PowerDNS Recursor 4.3.1, 4.2.2 and 4.1.16 Released

Hello!,

Today we are releasing PowerDNS Recursor 4.3.1, 4.2.2. and 4.1.16, containing security fixes for three CVEs:

CVE-2020-10995
CVE-2020-12244
CVE-2020-10030

The issues are:

CVE-2020-10995: An issue in the DNS protocol has been found that allows malicious parties to use recursive DNS services to attack third party authoritative name servers. Severity is medium. We would like to thank Lior Shafir, Yehuda Afek and Anat Bremler-Barr for finding and subsequently reporting this issue!

CVE-2020-12244: Records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated. Severity is medium. We would like to thank Matt Nordhoff for finding and subsequently reporting this issue!

CVE-2020-10030: An attacker with enough privileges to change the hostname might be able to disclose uninitialized memory. This issue also affects the Authoritative Server and dnsdist; since the attack requires very high privileges and the issue does not affect Linux, we will not be releasing new versions for those just for this issue. Severity is low.

As usual, there were also other smaller enhancements and bugfixes. Please refer to the 4.3.1 changelog, 4.2.2 changelog and 4.1.16 changelog for details.

The 4.3.1 tarball (signature), 4.2.2 tarball (signature) and 4.1.16 tarball (signature) are available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Note that the 4.1 packages will be published later today.

4.0 and older releases are EOL, refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Second release candidate for dnsdist 1.5.0

We are very happy to announce the second release candidate of dnsdist 1.5.0. 1.5.0 contains several new exciting features and a few breaking changes since 1.4.0 that were detailed in the announcement of alpha1. If you upgrade from 1.4.0, please see the upgrade guide for more information.
This new release candidate has very few changes except a few minor bug fixes and cleanups since the first release candidate:

  • compilation was broken on SmartOS/illumos, and Solaris (9031) ;
  • the statistics for HTTP/1 were displayed twice instead of showing the HTTP/2 ones (9068) ;
  • if a backend was not reachable when first added, and multiple sockets were configured for that backend, the corresponding socket was not properly closed (9057) ;
  • several minor compilation warnings were fixed, along with some minor cleanups (9016 9042 9053 9054 9059 9067 9078 9084).


We want to once again thank everyone that contributed to the testing of alpha1 and the first release candidate!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available in our repository. Please be aware that we have enabled a few additional features in our packages, like DNS over HTTPS, DNS over TLS and DNSTAP support, on distributions where the required dependencies were available.

First Alpha Release of PowerDNS Recursor 4.4.0

Hello!,

We are proud to announce the first alpha release of what should become PowerDNS Recursor 4.4.0.

This release contains various bug fixes, improvements and new features. The most important new features are

  • Native DNS64 support, without the need to use Lua.
  • The ability to add custom tags to RPZ hits.
  • To allow more efficient use, the record cache is now shared between threads.
  • A routing tag can be added in Lua code, which will be used as an additional record cache key instead of of an EDNS subnet mask, enabling for a more simple record cache structure which will enhance query processing where the EDNS subnet mask is relevant.
  • The Proxy Protocol version 2 has been implemented to allow for a structured exchange of information between a client (typically dnsdist) and the Recursor. See the documentation for details.

Please refer to the changelog for additional details.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

First release candidate for dnsdist 1.5.0

We are very happy to announce the first release candidate of dnsdist 1.5.0. 1.5.0 contains several new exciting features and a few breaking changes since 1.4.0 that were detailed in the announcement of alpha1. If you upgrade from 1.4.0, please see the upgrade guide for more information.
This new release candidate has very few changes since alpha1:

  • a compilation issue on OpenBSD was fixed (8955) ;
  • the Lua binding for SuffixMatchNode::remove was added (8956) ;
  • a regression introduced in 1.4.0 for DNSCrypt users was fixed (8974, 8976), with our thanks to Frank Denis for reporting the issue and suggesting ways to fix it ;
  • responses received from a backend with the QR bit not set are now dropped (8996) ;
  • an option to control the size of the TCP listen queue was added (8994).

We want to once again thank everyone that contributed to the testing of alpha1!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available in our repository. Please be aware that we have enabled a few additional features in our packages, like DNS over HTTPS, DNS over TLS and DNSTAP support, on distributions where the required dependencies were available.

PowerDNS Authoritative Server 4.2.2 Released

This release fixes issues in the IXFR receive code, improves cache management, and corrects a few other small things. If you use IXFR, please read the upgrade notes carefully.

