We are very happy to announce the 1.4.0 alpha 1 release of dnsdist. This version contains a few new features, but is mostly focused on DNS privacy improvements. We are introducing a new, much more scalable way of handling DNS over TCP and DNS over TLS connections. It will be followed quite quickly by a new alpha including experimental DNS over HTTPS support.
In older versions of dnsdist, a TCP worker could only handle one incoming connection at a time, which was not very efficient when dealing with a larger number of mostly inactive connections, as we are beginning to see with DNS over TLS. Starting with this release, TCP workers are now event-based and each one of them can handle a very large number of incoming connections simultaneously.
Your feedback will be much appreciated so we can deliver a stable 1.4.0 final release!
Important changes
We took the opportunity of this new release to clean up a few things that might require updating your existing configuration. First, the number of parameters to the newPacketCache command was getting out of hand, so we switched it to a table-based syntax as we already did with newServer a while ago.
addLuaAction and addLuaResponseAction have been removed. Instead, use addAction with a LuaAction, or addResponseAction with a LuaResponseAction.
Lua constants for DNS response codes and QTypes have been moved from the ‘dnsdist’ prefix to, respectively, the DNSQType and DNSRCode prefixes.
To improve security, all ambient capabilities are now dropped after the startup phase, which might prevent launching the webserver on a privileged port at run-time, or impact some custom Lua code. In addition, systemd’s sandboxing features are now determined at compile-time, resulting in more restrictions on recent distributions. See pull requests 7138 and 6634 for more information.
And finally, if you are compiling dnsdist, note that several ./configure options have been renamed to provide a more consistent experience. Features that depend on an external component have been prefixed with –with while internal features use –enable. This has lead to the following changes:
- –enable-fstrm to –enable-dnstap
- –enable-gnutls to –with-gnutls
- –enable-libsodium to –with-libsodium
- –enable-libssl to –with-libssl
- –enable-re2 to –with-re2
New features and improvements
Dynamic blocks and Lua rules can now use the NoRecurse action, thanks to phonedph1.
Richard Gibson added the possibility to inspect and alter trailing data.
Dmitry Alenichev implemented new rules and actions to deal with unexpected EDNS versions, and to optionally accept completely empty (qdcount=0) responses from a backend.
Andrey Domas added the new QNameSetRule rule, along with the DNSNameSet object, to match exact qnames instead of doing suffix matching.
The health check mechanism has been improved with the new checkInterval, checkTimeout and rise parameters, thanks notably to “1848”.
We added a few convenience functions to pseudonymize IP addresses, as several users reported that they needed it to be GDPR-compliant.
We noticed that, on some specific versions of the Linux kernel, the code we used to measure our memory usage could be quite expensive so we switched to an alternative, cheaper method. You might notice that the memory usage reported by this new version does not exactly match the one reported by older versions, but it should be close enough.
Finally the cost of exporting queries and responses using our remote logging solution based on protobuf has been reduced by a huge margin. System calls that used to be cheap before the Spectre and Meltdown mitigations were introduced are now having a very visible impact, and we designed a new way of sending messages to work around that.
Please see the dnsdist website for the more complete changelog and the current documentation.
Release tarballs are available on the downloads website.
Several packages are also available on our repository. Please be aware that we have enabled a few additional features in our packages, like DNS over TLS and DNSTap support, on distributions where the required dependencies were available.