We are very pleased to announce the availability of dnsdist 1.2.0, bringing a lot of new features and fixes since 1.1.0.
This release also addresses two security issues of low severity, CVE-2016-7069 and CVE-2017-7557. The first issue can lead to a denial of service on 32-bit systems if a backend sends crafted answers, and the second to an alteration of dnsdist’s ACL if the API is enabled, writable and an authenticated user is tricked into visiting a crafted website. More information can be found in our security advisories 2017-01 and 2017-02.
New features in this release include:
- applying rules on cache hits
- addition of runtime-changeable rules that match IP addresses for a certain time: TimedIPSetRule
- SNMP support, exporting statistics and sending traps
- preventing the packet cache from ageing responses when deployed in front of authoritative servers
- TTL alteration capabilities
- consistent hash results over multiple deployments
- exporting CNAME records over protobuf
- tuning the size of the ringbuffers used to keep track of recent queries and responses
- various DNSCrypt-related fixes and improvements, including automatic key rotation
Users upgrading from a previous version should be aware that:
- the truncateTC option is now off by default, to follow the principle of least astonishment
- the signature of the addLocal() and setLocal() functions has been changed, to make it easier to add new parameters without breaking existing configurations
- the packet cache does not cache answers without any TTL anymore, to prevent them from being cached forever
- blockfilter has been removed, since it was completely redundant
This release also deprecates a number of functions, which will be removed in 1.3.0. Those functions had the drawback of making dnsdist’s configuration less consistent by hiding the fact that each rule is composed of a selector and an action. They are still supported in 1.2.0 but a warning is displayed whenever they are used, and a replacement suggested.
Release tarballs are available on the downloads website.
Several packages are also available on our repository.