Please see the changelog for more details.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6 and 7, 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Authoritative 4.3.0

Hello!

We are proud to announce the release of PowerDNS Authoritative Server 4.3.0. A lot of internals have been reworked, with some visible changes for users. If you read the upgrade notes for a beta or RC, please read them again!

A notable new feature in 4.3 is support for hiding DNSSEC keys, which makes it possible to do algorithm rollovers. This feature was contributed by Robin Geuze of TransIP, thanks! Another interesting new feature is support for automatically publishing CDS/CDNSKEY records with a single pdns.conf setting.

Please note that 4.3.0 comes with a mandatory database schema upgrade.

Please see the changelog for an almost complete list of changes since the last 4.2.x release.

We want to thank everyone that contributed to this and earlier releases, and invite you to contribute to the testing of this release!

The tarball (signature) is available at downloads.powerdns.com; packages for CentOS 6, 7 and 8, Debian Stretch and Buster, and Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

First alpha release of dnsdist 1.5.0

We are very happy to announce the 1.5.0 alpha 1 release of dnsdist. This version contains several new exciting features detailed below, but also a few breaking changes so please take the time to read the next section.

Your feedback will be much appreciated so we can deliver a stable 1.5.0 final release!

Important changes

We took the opportunity of this new release to clean up a few things that might require updating your existing configuration.

First, in systemd environments, dnsdist used to be started as root before dropping privileges and switching to an unprivileged user, which could lead to weird issues where files where readable during startup but not after, or the other way around. This is no longer the case, and dnsdist is now directly started as an unprivileged user. This might require updating the permissions on the files accessed during startup. It is therefore recommended to recursively chown directories used by dnsdist:

chown -R root:dnsdist /etc/dnsdist

Packages provided on the PowerDNS Repository will chown directories created by them accordingly in the post-installation steps.

We also updated the default behavior of our DNS over HTTPS implementation. DoH endpoints specified in the fourth parameter of addDOHLocal are now specified as exact paths instead of path prefixes.

For example,

addDOHLocal('2001:db8:1:f00::1', '/etc/ssl/certs/example.com.pem', '/etc/ssl/private/example.com.key', { "/dns-query" })

will now only accept queries for /dns-query and no longer for /dns-query/foo/bar.

The default endpoint also switched from / to /dns-query. That can be overridden through the fourth parameter of addDOHLocal().

Finally the default SSL/TLS library used for DNS over TLS was changed from GnuTLS to OpenSSL / LibreSSL, based on the feedback we received from our users.

Please see the upgrade guide for more information.

New features and improvements

The most exciting new feature is the implementation of the Proxy Protocol between dnsdist and its backends. Aimed to replace the use of EDNS Client Subnet and our own XPF, the Proxy Protocol is an existing standard where a small header is prepended to the query, passing not only the source and destination addresses and ports along to the backend, but also custom values. Support for parsing the Proxy Protocol is already available in the development tree of the PowerDNS Recursor.

We implemented a new spoofRawAction(), which makes it possible to spoof any kind of response from dnsdist, instead of the existing limitation to A, AAAA and CNAME records. This new action requires submitting the response in DNS wire-format.

While it has always been possible to write custom selectors and actions in Lua, there was a huge performance gap between built-in rules written in C++ and the Lua ones. This release adds the ability to use the Lua FFI interface available in LuaJIT to write high-performance selectors and rules, as well as load-balancing policies. With carefully written Lua, this delivers performances almost on par with the built-in C++ rules and actions, with greater flexibility.

Several very large-scale users reported that the load-balancing policies based on a hash of the qname could lack a bit of fairness when the traffic was heavily skewed toward a few names, leading to some backends receiving much more traffic than others. In order to address this shortcoming, we added the ability to set load bounds to the chashed and whashed policies so that queries will be dispatched to a different backend if the one selected based on the qname is already handling more queries than it should.

Our DNS over HTTPS implementation received several improvements, including the ability to send cache-control headers, and to parse X-Forwarded-For headers sent by a frontend.

Users with a large number of backends will be happy to know that we refactored the handling of health checks so that they can now be performed in parallel instead of sequentially, leading to a huge performance improvement.

Finally our remote logging features using DNSTAP or our own protobuf saw several performance enhancements, a better handling of re-connection events, and the addition of the source and destination ports of the query whenever possible.

We want to once again thank everyone that contributed to the testing of the previous release candidates!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available in our repository. Please be aware that we have enabled a few additional features in our packages, like DNS over HTTPS, DNS over TLS and DNSTAP support, on distributions where the required dependencies were available.