Changes in the PowerDNS Recursor 4.2.0

The 4.2.0 release of the PowerDNS Recursor brings a lot of small, incremental changes over the 4.1.x releases. We expect little operational impact when upgrading from 4.1.x. However, several new features have been implemented and some features have changed.

This release was made possible by contributions from: Gibheer, cclauss, Aki Tuomi, Ruben, Doug Freed, Richard Gibson, Peter Gervai, Oli, Josh Soref, Rens Houben, Kirill Ponomarev, Kees Monshouwer, Matt Nordhoff, OSSO B.V., phonedph1, Rafael Buchbinder, Ruben Kerkhof, spirillen, Tom Ivar Helbekkmo and Chris Hofstaedtler.  Thanks!

DNS Flag Day

The 4.2.0 release of the PowerDNS Recursor removes several workarounds for authoritative servers that respond badly to EDNS(0) queries. This is part of a multi-vendor effort known as DNS flag day to move the DNS ecosystem forward by being less lenient on non-conforming implementations.

XPF Support

This release adds support for DNS X-Proxied-For (draft-bellis-dnsop-xpf-04). This technique is roughly equivalent to HTTP’s X-Forwarded-For header, it can communicate the IP address and port of the original requestor from a loadbalancer/frontend (like dnsdist) to the backend server. This can allow the backend server to make decisions regarding that specific client. XPF is disabled by default and can be enabled by setting the xpf-allow-from setting to the source IP address of the front-end proxy and setting xpf-rr-code to the code of the resource record used by the frontend.

EDNS Client Subnet Improvements

More granularity has been added for the users of EDNS Client Subnet. The new ecs-add-for setting can be set to a list of netmasks for which the requestor’s IP address should be used as the EDNS Client Subnet for outgoing queries. For IP addresses not on this list, the PowerDNS Recursor will use the ecs-scope-zero-address instead, which matches the behavior of 4.1.x. Valid incoming ECS values from use-incoming-edns-subnet are not replaced.

New and Updated Settings

Sites that process large numbers of queries per second (100k+), may benefit from the new distributor-threads setting. This can be used in combination with pdns-distributes-queries=yes to spawn multiple threads that will pick up incoming queries and distribute them over the worker threads.

For several statistics, the PowerDNS Recursor uses a public suffix list to group queries. Before, this list was built into the binary and only updated for every release. This release adds the public-suffix-list-file setting that allows operators to supply their own public suffix list. This option is unset by default, which means the built-in list is used.

Over the last years it has become clear that many networks on the internet lose large UDP packets, leading to authoritative servers being seen as dead from the recursor’s perspective. To ensure return packets from authoritative servers have a better chance of reaching the recursor, the edns-outgoing-bufsize setting’s default has changed from 1680 to 1232. 1232 was chosen because it is the largest DNS response that can be carried on an IPv6 link with the IPv6 minimal MTU (1280). In tandem with this change, the udp-truncation-threshold that decides when to truncate responses to clients has also been changed from 1680 to 1232.

Looking Forward

After the release of 4.2.0, the regular bugfix and improvement processes will happen.

At the same time, we will be working on the next major release of the PowerDNS Recursor (probably numbered 5.0) for which we are planning several new and exciting features aimed at moving the DNS ecosystem to a more privacy-centric and secure place. To do this, we would like to implement QNAME Minimisation and support for (longlived) TLS connections to authoritatives.

Other improvements we’d like to implement is an experimental feature where the cache is shared between the worker threads.

If you have any ideas that should be in the PowerDNS Recursor in the future, you’re welcome to open a feature request on GitHub. And if you would want to help write these features, we are still looking for people! Have a look at our careers page or send you CV and motivation to

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s