-defined rules is now case-insensitive to support client-side libraries that did not lowercase user input before initiating a new outbound connection
* broadened support for some legacy SSH ciphers
* lowered disk usage and telemetry data collection volume (when left enabled)
* a mitigation for [CVE-2026-31431](https://ubuntu.com/security/CVE-2026-31431) (aka [Copy.Fail](https://copy.fail/)) is included with package _kmod_ version _31+20240202-2ubuntu7.2_, [as advised by Canonical](https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available)
* version of bundled Public Suffix List: [8b4345f](https://github.com/publicsuffix/list/blob/8b4345f9a2513011b21e6fc7b8a7197a849be52c/public_suffix_list.dat)

**Terraform Updates**

* `custom_deployment_id` added to Terraform modules to allow parallel but distinct deployments in the same AWS account. External IPs, the CloudWatch Log Group name and Default Preferences can now carry a unique identifier tied to the DiscrimiNAT deployment with the same ID.
* DiscrimiNAT instances are now able to read their own tags via the metadata service. This is necessary for the feature above to work.
* full diff between previous and this version can be found [here](https://github.com/ChaserSystems/terraform-aws-discriminat-gwlb/compare/2.30.0...2.40.0) for the **-gwlb** module, and [here](https://github.com/ChaserSystems/terraform-aws-discriminat-eni/compare/2.30.0...2.40.0) for the **-eni** module

## version 2.30 (2026-03-12)

* improved and quicker new ENI detection. This should improve new ECS Task detection as a side-effect.
* a new log message `undiscovered client` in case an ENI has not yet been polled and discovered by DiscrimiNAT, separating this circumstance from the `no matching rules found` log message
* support, **in preview**, for detecting Post-Quantum Cryptography (PQC) key exchange groups in the TLS ClientHello, even if the handshake is split over multiple IP packets
* fixed a bug where ENIs of type 'branch' were causing all known ENIs (clients) to be dropped
* version of bundled Public Suffix List: [7ef6384](https://github.com/publicsuffix/list/blob/7ef6384612e1b48bb8b6023716cc9a493ac25d8a/public_suffix_list.dat)
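The `pqc` flow-log field from 2.40 and the split-packet handling from 2.30 both come down to one parsing problem: reassemble the ClientHello from however many TCP segments it arrived in, then look for ML-KEM codepoints in its `supported_groups` extension. The following is an added example written for this page, not DiscrimiNAT's own code. It assumes the IANA codepoints for the hybrid and pure ML-KEM groups as registered at the time of writing, and it constructs its own ClientHello bytes rather than using a capture.

```python
import struct

# IANA "TLS Supported Groups" codepoints for hybrid and pure ML-KEM key exchange.
# Assumption: this is the set registered at the time of writing; extend it as the registry grows.
PQC_GROUPS = {
    0x11EB: "SecP256r1MLKEM768",
    0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024",
    0x0200: "MLKEM512",
    0x0201: "MLKEM768",
    0x0202: "MLKEM1024",
}


def build_client_hello(groups, sni=b"example.com"):
    """Constructed test input: a minimal TLS ClientHello record with server_name and supported_groups."""
    sg = b"".join(struct.pack("!H", g) for g in groups)
    ext_groups = struct.pack("!HH", 10, len(sg) + 2) + struct.pack("!H", len(sg)) + sg
    name = struct.pack("!BH", 0, len(sni)) + sni
    ext_sni = struct.pack("!HH", 0, len(name) + 2) + struct.pack("!H", len(name)) + name
    exts = ext_sni + ext_groups
    body = (b"\x03\x03" + bytes(32)                 # legacy_version, random
            + b"\x00"                               # legacy_session_id: empty
            + b"\x00\x02\x13\x01"                   # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                           # legacy_compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello, uint24 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


class ClientHelloCollector:
    """Buffers TCP payload until the complete ClientHello handshake message has arrived.
    Hybrid key_share payloads routinely push the ClientHello past one MSS, so a parser that
    only looks at the first segment would miss exactly the flows this field is meant to find."""

    def __init__(self):
        self.buf = b""

    def feed(self, segment):
        self.buf += segment
        if len(self.buf) < 9:
            return None                                # record header (5) + handshake header (4)
        if self.buf[0] != 0x16 or self.buf[5] != 0x01:
            raise ValueError("not a TLS ClientHello record")
        hs_len = int.from_bytes(self.buf[6:9], "big")
        payload, pos = b"", 0
        while pos + 5 <= len(self.buf):               # walk complete records only
            rlen = struct.unpack("!H", self.buf[pos + 3:pos + 5])[0]
            if pos + 5 + rlen > len(self.buf):
                break                                  # record still partial: wait for more segments
            payload += self.buf[pos + 5:pos + 5 + rlen]
            pos += 5 + rlen
            if len(payload) >= 4 + hs_len:
                return payload[4:4 + hs_len]
        return None


def parse_client_hello(body):
    """Return (sni, supported_groups) from a ClientHello body (after the 4-byte handshake header)."""
    pos = 34                                           # legacy_version + random
    pos += 1 + body[pos]                               # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                               # legacy_compression_methods
    sni, groups = None, []
    if pos + 2 > len(body):
        return sni, groups                             # no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0 and len(data) >= 5:              # server_name: list_len(2) type(1) name_len(2) name
            nlen = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + nlen].decode("ascii", "replace")
        elif etype == 10 and len(data) >= 2:           # supported_groups: len(2) then uint16 list
            n = struct.unpack("!H", data[:2])[0]
            groups = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
    return sni, groups


def flow_log_pqc(segments):
    """Feed ordered TCP segments; return a flow-log-style dict. pqc stays None until the hello is complete."""
    collector, body = ClientHelloCollector(), None
    for seg in segments:
        body = collector.feed(seg)
        if body is not None:
            break
    if body is None:
        return {"pqc": None, "reason": "client hello incomplete"}
    sni, groups = parse_client_hello(body)
    pqc_names = [PQC_GROUPS[g] for g in groups if g in PQC_GROUPS]
    return {"sni": sni, "groups": groups, "pqc": bool(pqc_names), "pqc_groups": pqc_names}


if __name__ == "__main__":
    hello = build_client_hello([0x11EC, 0x001D, 0x0017], b"api.github.com")
    print(flow_log_pqc([hello[:20], hello[20:]]))      # the same hello split over two segments
    print(flow_log_pqc([build_client_hello([0x001D, 0x0017])]))
```

Note that the field only says a PQC group was *offered* by the client; whether the server actually selected it is in the ServerHello `key_share`, which an inline filter may or may not see depending on where it sits in the path.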

## version 2.20 (2025-08-27)

* wildcard matched FQDNs no longer cause a `cache not ready` flow log event on DiscrimiNAT instance restart or upgrade. This is accomplished by sharing knowledge of such FQDNs between DiscrimiNATs:
  * by discovering peers which either have label key or label value set to `discriminat` (case-insensitive)
  * exchanging knowledge continuously over port 1042 UDP with peers
  * incoming peers learn from outgoing peers during a rolling restart/upgrade
  * related and necessary changes have been made in all our Terraform (and other IaC) modules
  * messaging between peers is encrypted and authenticated, and does not contain policy
  * caveats:
    * upgrading from any version older than 2.20 will, once and for the last time, cause wildcard-matched FQDNs to stop working for a few seconds until the cache is warmed up again
    * from v2.20 onwards, this should not occur as long as one-at-a-time rolling upgrades are made (default behaviour of our IaC modules)
    * single-instance deployments will continue to lose memory of wildcard matched FQDNs and require a few seconds to allow them again after first encounter
* new config log _reason_: `malformed fqdn`. This is emitted in case a syntactically invalid domain name is specified in an allowlist
* improvement in how quickly new clients (Elastic Network Interfaces) are detected
* version of bundled Public Suffix List: [44211b0](https://github.com/publicsuffix/list/blob/44211b0fbb8b4e09b89a553f5b26c6a02f889c4b/public_suffix_list.dat)
* underlying OS has been changed from Ubuntu 20.04 LTS to Ubuntu 24.04 LTS
* version number strategy has changed:
  * DiscrimiNAT itself will only use Major and Minor in its version numbers, and not use the Patch level from the [semantic versioning scheme](https://semver.org/). For example, this release is 2.20 instead of 2.20.0
  * related components to a specific version of DiscrimiNAT will follow the full semantic versioning scheme, where the Major and Minor will correspond to the recommended version of DiscrimiNAT. For example, Terraform modules' version 2.20.0, 2.20.1, 2.20.2 and so on will be best suited for DiscrimiNAT 2.20

**Terraform Updates**

* allowed UDP port 1042 to and from DiscrimiNATs' security group for messaging between peers, as mentioned above
* added tags to launch template network interfaces
* added tags to a few other resources
* full diff between previous version and this can be found [here](https://github.com/ChaserSystems/terraform-aws-discriminat-gwlb/compare/2.9.0...2.20.0) for the **-gwlb** module, and [here](https://github.com/ChaserSystems/terraform-aws-discriminat-eni/compare/2.9.0...2.20.0) for the **-eni** module

## version 2.9.0 (2024-11-28)

* default preferences (see [docs](/docs/discriminat/aws/default-prefs/)), of which there are four at this time, can now be stored in an SSM Parameter named `DiscrimiNAT` (case-sensitive):
  * `wildcard_exposure`: controls whether `*` is accepted in FQDNs at all and, if accepted, whether the [public suffix](https://publicsuffix.org/) safeguard (which prohibits wildcards directly under a public suffix) applies. **Please familiarise yourself with [operation and caveats](/blog/wildcards-and-system-2-thinking/#operation) on the behaviour of wildcard rules before using them.**
  * `flow_log_verbosity`: control whether all logs are emitted, just _disallowed_ or none at all
  * `see_thru`: set non-blocking, monitoring _see-thru_ mode as a default (useful with new deployments so traffic is not blocked upon deployment)
  * `x509_crls`: whether to automatically allow CRL Endpoints of x509 SSL certificates for all TLS FQDNs allowlisted. This was a feature introduced in v2.7.0
* list of FQDNs for allowlisting, in JSON format, can now be read in from an SSM Parameter or a Secret in Secrets Manager
  * format is `{"addrs": ["fqdn1.com", "*.github.com", ...]}`
  * a symbolic reference of the Parameter/Secret, using its full ARN, will need to be added to the Security Group Rules' description field instead of comma-separated FQDNs. For example, `discriminat:tls:arn:aws:ssm:eu-west-2:111111111111:parameter/team-foo-allowed-fqdns` and `discriminat:tls:arn:aws:secretsmanager:eu-west-2:111111111111:secret:service-foo-allowed-fqdns`
  * DiscrimiNAT's IAM Role's Policy will need _ssm:GetParameter_ (for SSM Parameters) and _secretsmanager:GetSecretValue_ (for Secret) permissions on the ARNs referred
  * **previous method of storing comma-separated FQDNs in Security Group Rules' description fields is preserved and will continue to work**
* version of bundled Public Suffix List: [931546b](https://github.com/publicsuffix/list/blob/931546b3beb45b544d0692aa116b420fb34b9dfa/public_suffix_list.dat)
* improvement in startup time with a large allowlist (>500 FQDNs)
* new config log _reason_: `rejected`. This is emitted in case a wildcard FQDN is specified but the _wildcard\_exposure_ preference value does not allow its inclusion. For example, ``{addr: "*.github.io", cat: "addr", outcome: "publicsuffix[.]org list matched with `github.io`"}``
* raw packet captures (PCAP) for ~10 seconds may be included in telemetry data if Automated System Health Reporting is not opted out of
* fixed a bug where wildcard matched FQDNs would not be allowed, until the cache for them was warmed up, in spite of _see-thru_ mode being set
* fixed occasional "spoofing detected" flow logs disallowing connections to Cloudinary and Azure Cloud CDN FQDNs
* TLS and SSH connectivity improvements to some hosts that would not acknowledge trailing zeroes in padding bytes of a handshake
* absence of leading zeroes in month and date components of a _see-thru_ date now works. For example, previously, `2024-9-1` would not have worked, however, `2024-09-01` would have. Both work now.
* wildcard matched connections are now timed out on first attempt, instead of connection reset, until the cache has warmed up for them. This reduces the number of attempts made by an app/client when accessing a wildcarded FQDN for the first time.
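The allowlist-by-reference feature above has three moving parts that are easy to get subtly wrong: the rule description syntax, the JSON shape of the referenced allowlist, and the IAM grant that must be scoped to exactly the referenced ARNs. The following is an added example for this page, not DiscrimiNAT's own code. It assumes `tls` and `ssh` as the protocol tokens (the notes only show `tls`), treats `_` and `*` as legal label characters per the wildcard notes, and uses the placeholder ARNs from the notes as constructed input.

```python
import ipaddress
import json
import re

# Assumptions for this example: 'tls'/'ssh' protocol tokens, and that an entry is either an IPv4 literal
# (2.6.0) or a domain whose labels may carry the '_' and '*' wildcard characters (2.8.0 / 2.9.0).
PROTOCOLS = {"tls", "ssh"}
LABEL = re.compile(r"^(?!-)[a-z0-9_*-]{1,63}(?<!-)$")
SSM_ARN = re.compile(r"^arn:aws:ssm:[a-z0-9-]+:\d{12}:parameter/.+$")
SECRET_ARN = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$")


def is_valid_addr(addr):
    """Syntactic check only; an entry failing it is what the 'malformed fqdn' config log reason reports."""
    try:
        ipaddress.IPv4Address(addr)
        return True
    except ValueError:
        pass
    labels = addr.lower().split(".")
    return len(addr) <= 253 and len(labels) >= 2 and all(LABEL.match(l) for l in labels)


def parse_rule_description(desc):
    """Parse 'discriminat:<proto>:<target>' where target is comma-separated addresses or a single ARN."""
    parts = desc.split(":", 2)
    if len(parts) != 3 or parts[0] != "discriminat" or parts[1] not in PROTOCOLS:
        raise ValueError(f"not a DiscrimiNAT rule description: {desc!r}")
    proto, target = parts[1], parts[2]
    if target.startswith("arn:"):
        if SSM_ARN.match(target):
            return {"proto": proto, "ref": target, "action": "ssm:GetParameter"}
        if SECRET_ARN.match(target):
            return {"proto": proto, "ref": target, "action": "secretsmanager:GetSecretValue"}
        raise ValueError(f"unsupported ARN in rule description: {target!r}")
    return {"proto": proto, "addrs": [a.strip() for a in target.split(",") if a.strip()]}


def validate_allowlist(document):
    """Validate the {"addrs": [...]} JSON read from the Parameter/Secret; return the malformed entries."""
    doc = json.loads(document)
    addrs = doc.get("addrs") if isinstance(doc, dict) else None
    if not isinstance(addrs, list) or not all(isinstance(a, str) for a in addrs):
        raise ValueError('allowlist must be {"addrs": [<string>, ...]}')
    return [a for a in addrs if not is_valid_addr(a)]


def iam_policy_for(rules):
    """Least-privilege policy: one statement per action, scoped to exactly the ARNs the rules reference."""
    by_action = {}
    for r in rules:
        if "ref" in r:
            by_action.setdefault(r["action"], set()).add(r["ref"])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": action, "Resource": sorted(arns)}
            for action, arns in sorted(by_action.items())
        ],
    }


if __name__ == "__main__":
    # Constructed rule descriptions; the ARNs are the placeholders used in the 2.9.0 notes.
    descriptions = [
        "discriminat:tls:api.github.com, *.github.com",
        "discriminat:tls:203.0.113.9",
        "discriminat:tls:arn:aws:ssm:eu-west-2:111111111111:parameter/team-foo-allowed-fqdns",
        "discriminat:tls:arn:aws:secretsmanager:eu-west-2:111111111111:secret:service-foo-allowed-fqdns",
    ]
    rules = [parse_rule_description(d) for d in descriptions]
    print(json.dumps(iam_policy_for(rules), indent=2))
    # Constructed Parameter contents with two entries that would be logged as 'malformed fqdn'.
    print(validate_allowlist('{"addrs": ["fqdn1.com", "*.github.com", "bad..name", "-leading.example"]}'))
```

Two practical checks when wiring this up for real: a Secrets Manager ARN carries a random six-character suffix after the secret name, so the reference in the rule description must be the full ARN as the console or `describe-secret` reports it, and the IAM resource list should be the same exact ARNs rather than a wildcard over the whole parameter or secret namespace.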

**Breaking Changes**

* plaintext HTTP CRL Endpoints of x509 SSL certificates for all TLS FQDNs allowlisted are no longer allowed automatically. Set the preference `x509_crls` to `auto_allow` to restore previous behaviour. If you did not know about this, you are likely not affected. We have proactively informed the customers we definitely knew were relying on this.

**Terraform Updates**

* [preferences' defaults](/docs/discriminat/aws/default-prefs/) in JSON format are deployed automatically, along with the IAM Policy permission for DiscrimiNAT to be able to read them, from v2.9.0 of our Terraform module to serve as a starting point. Can be overridden from the new `preferences` variable.
* option to disable automatic updates to the Launch Template when a new DiscrimiNAT AMI version is available with the `ami_auto_update` boolean variable
* renamed variable `ami_name` to `ami_version`. It now accepts the _semver_ for DiscrimiNAT.
* list-type variables `iam_get_additional_ssm_params` and `iam_get_additional_secrets` introduced to automatically add IAM Get permissions on DiscrimiNAT's IAM Role's Policy for the ones specified. This enables DiscrimiNAT to read allowlists specified in these resources.
* full diff between previous version and this can be found [here](https://github.com/ChaserSystems/terraform-aws-discriminat-gwlb/compare/2.8.0...2.9.0) for the **-gwlb** module, and [here](https://github.com/ChaserSystems/terraform-aws-discriminat-eni/compare/2.8.0...2.9.0) for the **-eni** module

## version 2.8.0 (2024-08-20)

* wildcard support is now in preview:
  * they are supported for the TLS protocol only
  * the character `_` may be used to substitute one wild character in an FQDN to be allowed
  * the set of wild characters is from `a` to `z`, `0` to `9` and the `-` (hyphen or minus) only; the `.` (period, dot or fullstop) character is not included
  * you may use any number of wildcards in a single FQDN address (in the allowlist)
  * see our [dedicated page on using wildcards](/blog/wildcards-and-system-2-thinking/) with examples and the caveats expected in this preview; ensure you've read the __Operation section__ as well
  * further improvements are expected in the next version of DiscrimiNAT; please [write to us](/support/) with your experience on using this feature
* suppressed repetitive warning log messages `no ip addresses resolved` about CRL endpoint `crl.comodo.net`
* improved compatibility with proprietary SSH server-side implementations, such as GoAnywhere, that send a larger than normal list of ciphers during the initial handshake
* Terraform module [v2.8.0](https://registry.terraform.io/modules/ChaserSystems/discriminat-gwlb/aws/2.8.0) will need to be used to deploy the v2.8.x AMIs of DiscrimiNAT

## version 2.7.1 (2024-02-12)

* `warning` type messages in `config` logs now do not repeat before 10 minutes. This will reduce the frequency of `no ip addresses resolved`, etc. log messages significantly.
* disabling **Automated System Health Reporting** can now be done by setting variable `ashr` to `false` from Terraform module [v2.7.1](https://registry.terraform.io/modules/ChaserSystems/discriminat-gwlb/aws/2.7.1) onwards. The earlier method will continue to work.
* automated system health reporting, if left enabled, now runs at shutdown too.
* automatically allowed CRL Endpoints of x509 SSL certificates now emit the name of the otherwise allowed FQDN and the issuing CA in the certificate chain, from which the CRL Endpoint was determined, in the `reason` field of the `config` log. For example, `crl endpoint from issuer GTS Root R1 in certificate chain of trends.google.com`.

## version 2.7.0 (2024-01-14)

* HTTP `flow` Logs: additional log fields of `http_method`, `http_user_agent` and `http_path` will be present for plaintext HTTP traffic to aid in determining the source of unencrypted traffic. The traffic will always be denied with the message `insecure protocol, use https`, though.
* CRL Endpoints of x509 SSL certificates, which are over plaintext HTTP, are now automatically allowed for all TLS FQDNs allowlisted. Only HTTP methods `HEAD` and `GET` are allowed to these URLs from only the clients that otherwise have the TLS FQDNs (to which these CRL Endpoints belong) allowed.
* `no ip addresses resolved` warning message in `config` log for FQDNs found in the allowlist but for which a DNS lookup did not resolve any IP addresses. This is useful in spotting typos and domain names not configured yet by third parties.
* Terraform module [v2.7.0](https://registry.terraform.io/modules/ChaserSystems/discriminat-gwlb/aws/2.7.0) update: variable ~~`startup_script_base64`~~ has been renamed `user_data_base64`.
* **Automated System Health Reporting:** 10 minutes after boot and then at around 0200 UTC every day, each instance of DiscrimiNAT will collect its OS internals & system logs since instance creation, config changes & traffic flow information from last two hours and upload it to a Chaser-owned cloud bucket. This information is encrypted at rest with a certain public key so only relevant individuals with access to the corresponding private key can decrypt it. The transfer is encrypted over TLS.

  Access to this information will be immensely useful to create a faster and more reliable DiscrimiNAT as we add new features. We also aim to learn about how users interact with the product in order to further improve the usability of it as they embark on a very ambitious journey of fully accounted for and effective egress controls.

  We understand if certain environments within your deployment would rather not have this turned on. **To disable it,** a file at the path `/etc/chaser/disable_automated-system-health-reporting` should exist. From our Terraform module v2.7.0 onwards, this can be accomplished by including the following statement:

  ```
  user_data_base64 = "I2Nsb3VkLWNvbmZpZwp3cml0ZV9maWxlczoKLSBwYXRoOiAvZXRjL2NoYXNlci9kaXNhYmxlX2F1dG9tYXRlZC1zeXN0ZW0taGVhbHRoLXJlcG9ydGluZwo="
  ```

  The _base64_ value above decodes to:

  ```
  #cloud-config
  write_files:
  - path: /etc/chaser/disable_automated-system-health-reporting
  ```

  Which is a [cloud-init](https://cloudinit.readthedocs.io/en/latest/reference/examples.html) way of creating that file in the instance.
* Instance types `c5.large`, `c5.xlarge`, `c5.2xlarge`, `c6i.2xlarge` and `c6a.2xlarge` are no longer supported. Please choose from one of `t3.small`, `c6i.large`, `c6i.xlarge`, `c6a.large` and `c6a.xlarge`.
* DiscrimiNAT Firewall's product code on the AWS Marketplace has changed from ~~`a83las5cq95zkg3x8i17x6wyy`~~ to `bz1yq0sc5ta99w5j7jjwzym8g`. This has no impact on users unless they had been using the product code to lookup its AMI ID, for example. Terraform modules version 2.7.0 onward encapsulate this change.

## version 2.6.1 (2023-10-13)

* health check logic now also waits for the firewall cache to build up a bit before giving a green light to the load balancer (and therefore accepting traffic on new VMs)
* two new warning log message types which indicate if the configured port in a Firewall Rule has a connection-level issue:
  * for example `test for TLS on 203.0.113.5:80 failed` – port 80 was not listening with TLS
  * and for example `timed out testing connection to 203.0.113.6:443` – port 443 on that IP address is not open (from DiscrimiNAT's public IP point of view)

## version 2.6.0 (2023-07-24)

* the TLS notation for allowlisting now supports IP v4 addresses besides FQDNs (i.e. without SNI), for example `discriminat:tls:203.0.113.9`
* the _see-thru_ monitoring mode now accepts all specifications of IP addresses, Protocols & Ports on Security Groups. Previously, it had required IP addresses to be set to `0.0.0.0/0` and Ports & Protocols to be set to _all_.
* two new `flow` log `reason` messages when a network packet is `disallowed` have been introduced:
    * `cache not ready`: this message is logged when a new address is added in the allowlist but the firewall has not yet warmed up its cache for it. Expected to occur for up to 2 minutes after adding a new address (FQDN or IP.)
    * `spoofing detected`: logged when TLS SNI has been manipulated and a connection is attempted to an IP address that doesn't otherwise belong to the given FQDN (in the SNI.)
* enabled Finite Field Diffie–Hellman ciphers for TLS 1.2, for example DHE as opposed to ECDHE
* enabled ciphers **without** Forward Secrecy for TLS 1.2
* instance types have been updated to `t3.small`, `c6i.large`, `c6i.xlarge`, `c6i.2xlarge`, `c6a.large`, `c6a.xlarge`, `c6a.2xlarge`, `c5.large`,`c5.xlarge` and `c5.2xlarge`. Note that the `c6a` AMD types, although cheaper and equally performant, may not be available in all Availability Zones.
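Several entries across these notes describe one evaluation pipeline: rules are compiled at config time (2.9.0's `rejected` reason when the public suffix safeguard trips), the client's SNI is matched case-insensitively (2.40) against rules that may contain the `_` single-character wildcard (2.8.0) or `*` (2.9.0), and the destination IP is then checked against the firewall's own DNS answer, producing the `cache not ready` and `spoofing detected` reasons from 2.6.0 (or `no matching rules found` from 2.30). The following is an added example for this page, not DiscrimiNAT's own code. It assumes that `*` matches one or more wild characters within a single label (the notes do not define how far `*` reaches), uses a constructed slice of the Public Suffix List, and models see-thru mode as "log the reason, allow anyway".

```python
import ipaddress
import re

# Constructed slice of the Public Suffix List; a real deployment uses the bundled list pinned in these notes.
PUBLIC_SUFFIXES = {"com", "io", "github.io", "co.uk"}
WILD = "[a-z0-9-]"   # the wild character set from the 2.8.0 notes: a-z, 0-9 and hyphen, never '.'


def rule_to_regex(addr):
    """'_' stands for exactly one wild character. '*' is taken here to mean one or more wild characters
    within one label (assumption: the notes do not define how far '*' reaches). Matching is case-insensitive
    because the rule is lowercased here and the SNI is lowercased in decide()."""
    pattern = "".join(WILD if c == "_" else WILD + "+" if c == "*" else re.escape(c) for c in addr.lower())
    return re.compile(f"^{pattern}$")


def public_suffix_rejection(addr):
    """Config-time safeguard: a '*' rule whose fixed tail is itself a public suffix is rejected, since it
    would allow every unrelated site hosted under that suffix. Returns the matched suffix, or None."""
    labels = addr.lower().split(".")
    stars = [i for i, label in enumerate(labels) if "*" in label]
    if not stars:
        return None
    tail = ".".join(labels[stars[-1] + 1:])
    return tail if tail in PUBLIC_SUFFIXES else None


class Firewall:
    """Allowlist evaluation as these notes describe it: rules are compiled once (config log), and each
    flow is decided on the client's SNI plus the destination IP the firewall itself has resolved."""

    def __init__(self, addrs, safeguard=True, see_thru=False):
        self.see_thru = see_thru
        self.config_log, self.rules, self.cache = [], [], {}
        for addr in addrs:
            hit = public_suffix_rejection(addr) if safeguard else None
            if hit:
                self.config_log.append({"addr": addr, "cat": "addr", "reason": "rejected",
                                        "outcome": f"publicsuffix[.]org list matched with `{hit}`"})
            else:
                self.rules.append(rule_to_regex(addr))

    def learn(self, fqdn, ips):
        """The firewall's own DNS answer for an FQDN (this is the cache warm-up the notes refer to)."""
        self.cache[fqdn.lower()] = {ipaddress.ip_address(ip) for ip in ips}

    def decide(self, sni, dst_ip):
        """Return a flow-log-style dict. In see-thru mode nothing is blocked, but the reason is still logged."""
        name = sni.lower()                                     # 2.40: SNI matching is case-insensitive
        if not any(r.match(name) for r in self.rules):
            reason = "no matching rules found"
        elif name not in self.cache:
            reason = "cache not ready"
        elif ipaddress.ip_address(dst_ip) not in self.cache[name]:
            reason = "spoofing detected"                       # SNI names an allowed FQDN, IP belongs elsewhere
        else:
            return {"sni": name, "dst": dst_ip, "outcome": "allowed"}
        outcome = "allowed" if self.see_thru else "disallowed"
        return {"sni": name, "dst": dst_ip, "outcome": outcome, "reason": reason}


if __name__ == "__main__":
    fw = Firewall(["api.GitHub.com", "*.github.com", "*.github.io", "s_.amazonaws.com"])
    print(fw.config_log)                                       # *.github.io rejected by the safeguard
    print(fw.decide("API.github.com", "203.0.113.5"))          # cache not ready: first sight of the FQDN
    fw.learn("api.github.com", ["203.0.113.5"])                # constructed DNS answer
    print(fw.decide("API.github.com", "203.0.113.5"))          # allowed
    print(fw.decide("api.github.com", "203.0.113.7"))          # spoofing detected
    print(fw.decide("s33.amazonaws.com", "203.0.113.8"))       # '_' is exactly one character: no match
```

The spoofing check is the reason the firewall resolves names itself rather than trusting the SNI: a client can put any name in the ClientHello, so an allowlisted name only proves anything when the packet is also heading to an address that name actually resolves to.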

**Breaking Changes**

* the `config` log has its `fqdn` field name changed to `addr`. Field names have not changed in the `flow` log.
* in the `config` log, association of a public IP for egress from the firewall had its category (`cat` field) set to `static-ip`. This is now set to `egress-ip`.

## version 2.5.3 (2023-05-31)

* increased tolerance towards some rare TLS servers that otherwise resulted in DiscrimiNAT logging connection test failures and not allowing connections to them

## version 2.5.2 (2023-03-27)

* change of base OS from Ubuntu 18.04 to Ubuntu 20.04

<small>
The CIS Ubuntu Linux 20.04 LTS Benchmark v1.1.0 Level 2 - Server report is available upon request by contacting support. The image scored 215/219. An explanation will be attached for the unmet 4.
</small>

## version 2.5.1 (2023-02-03)

* general OS updates

## version 2.5.0 (2022-11-07)

* DiscrimiNAT now supports load balancing, high availability and auto scaling with [AWS' Gateway Load Balancer (GWLB)](https://aws.amazon.com/elasticloadbalancing/gateway-load-balancer/).
* With the GWLB, the [RTO](https://en.wikipedia.org/wiki/Disaster_recovery#Recovery_Time_Objective) for DiscrimiNAT is reduced from ~120 seconds to 10 seconds!
* [New `-gwlb` Terraform module published at the registry](https://registry.terraform.io/modules/ChaserSystems/discriminat-gwlb/aws) to deploy a load balancing, highly available and an auto scaling set of DiscrimiNAT Firewalls.

**Breaking Changes**

* CloudWatch log group name changed from `discrimiNAT` to `DiscrimiNAT`. The first letter of the word **D**iscrimiNAT is, and going-forwards will be, in upper-case.
* IAM Policy has been updated to reflect the upper-case letter **D**.
* AMI name has seen the same change.
* A new patch version, [2.4.1, of the ENI Terraform module](https://registry.terraform.io/modules/ChaserSystems/discriminat-eni/aws/2.4.1) has been released that constrains it to DiscrimiNAT version 2.4.x AMIs only. The ENI Terraform module will be updated in due course to support DiscrimiNAT version 2.5.x and onwards.

## version 2.4.2 (2022-10-11)

* improved connection handling for very short lived TLS connections with specific server-side implementations (such as Envoy Proxy)

## version 2.4.1 (2022-05-11)

* fixed a sporadic connection reset issue, that emitted `unexpected response` in the logs, and which only occurred in the `see-thru` monitoring mode while connecting to a destination at very high latency

## version 2.4.0 (2022-03-01)

* new warning message in config logs when a connection test, carried out by discrimiNAT itself, to an FQDN in any allowlist fails
* added support for [self-attaching an allocated Elastic IP](/docs/discriminat/aws/iam-instance-profile#elastic-ips)
* discrimiNAT's own instance ID added to every log line under the key `instance`, indicating which instance the log line was emitted from
* updated [TLS ECH draft extension](https://datatracker.ietf.org/doc/draft-ietf-tls-esni/) identifiers

## version 2.2.0 (2021-09-06)

* [see-thru mode](/docs/discriminat/aws/config-ref#see-thru-mode) introduced; build allowlists super-quick by putting a Security Group in monitor mode first
* serverless support introduced; Lambdas etc. with an interface in the VPC will have their outbound traffic filtered
* full bypass hook added; please reach out to [support](/support) for instructions on this

## version 2.1.0 (2021-08-19)

* improved handling for a large number of FQDNs in the allowlists
* updated [TLS ECH draft extension](https://datatracker.ietf.org/doc/draft-ietf-tls-esni/) identifiers

## version 2.0.5 (2021-05-11)

* restricted firewall rule scanning to the same VPC as discrimiNAT firewall was deployed in

## version 2.0.4 (2021-04-07)

* updated [TLS ECH draft extension](https://datatracker.ietf.org/doc/draft-ietf-tls-esni/) identifiers

## version 2.0.3 (2020-11-10)

* v2 launch
* completely new architecture addressing the potential for mismatch between IP addresses as looked up by a protected workload from the VPC resolver and as looked up by the discrimiNAT firewall
* rewritten in Rust

## version 20200524 (2020-05-27)

_available on request; v1 is now deprecated; please upgrade to v2_

## version 20200516 (2020-05-20)

_available on request; v1 is now deprecated; please upgrade to v2_

## version 20191207 (2019-12-10)

_available on request; v1 is now deprecated; please upgrade to v2_

## version 20191108 (2019-11-12)

_available on request; v1 is now deprecated; please upgrade to v2_

## version 20190911 (2019-09-13)

* v1 launch
