After four release candidates, we are thrilled to announce the final release of dnsdist 1.5.0! This new release contains several new exciting features and a few breaking changes since 1.4.0, so please read the upgrade guide if you are upgrading from 1.4.0 or earlier. We described the changes made since 1.4.0 in details in the blog post announcing the first release candidate so will only do a quick summary below.
Important changes
In systemd environments, dnsdist used to be started as root before dropping privileges and switching to an unprivileged user, which could lead to weird issues where files where readable during startup but not after, or the other way around. This is no longer the case, and dnsdist is now directly started as an unprivileged user. This might require updating the permissions on the files accessed during startup.
We updated the default behavior of our DNS over HTTPS implementation. DoH endpoints specified in the fourth parameter of addDOHLocal()
are now specified as exact paths instead of path prefixes. The default endpoint also switched from / to /dns-query. That can be overridden through the fourth parameter of addDOHLocal()
.
An ACL was added to the internal web server to further restrict access to authorized users.
The default SSL/TLS library used for DNS over TLS was changed from GnuTLS to OpenSSL / LibreSSL, based on the feedback we received from our users.
New features and improvements
The most exciting new feature is the implementation of the Proxy Protocol between dnsdist and its backends. Aimed to replace the use of EDNS Client Subnet and our own XPF, the Proxy Protocol is an existing standard where a small header is prepended to the query, passing not only the source and destination addresses and ports along to the backend, but also custom values. Support for parsing the Proxy Protocol is already available in the development tree of the PowerDNS Recursor ;
We implemented a new spoofRawAction()
, which makes it possible to spoof any kind of response from dnsdist, instead of the existing limitation to A, AAAA and CNAME records. This new action requires submitting the response in DNS wire-format.
While it has always been possible to write custom selectors and actions in Lua, there was a huge performance gap between built-in rules written in C++ and the Lua ones. This release adds the ability to use the Lua FFI interface available in LuaJIT to write high-performance selectors and rules, as well as load-balancing policies. With carefully written Lua, this delivers performance almost on par with the built-in C++ rules and actions, with greater flexibility.
Several very large-scale users reported that the load-balancing policies based on a hash of the qname could lack a bit of fairness when the traffic was heavily skewed toward a few names, leading to some backends receiving much more traffic than others. In order to address this shortcoming, we added the ability to set load bounds to the chashed and whashed policies so that queries will be dispatched to a different backend if the one selected based on the qname is already handling more queries than it should.
Our DNS over HTTPS implementation received several improvements, including the ability to send cache-control headers, and to parse X-Forwarded-For headers sent by a frontend.
Users with a large number of backends will be happy to know that we refactored the handling of health checks so that they can now be performed in parallel instead of sequentially, leading to a huge performance improvement.
Finally our remote logging features using DNSTAP or our own protobuf saw several performance enhancements, a better handling of re-connection events, and the addition of the source and destination ports of the query whenever possible.
Bug Fixes
Several issues were fixed, most of them about compilation on very specific systems or setups. One notable fix was a regression introduced in 1.4.0 for DNSCrypt users, with our thanks to Frank Denis for reporting the issue and suggesting ways to fix it.
We want to once again thank everyone that contributed to the testing of the previous release candidates!
Please see the dnsdist website for the more complete changelog and the current documentation.
Release tarballs are available on the downloads website.
Several packages are also available in our repository. Please be aware that we have enabled a few additional features in our packages, like DNS over HTTPS, DNS over TLS and DNSTAP support, on distributions where the required dependencies were available. Building packages for Raspberry Pi OS (previously called Raspbian) takes a bit longer so those might only become available in a couple days.